Nothing is quite as vexing as a security hole in a security program. Xiaochen Zou, a graduate student at the University of California, Riverside, went looking for bugs in Linux and found a whopper. This vulnerability, CVE-2022-27666, in IPSec‘s esp6 (Encapsulating Security Payload) crypto module can be abused for local privilege escalation.
The problem is your basic heap overflow hole. Xiaochen explained that “the basic logic of this vulnerability is that the receiving buffer of a user message in esp6 module is an 8-page buffer, but the sender can send a message larger than 8 pages, which clearly creates a buffer overflow.” Yes, yes it will.
As buffer overflows always are, this is bad news. As Red Hat puts it in its security advisory on the bug, “This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.”
This is bad enough that both Red Hat and the National Institute of Standards and Technologies (NIST) give the hole a high Common Vulnerability Scoring System (CVSS) score of 7.8. Or, as I like to call vulnerabilities with such high scores, it’s a “Fix it now!” bug.
Also: Linux developers patch security holes faster than anyone else, says Google Project Zero
Red Hat also noted that if a Linux system is already using IPsec and has IPSec Security Associations (SA) configured, then no additional privileges are needed to exploit the hole. Since almost everyone uses IPSec and SAs are essential for the network security protocol, this means pretty much everyone with the vulnerable code in their Linux distro is open to attack.
Xiaochen has found that the latest Ubuntu, Fedora, and Debian Linux distros can be hacked with it. Red Hat reports that Red Hat Enterprise Linux (RHEL) 8 is vulnerable. Specifically, if your Linux contains a 2017 esp6 crypto module, which contains the commits cac2661c53f3 and 03e2a30f6a27, it’s attackable.
Usually, such an attack can knock a Linux system offline. Xiaochen dug into it deeper and found more. On his hunt, he found a way to get around Kernel Address-space Layout Randomization (KASLR). KASLR, as the name says, makes it harder to exploit memory vulnerabilities by placing processes at random, rather than fixed, memory addresses.
Also: Nasty Linux netfilter firewall security hole found
Then, after hanging the process, an attacker can use Filesystem in User Space (FUSE) to create his own filesystem and map memory on it. Consequently, all the read and write going through that memory will be handled by his own file system. Once that’s done, it’s relatively trivial to get root in the system. And, as we all know, once the attacker has root, it’s game over. The attacker’s now in charge of the computer.