Security researcher Davide Ornaghi recently disclosed a privilege escalation vulnerability in the Linux kernel that allows a local attacker to run code on affected systems with elevated privileges; he also published a proof of concept and a technical description. The bug, tracked as CVE-2023-0179, is a stack-based buffer overflow in the Netfilter subsystem. A local user who can load nftables rules (typically any unprivileged user on a system that allows unprivileged user namespaces) can exploit it with a purpose-built program to gain root.
"The vulnerability consists of a stack buffer overflow due to an integer underflow vulnerability within the nft_payload_copy_vlan function, which is called with nft_payload expressions as long as a VLAN tag is present in the current skb," Ornaghi explains. Netfilter is the kernel framework that exposes hooks at fixed points in the network stack and lets packet-processing handlers, such as the rules loaded through nf_tables, be attached to them. On top of those hooks Netfilter implements packet filtering, network address translation (NAT) and port translation.
These features are what let a Linux machine act as a firewall or NAT gateway; Netfilter does not itself route packets, it inspects and rewrites them at the hook points. According to the researcher, Linux kernel 6.2.0-rc1 is vulnerable to CVE-2023-0179. The flaw can be exploited to disclose stack and heap addresses and, from there, to escalate privileges to root through arbitrary code execution. Users are strongly advised to update their Linux systems as soon as distribution patches become available.
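To make the integer underflow concrete, the following is an added example, not code from the article, from the researcher or from the kernel tree. It models the length adjustment in nft_payload_copy_vlan() as described in the upstream fix commit ("incorrect arithmetics when fetching VLAN header bits"): the adjustment was missing parentheses, so vlan_hlen was added instead of subtracted, and the u8 length wrapped to a value near 255. The constants ETH_HLEN, VLAN_HLEN and VLAN_ETH_HLEN are the kernel's; the function names ethlen_vulnerable, ethlen_fixed and vlan_copy_overrun are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants from <linux/if_ether.h> and <linux/if_vlan.h>. */
#define ETH_HLEN      14                      /* Ethernet header */
#define VLAN_HLEN      4                      /* one 802.1Q tag */
#define VLAN_ETH_HLEN (ETH_HLEN + VLAN_HLEN)  /* sizeof(struct vlan_ethhdr) */

/*
 * Model of the length adjustment in nft_payload_copy_vlan() before the fix.
 * In the kernel offset, len and ethlen are all u8. The expression lacks
 * parentheses around (VLAN_ETH_HLEN + vlan_hlen), so when a VLAN tag is
 * present (vlan_hlen == 4) it subtracts 8 bytes too many and the u8
 * result wraps to a value close to 255.
 */
static uint8_t ethlen_vulnerable(uint8_t offset, uint8_t len, uint8_t vlan_hlen)
{
    uint8_t ethlen = len;

    if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
        ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen;
    return ethlen;
}

/* The same adjustment as in the upstream fix: vlan_hlen is subtracted. */
static uint8_t ethlen_fixed(uint8_t offset, uint8_t len, uint8_t vlan_hlen)
{
    uint8_t ethlen = len;

    if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
        ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;
    return ethlen;
}

/*
 * Number of bytes that the subsequent
 *     memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);
 * would touch past the end of the 18-byte struct vlan_ethhdr scratch copy.
 * A non-zero result means an over-read of kernel stack (the scratch copy
 * lives on the stack) and an over-write of the nft register array that
 * dst_u8 points into, which is on the stack as well.
 */
static int vlan_copy_overrun(uint8_t offset, uint8_t len, uint8_t vlan_hlen, int fixed)
{
    int ethlen = fixed ? ethlen_fixed(offset, len, vlan_hlen)
                       : ethlen_vulnerable(offset, len, vlan_hlen);
    int end = (offset - vlan_hlen) + ethlen;   /* one past the last byte read */

    return end > VLAN_ETH_HLEN ? end - VLAN_ETH_HLEN : 0;
}

int main(void)
{
    /*
     * nft_payload_copy_vlan() sets vlan_hlen = VLAN_HLEN only when the
     * packet carries a VLAN tag and 18 <= offset < 22, i.e. the requested
     * bytes start inside the tag. Walk the offsets in that window with a
     * 4-byte read, which is what a payload expression on the tag asks for.
     */
    for (uint8_t offset = VLAN_ETH_HLEN; offset < VLAN_ETH_HLEN + VLAN_HLEN; offset++) {
        uint8_t len = 4;

        printf("offset=%u len=%u  vulnerable: ethlen=%3u overrun=%3d  fixed: ethlen=%u overrun=%d\n",
               (unsigned)offset, (unsigned)len,
               (unsigned)ethlen_vulnerable(offset, len, VLAN_HLEN),
               vlan_copy_overrun(offset, len, VLAN_HLEN, 0),
               (unsigned)ethlen_fixed(offset, len, VLAN_HLEN),
               vlan_copy_overrun(offset, len, VLAN_HLEN, 1));
    }
    return 0;
}
```

With offset 18 (the first byte of the tag) both versions agree, because offset + len does not exceed the scratch copy and no adjustment is made. From offset 19 onwards the vulnerable expression yields a length of roughly 250 bytes where 1 to 3 were intended, which is the stack-based overflow the article describes; without a VLAN tag (vlan_hlen == 0) the two expressions are identical, which is why the bug only triggers on tagged traffic.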
It is also good practice to restrict local access to trusted users and to audit systems regularly for signs of compromise. A fix has since been merged into the upstream kernel. If you cannot patch yet, disabling unprivileged user namespaces prevents exploitation, because the attacker needs the CAP_NET_ADMIN capability inside a user namespace to load the malicious nftables rules; on mainline kernels the sysctl user.max_user_namespaces=0 does this, and Debian and Ubuntu kernels additionally offer kernel.unprivileged_userns_clone=0. Last month, a CVSS 10 vulnerability was disclosed in the Linux kernel's in-kernel SMB server, ksmbd; it gives an unauthenticated remote attacker the ability to run code.
The Common Vulnerability Scoring System (CVSS), used by organizations around the world, captures the principal characteristics of a vulnerability and assigns it a numerical score from 0 to 10 that reflects its severity. The score maps to a qualitative rating (low, medium, high, critical) that helps organizations assess and prioritize their vulnerability management. A score of 10 is the maximum, and security researchers stress that a vulnerability rated that high should be treated as an emergency.
That vulnerability allows arbitrary code execution on affected installations without authentication, but only systems with ksmbd enabled are exposed. The bug lies in the handling of SMB2_TREE_DISCONNECT commands: the code did not validate that an object exists before operating on it, so a remote attacker could trigger the flaw to run code in kernel context. The kernel developers have released a fix.
Source: Vulnerability description CVE-2023-0179