Linux Netfilter Local Privilege Escalation Vulnerability (CVE-2021-22555)

Jul 19, 2021 GMT+08:00

I. Overview

Security researchers have disclosed a local privilege escalation vulnerability in Linux Netfilter (CVE-2021-22555). The vulnerability lies in defective memcpy() and memset() calls in the Netfilter module. A local attacker can exploit it to escalate privileges and escape from Docker and Kubernetes containers. A proof of concept (PoC) for this vulnerability has been publicly disclosed.

Linux Netfilter is a kernel framework used for packet filtering, network address translation (NAT), and protocol-based connection tracking. If you run Linux systems that include Netfilter, check your kernel versions and apply the security hardening below promptly.

References:

https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html#achieving-use-after-free

https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Linux kernel 2.6.19 (the vulnerable code was introduced in commit 9fa492cdc160cd27ce1046cb36f47d3b2b1efa21) and later

Secure versions:

Linux kernel 5.12 (fixed in commit b29c457a6511435960115c0f548c4360d5f4801d) and the stable releases 5.10.31, 5.4.113, 4.19.188, 4.14.231, 4.9.267, and 4.4.267

IV. Vulnerability Handling

Non-container scenario (local privilege escalation risk):

1. This vulnerability has been fixed in the newly released official kernel versions. If your kernel version falls into the affected range, upgrade it to the latest secure version. Link: https://www.kernel.org/

2. Following Red Hat's official guidance, run the following command to prevent unprivileged users from creating new user and network namespaces (CLONE_NEWUSER and CLONE_NEWNET), which the public exploit relies on:

echo 0 > /proc/sys/user/max_user_namespaces

Container scenario (container escape risk):

1. Upgrade the kernel to a secure version.

2. Run echo 0 > /proc/sys/user/max_user_namespaces.

3. Enable seccomp for the container to reduce the risk of container escape. (Before enabling it, evaluate the possible impact on performance and on the services running in the container.)
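As an added example (not part of this notice or any vendor's tooling), the following POSIX shell script compares the running kernel version with the fixed versions listed in section III for its stable branch and checks whether the user-namespace mitigation from section IV is in place. It assumes standard `uname -r` output such as `5.10.30-generic` and treats stable branches that are not listed in section III as unverified.

```shell
#!/bin/sh
# Added example, not from the notice: check the running kernel against the
# fixed versions in section III and the user-namespace mitigation in section IV.

# Fixed patch level per stable branch (section III). Branches not listed
# are treated as unverified, which is the conservative answer.
fixed_patch_for_branch() {
    case "$1" in
        5.10) echo 31 ;;  5.4) echo 113 ;;  4.19) echo 188 ;;
        4.14) echo 231 ;; 4.9) echo 267 ;;  4.4)  echo 267 ;;
        *)    : ;;
    esac
}

# Returns 0 if a version string such as "5.10.31-generic" contains the fix,
# 1 if it is affected or its branch is not in the list above.
kernel_is_fixed() {
    v=${1%%-*}                         # drop distro suffix ("-generic")
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0   # "5.4" -> 5.4.0
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    # 5.12 and every later release carry the fix.
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 12 ]; }; then
        return 0
    fi
    need=$(fixed_patch_for_branch "$major.$minor")
    [ -n "$need" ] && [ "$patch" -ge "$need" ]
}

# Returns 0 if the sysctl file holds 0, i.e. unprivileged user namespaces
# are disabled; the path is a parameter so a saved copy can be checked too.
userns_disabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

main() {
    running=$(uname -r)
    if kernel_is_fixed "$running"; then
        echo "kernel $running: fixed version per CVE-2021-22555 notice"
    else
        echo "kernel $running: affected or unverified branch, upgrade recommended"
    fi
    if userns_disabled /proc/sys/user/max_user_namespaces; then
        echo "mitigation: unprivileged user namespaces are disabled"
    else
        echo "mitigation: user namespaces enabled; section IV suggests setting max_user_namespaces to 0"
    fi
}

main
```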

For the fixed kernel versions shipped by Linux distributions, see the vendors' security notices:

Red Hat: https://access.redhat.com/security/cve/CVE-2021-22555

Debian: https://security-tracker.debian.org/tracker/CVE-2021-22555

Ubuntu: https://ubuntu.com/security/CVE-2021-22555

SUSE: https://www.suse.com/security/cve/CVE-2021-22555/

Note: Before applying the fix, back up your data and test the change thoroughly.