{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-018.pdf"
    },
    "title": "Serious Vulnerability in Linux Kernel",
    "serial_number": "2022-018",
    "publish_date": "17-03-2022 09:28:00",
    "description": "On February 22, Red Hat released a security advisory for fixing a severe vulnerability in the \"netfilter\" subcomponent in the Linux kernel. Listed as CVE-2022-25636 with a CVSS score of 7.8, it could allow a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation. This vulnerability is present in all recent major distributions and exploits for this vulnerability ware already published.<br>It is recommended to update the Linux distributions as soon as possible.",
    "url_title": "2022-018",
    "content_markdown": "---\ntitle: 'Serious Vulnerability in\u00a0Linux Kernel'\nversion: '1.0'\nnumber: '2022-018'\ndate: 'March 17, 2022'\n---\n\n_History:_\n\n* _17/03/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn February 22, Red Hat released a security advisory for fixing a severe vulnerability in the `netfilter` subcomponent in the Linux kernel. Listed as CVE-2022-25636 with a CVSS score of 7.8, it could allow a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation [1]. This vulnerability is present in all recent major distributions and  **exploits for this vulnerability ware already published** [2].\n\nIt is recommended to update the Linux distributions as soon as possible.\n\n# Technical Details\n\nAn out-of-bounds (OOB) memory access flaw was found in `nft_fwd_dup_netdev_offload` in `net/netfilter/nf_dup_netdev.c` in the `netfilter` subcomponent in the Linux kernel due to a heap out-of-bounds write problem [2]. \n\n# Affected Products\n\nThis vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. on all major distributions such as Red Hat Enterprise Linux (RHEL) 8.x; Debian Bullseye; Ubuntu Linux, and SUSE Linux Enterprise 15.3 [3]. \n\nWhile the Linux kernel `netfilter` patch has been made available [4], the patch is not available yet in all distributions. 
\n\n\n# Recommendations and Mitigations\n\nCERT-EU recommends following the specific steps listed for each of the following Linux distributions:\n\n- Debian Bullseye, more details in [5];\n- Ubuntu releases, more details in [6];\n- SUSE Linux Enterprise, more details in [7] and [8];\n- Red Hat Enterprise Linux, more details in [9].\n\n# References\n\n[1] <https://access.redhat.com/security/cve/CVE-2022-25636>\n\n[2] <https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/>\n\n[3] <https://www.zdnet.com/article/nasty-linux-netfilter-firewall-security-hole-found/>\n\n[4] <https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=b1a5983f56e371046dcf164f90bfaf704d2b89f6>\n\n[5] <https://security-tracker.debian.org/tracker/CVE-2022-25636>\n\n[6] <https://ubuntu.com/security/CVE-2022-25636>\n\n[7] <https://www.suse.com/security/cve/CVE-2022-25636.html>\n\n[8] <https://www.suse.com/support/kb/doc/?id=000020615>\n\n[9] <https://access.redhat.com/security/cve/CVE-2022-25636>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>17/03/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On February 22, Red Hat released a security advisory for fixing a severe vulnerability in the <code>netfilter</code> subcomponent in the Linux kernel. Listed as CVE-2022-25636 with a CVSS score of 7.8, it could allow a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation [1]. This vulnerability is present in all recent major distributions and <strong>exploits for this vulnerability ware already published</strong> [2].</p><p>It is recommended to update the Linux distributions as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>An out-of-bounds (OOB) memory access flaw was found in <code>nft_fwd_dup_netdev_offload</code> in <code>net/netfilter/nf_dup_netdev.c</code> in the <code>netfilter</code> subcomponent in the Linux kernel due to a heap out-of-bounds write problem [2]. </p><h2 id=\"affected-products\">Affected Products</h2><p>This vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. on all major distributions such as Red Hat Enterprise Linux (RHEL) 8.x; Debian Bullseye; Ubuntu Linux, and SUSE Linux Enterprise 15.3 [3]. </p><p>While the Linux kernel <code>netfilter</code> patch has been made available [4], the patch is not available yet in all distributions. 
</p><h2 id=\"recommendations-and-mitigations\">Recommendations and Mitigations</h2><p>CERT-EU recommends following the specific steps listed for each of the following Linux distributions:</p><ul><li>Debian Bullseye, more details in [5];</li><li>Ubuntu releases, more details in [6];</li><li>SUSE Linux Enterprise, more details in [7] and [8];</li><li>Red Hat Enterprise Linux, more details in [9].</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://access.redhat.com/security/cve/CVE-2022-25636\">https://access.redhat.com/security/cve/CVE-2022-25636</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/\">https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.zdnet.com/article/nasty-linux-netfilter-firewall-security-hole-found/\">https://www.zdnet.com/article/nasty-linux-netfilter-firewall-security-hole-found/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=b1a5983f56e371046dcf164f90bfaf704d2b89f6\">https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=b1a5983f56e371046dcf164f90bfaf704d2b89f6</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://security-tracker.debian.org/tracker/CVE-2022-25636\">https://security-tracker.debian.org/tracker/CVE-2022-25636</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://ubuntu.com/security/CVE-2022-25636\">https://ubuntu.com/security/CVE-2022-25636</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.suse.com/security/cve/CVE-2022-25636.html\">https://www.suse.com/security/cve/CVE-2022-25636.html</a></p><p>[8] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.suse.com/support/kb/doc/?id=000020615\">https://www.suse.com/support/kb/doc/?id=000020615</a></p><p>[9] <a 
rel=\"noopener\" target=\"_blank\" href=\"https://access.redhat.com/security/cve/CVE-2022-25636\">https://access.redhat.com/security/cve/CVE-2022-25636</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}