[CDP-development] TLP: Green (Vulnerability Alert Notification): CVE-2022-2586 - Linux Kernel Use-After-Free Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Thu Jun 27 09:55:27 PDT 2024
Good morning,
The SOC Services team is reporting on CVE-2022-2586, a Linux kernel use-after-free vulnerability. Because of its high visibility and its listing in CISA's Known Exploited Vulnerabilities (KEV) catalog, we are providing the following in-depth information:
History: The flaw was publicly disclosed, with an upstream fix, in August 2022, but the National Vulnerability Database (NVD) record for CVE-2022-2586 was not published until January 8, 2024. The vulnerability currently carries a CVSSv3 base score of 7.8 (High). CISA added it to its Known Exploited Vulnerabilities Catalog on June 26, 2024.
Affected Versions:
Nearly every distribution that shipped an affected kernel is exposed, so we are not listing affected packages here. Ubuntu's affected releases and fixed package versions are at: https://ubuntu.com/security/CVE-2022-2586. For other distributions, consult that vendor's security tracker for this CVE; the fixed kernel version differs by distribution and kernel branch.
Intelligence: As of June 26, 2024, the vulnerability has been confirmed as being exploited in the wild.
Workarounds: There is no workaround that removes the flaw; the vendor kernel update is the fix. The attack surface can be reduced, however: the bug is reachable only with CAP_NET_ADMIN, which an unprivileged local user can obtain by creating a user namespace, so restricting unprivileged user namespaces (for example via the user.max_user_namespaces sysctl, or kernel.unprivileged_userns_clone on distributions whose kernels carry that patch) closes the unprivileged path. Test such a change first, because containers and sandboxed applications rely on user namespaces.
How it works: The flaw is in the netfilter nf_tables subsystem's handling of references from objects (nft_object) and expressions to sets. The kernel did not verify that a set referenced by an object or expression belonged to the same table as the referencing object, so an object in one table could bind to a set owned by a different table. When the table that owns the set is deleted, the set is freed while the other table's object still holds a pointer to it; any later use of that object dereferences freed memory, a use-after-free. Triggering the bug requires CAP_NET_ADMIN, but that capability is sufficient inside any user or network namespace, so on hosts that allow unprivileged user namespaces any local user can reach it. A local attacker can turn the dangling reference into privilege escalation and arbitrary code execution as root.
Post-Exploit: Once the owning table is deleted, the attacker controls the timing and can reclaim the freed allocation with attacker-supplied data (the advisory cites a string of size 0xc7, matching the freed nft_object allocation) so that the subsequent use of the dangling pointer operates on memory the attacker shaped. This yields local privilege escalation and arbitrary code execution in kernel context.
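To make the ownership problem concrete, the following is an added, user-space model of the missing check; it is not code from this advisory, from Ubuntu or from the kernel sources, and every struct and function name in it is hypothetical. Tables own sets; an object in one table binds to a set by name. With the pre-fix "global" lookup a set in table A can be bound from table B, and deleting A leaves B's object holding a pointer to a freed chunk. With the scoped lookup (the same kind of owner check the upstream fix added) the cross-table bind is rejected. The "slab" is a static array with an in_use flag so the freed chunk can be inspected without undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct nft_table { const char *name; int active; };

struct nft_set {                 /* a set belongs to exactly one table */
    const char *name;
    struct nft_table *table;     /* owning table */
    int in_use;                  /* 0 = chunk handed back to the allocator */
    unsigned int elements;       /* payload read when the set is used */
};

struct nft_obj {                 /* object/expression holding a raw set pointer */
    struct nft_table *table;     /* table the object belongs to */
    struct nft_set *set;         /* dangles once the set's table is deleted */
};

#define NSETS 8
static struct nft_set sets[NSETS];    /* stands in for a kmalloc cache (model) */

static struct nft_set *set_add(struct nft_table *t, const char *name, unsigned int elements)
{
    for (int i = 0; i < NSETS; i++) {
        if (sets[i].in_use) continue;
        sets[i] = (struct nft_set){ name, t, 1, elements };
        return &sets[i];
    }
    return NULL;
}

/* Pre-fix behaviour (check_owner == 0): any live set with that name matches,
 * whichever table owns it. Fixed behaviour (check_owner == 1): the set must
 * be owned by the table the referencing object lives in. */
static struct nft_set *set_lookup(const struct nft_table *ctx, const char *name, int check_owner)
{
    for (int i = 0; i < NSETS; i++) {
        if (!sets[i].in_use || strcmp(sets[i].name, name) != 0) continue;
        if (check_owner && sets[i].table != ctx) continue;
        return &sets[i];
    }
    return NULL;
}

static int obj_bind(struct nft_obj *o, struct nft_table *ctx, const char *setname, int check_owner)
{
    struct nft_set *s = set_lookup(ctx, setname, check_owner);
    if (!s) return -ENOENT;
    o->table = ctx; o->set = s;
    return 0;
}

/* Deleting a table frees its sets; objects in other tables are never told. */
static void table_delete(struct nft_table *t)
{
    for (int i = 0; i < NSETS; i++) {
        if (!sets[i].in_use || sets[i].table != t) continue;
        sets[i].in_use = 0;
        sets[i].elements = 0xdeadbeef;   /* chunk is now free for reuse by a heap spray */
    }
    t->active = 0;
}

/* Using the object dereferences its set. The real kernel would read whatever
 * now occupies the freed chunk; the model reports -EFAULT instead. */
static int obj_eval(const struct nft_obj *o, unsigned int *out)
{
    if (!o->set) return -EINVAL;
    if (!o->set->in_use) return -EFAULT;
    *out = o->set->elements;
    return 0;
}

/* An object in table B binds to set "s" owned by table A, then A is deleted.
 * Returns the bind result; *eval_rc receives the result of using the object. */
static int scenario(int check_owner, int *eval_rc)
{
    struct nft_table a = { "A", 1 }, b = { "B", 1 };
    struct nft_obj o = { 0 };
    unsigned int v = 0;
    int rc;
    memset(sets, 0, sizeof sets);
    set_add(&a, "s", 42);
    rc = obj_bind(&o, &b, "s", check_owner);   /* object in B references A's set */
    *eval_rc = 0;
    if (rc == 0) {
        table_delete(&a);
        *eval_rc = obj_eval(&o, &v);
    }
    return rc;
}

int vulnerable_path_is_uaf(void)  { int ev; return scenario(0, &ev) == 0 && ev == -EFAULT; }
int fixed_path_rejects_bind(void) { int ev; return scenario(1, &ev) == -ENOENT; }

int main(void)
{
    printf("global lookup: cross-table bind %s\n", vulnerable_path_is_uaf() ? "accepted; use after table delete hits freed memory" : "unexpected");
    printf("scoped lookup: cross-table bind %s\n", fixed_path_rejects_bind() ? "rejected with -ENOENT" : "unexpected");
    return 0;
}
```

The point to take from the model is that the fix is a one-line ownership comparison at bind time, not a change to how sets are freed: once a reference is allowed to cross a table boundary, nothing in table deletion can find and invalidate it.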
As of June 26, 2024, Tenable has 63 plugins that detect this vulnerability; they are listed at: https://www.tenable.com/plugins/search?q=%22CVE-2022-2586%22&sort=&page=1. Alternatively, log into Tenable.sc and enter CVE-2022-2586 in the search bar at the top right of the dashboard to find any results in your environment.
Recommended Actions:
* Verify the host has not been compromised before applying patches; patching does not remove an attacker who has already obtained root.
* Apply the vendor-provided kernel updates to vulnerable systems immediately after appropriate testing, and reboot (or live-patch) so that the fixed kernel is actually the one running.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Note that this vulnerability is a local privilege escalation, so this limits what an attacker can do before exploitation rather than preventing it.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."