Linux Kernel Vulnerability Allows Privilege Escalation

What is CVE-2022-29581?

There is a vulnerability in the Linux Kernel that allows an attacker with system access to elevate to root privileges. This would allow them to execute arbitrary code to establish persistent access, move laterally, or exfiltrate data.

The vulnerability is a use-after-free issue in the kernel's Network Queuing and Scheduling subsystem, which does not properly count references to an object, according to the Ubuntu security team. In addition to elevation of privileges, an attacker with local access could exploit the vulnerability to crash the system and deny service.

Linux Kernel versions between 4.14 and 5.18 are vulnerable to attack. The vulnerability has not yet been scored by NIST.

What is a Use-After-Free Vulnerability?

A use-after-free vulnerability is an issue related to incorrect use of dynamic memory during program operation, according to MITRE.

So, what does that actually mean? As programs run on a computer, they can request that a section of the computer's memory be reserved for their use. Once the program has finished the work for which it needed that memory, it usually requests to “free” it, since it doesn’t need it anymore.

When a program has a use-after-free vulnerability, it’s typically because there’s an error in how the program tracks that memory, or confusion over which part of the program is supposed to free the memory in the first place.

The vulnerable program then references the now-freed memory, which may since have been handed out to some other allocation. This can be bad, as an attacker could place or reference data in the freed, but still referenced, memory to do things like execute arbitrary code or elevate privileges.
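The following is an added teaching example, not code from the Linux kernel, from the Ubuntu advisory, or from Automox. It models the “who frees it” confusion described above with a small reference-counted object: a second holder of the pointer forgets to take its own reference, so the first holder's release frees the object while the second still points at it. A tiny liveness table (a stand-in for what a memory-error detector tracks) lets the dangling use be reported instead of dereferenced. All names (`obj_get`, `obj_put`, `obj_use`, the scenarios) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a reference-counted object whose refcount must be
 * incremented by every holder of the pointer and decremented exactly once
 * per holder. None of this is the kernel's code. */

#define MAX_LIVE 8

struct obj {
    int refcount;
    char name[16];
};

/* Liveness table: addresses of objects currently allocated. Stored and
 * compared as integers so that no freed pointer is ever dereferenced. */
static uintptr_t live[MAX_LIVE];

static int live_index(const struct obj *o)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == (uintptr_t)o)
            return i;
    return -1;
}

/* Number of objects still allocated; should be 0 once all holders are done. */
int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] != 0)
            n++;
    return n;
}

struct obj *obj_new(const char *name)
{
    struct obj *o = calloc(1, sizeof *o);
    if (!o)
        return NULL;
    o->refcount = 1;                      /* creator holds the first reference */
    snprintf(o->name, sizeof o->name, "%s", name);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == 0) { live[i] = (uintptr_t)o; break; }
    return o;
}

/* Each additional holder of the pointer must take its own reference. */
void obj_get(struct obj *o) { o->refcount++; }

/* Returns 1 if this put freed the object, 0 if it is still live,
 * -1 if the object was already freed (a double put). */
int obj_put(struct obj *o)
{
    int i = live_index(o);
    if (i < 0)
        return -1;
    if (--o->refcount > 0)
        return 0;
    live[i] = 0;
    free(o);
    return 1;
}

/* Copies the object's name into out. Returns 0, or -1 when the pointer is
 * dangling: dereferencing it here would be the use-after-free. */
int obj_use(const struct obj *o, char *out, size_t n)
{
    if (live_index(o) < 0)
        return -1;
    snprintf(out, n, "%s", o->name);
    return 0;
}

/* Buggy pattern: a second holder keeps the pointer but never calls obj_get,
 * so the first holder's obj_put drops the count to zero and frees it. */
int buggy_scenario(void)
{
    char buf[16];
    struct obj *o = obj_new("filter");
    const struct obj *second = o;               /* missing obj_get(o) */
    obj_put(o);                                 /* refcount 1 -> 0: freed */
    return obj_use(second, buf, sizeof buf);    /* -1: use after free */
}

/* Fixed pattern: every holder owns one reference and drops exactly one. */
int fixed_scenario(void)
{
    char buf[16];
    struct obj *o = obj_new("filter");
    struct obj *second = o;
    obj_get(o);                                 /* refcount 1 -> 2 */
    obj_put(o);                                 /* first holder done: 2 -> 1 */
    int rc = obj_use(second, buf, sizeof buf);  /* 0: still live */
    obj_put(second);                            /* last reference: 1 -> 0, freed */
    return rc;
}

int main(void)
{
    int buggy = buggy_scenario();
    int fixed = fixed_scenario();
    printf("buggy: %d (expect -1), fixed: %d (expect 0), live: %d\n",
           buggy, fixed, live_count());
    return 0;
}
```

The liveness check in `obj_use` is the educational shortcut: real code has no such table, so the dangling read in `buggy_scenario` would silently return whatever now occupies that memory, which is exactly why a miscounted reference in kernel code is a security problem rather than just a crash.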

Recommended Remediation

Almost all distributions are still assessing and triaging the potential impact of CVE-2022-29581 on their distributions. Since this is a vulnerability in the Linux Kernel, it can be assumed that the vulnerability will impact a large portion of distributions.

If you’re running Linux in your environment, we strongly recommend monitoring the distributions you run for impact and subsequent patches in the coming days. Or, implement a recurring, automated patch deployment to ensure your systems are secured as soon as a patch is released for each affected distribution. Here’s how you can do that using Automox.

Since an attacker could elevate existing access to root privileges, we recommend remediating within 72 hours of patch release for any affected distributions.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.
