CVE-2022-32250 Linux Kernel privilege escalation vulnerability, a use-after-free bug - unclear situation #5172

Closed
fst-net opened this issue Sep 12, 2022 · 7 comments

Comments


fst-net commented Sep 12, 2022

Describe the bug

Dear Raspi Team,
since June I have been waiting for a patch for CVE-2022-32250,
a Linux kernel privilege escalation vulnerability: a use-after-free bug that was found in the Linux kernel's net/netfilter/nf_tables_api.c.

It looks like it isn't patched yet.

In stock Debian this flaw was patched a long time ago, of course for kernels 5.10 and 5.18,
https://security-tracker.debian.org/tracker/CVE-2022-32250
but RaspiOS uses kernel 5.15?

One of my four Raspis is normally online with SSH access for external users. Because of this security flaw it has had to stay offline for three months now.

A fix or reply with a clarification would be nice.
See more information about it:
https://securityonline.info/cve-2022-32250-linux-kernel-privilege-escalation-vulnerability/

Best Regards
Macomaniac

Steps to reproduce the behaviour

As normal user pi:
unshare -Unr /bin/bash
looks like it gets a root shell.

And as root:
capsh --decode=$(grep CapEff /proc/self/status | cut -f2)
0x0000000000000000=
still lists the vulnerable cap_net_admin right.

I also tried the latest kernel via rpi-update, with no difference (see below under System).

Device(s)

Raspberry Pi 2 Mod. B

System

Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, 80d486687ea77d31fc3fc13cf3a2f8b464e129be, stage5

Aug 26 2022 14:04:36
Copyright (c) 2012 Broadcom
version 102f1e848393c2112206fadffaaf86db04e98326 (clean) (release) (start)

Linux Raspi-2 5.15.65-v7+ #1583 SMP Wed Sep 7 15:40:11 BST 2022 armv7l GNU/Linux

Logs

No response

Additional context

Davin from the Raspberrypi forum said I should open an issue here on github.

Contributor

pelwell commented Sep 12, 2022

As an LTS kernel, 5.15 received the back-port of the fix on Jun 6 2022 as part of 5.15.45 - see f692bcf. This was merged into rpi-5.15.y on the same day (b529410) and first appeared in the rpi-firmware releases the following day, hitting the stable branch on August 11 2022.

Author

fst-net commented Sep 12, 2022

Dear pelwell,
thanks for your fast response.

Sounds good, but I'm wondering because the tests (of course taken from another forum)
unshare -Unr /bin/bash (as normal user)
capsh --decode=$(grep CapEff /proc/self/status | cut -f2) (as root)

make it look like the RaspiOS kernel 5.15.65 is still vulnerable, because the same tests on patched Ubuntu or Debian systems show different output.

Do you know another CLI test to check whether a RaspiOS system is truly safe against CVE-2022-32250?
Thanks in advance

Contributor

kralo commented Sep 12, 2022

I think your test is flawed.
I know nothing about unshare, but it seems you are not "the root". Try apt update in your "root shell"; it should not work.

For me:

user@pi:~ $ unshare -Unr /bin/bash
root@pi:~ # touch /boot/config.txt
touch: cannot touch '/boot/config.txt': Permission denied
root@pi:~ # uname -a
Linux pi 5.15.65-v8+ #1583 SMP PREEMPT Wed Sep 7 15:43:35 BST 2022 aarch64 GNU/Linux
root@pi:~ # id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root@pi:~ # ls -ltrh /boot/config.txt
-rwxr-xr-x  1 nobody nogroup 2.4K Jul 21 09:58 config.txt

Author

fst-net commented Sep 12, 2022

Dear kralo,
Yes, you didn't get a real root shell, but I didn't find any test other than the two I posted first.

It seems you are German-speaking. It was first discussed at the heise forum here:
https://www.heise.de/forum/heise-online/Kommentare/Fehler-in-Linux-Kernel-ermoeglicht-Rechteausweitung/Leider-ungenaue-bis-falsche-Beschreibung-der-Rahmenbedingungen-Mitigation/posting-41113548/show/

What I know is that on some other systems the unshare "test" didn't work anymore after the kernel was patched.

I only want to be sure that RaspiOS with kernel 5.15.x is safe, because I had not found anything about this security flaw relating directly to RaspiOS before.
Regards

Contributor

kralo commented Sep 12, 2022

Reading the link you posted, changing into the namespace is a prerequisite to trigger the bug, not the bug itself.
The bug is fixed in the mainline Linux kernel and the change is in the Raspberry Pi kernel, as pointed out.
Unless you are going to compile and try the PoC, I wouldn't bother researching this further.
The Raspi should be safe.

> What I know is that on some other systems the unshare "test" didn't work anymore after the kernel was patched.

Did you specifically check this before and after? Because some distributions limit kernel capabilities via settings, and thus the prerequisite to trigger the bug disappears.
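The two facts the thread keeps running together are the kernel version (pelwell: the 5.15 LTS back-port landed in 5.15.45) and the exploit prerequisite (kralo: an unprivileged user namespace, which is what `unshare -Unr` creates). The following script is an added example, not code from the Raspberry Pi project or from anyone in this thread; it checks both separately. The 5.15.45 threshold is the only fixed version stated on this page, so any other series is reported as UNKNOWN rather than guessed, and the sysctl names, the script filename `check_32250.sh` and the result labels are this example's own choices.

```shell
#!/bin/sh
# Added example (not a script from the Raspberry Pi project or this thread).
# It separates the two things the thread conflates:
#   1. whether the running kernel is at or beyond 5.15.45, the 5.15 LTS
#      release pelwell names as carrying the CVE-2022-32250 back-port;
#   2. whether the exploit prerequisite, an unprivileged user namespace
#      (what `unshare -Unr` creates), is available to a normal user.
# Only the 5.15 threshold comes from the thread; for any other series the
# script reports UNKNOWN instead of assuming a version.

# Reduce "5.15.65-v7+" / "5.10.103+" to a single comparable integer.
ver_to_num() {
    v=${1%%-*}            # drop a "-v7+" style suffix
    v=${v%%+*}            # drop a trailing "+"
    IFS=. read -r maj min pat <<EOF
$v
EOF
    echo $(( ${maj:-0} * 100000000 + ${min:-0} * 10000 + ${pat:-0} ))
}

# True when kernel version $1 is at or beyond version $2.
version_ge() {
    [ "$(ver_to_num "$1")" -ge "$(ver_to_num "$2")" ]
}

# First stable release of a series that includes the fix.
# Only 5.15.45 is stated on this page; everything else is left empty.
fix_version_for() {
    case "$1" in
        5.15.*) echo 5.15.45 ;;
        *)      echo "" ;;
    esac
}

# Prints FIXED, OLDER_THAN_FIX or UNKNOWN for a `uname -r` string.
classify_kernel() {
    fixed=$(fix_version_for "$1")
    if [ -z "$fixed" ]; then
        echo UNKNOWN
    elif version_ge "$1" "$fixed"; then
        echo FIXED
    else
        echo OLDER_THAN_FIX
    fi
}

# Can an unprivileged user enter a new user namespace at all?
# Debian-derived kernels expose kernel.unprivileged_userns_clone; mainline
# kernels expose user.max_user_namespaces. Finish with the same empirical
# check the thread uses, but running `true` instead of an interactive shell.
userns_available() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
    fi
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
    fi
    unshare -Unr true 2>/dev/null
}

main() {
    k=$(uname -r)
    printf 'kernel %s: %s (relative to the 5.15.45 back-port)\n' "$k" "$(classify_kernel "$k")"
    if userns_available; then
        echo 'unprivileged user namespaces: available (exploit prerequisite present)'
    else
        echo 'unprivileged user namespaces: not available (prerequisite absent)'
    fi
}

# Run the report only when executed under the assumed filename, so the
# functions can also be sourced into another script without side effects.
case "$0" in
    */check_32250.sh|check_32250.sh) main ;;
esac
```

For the kernels in this thread, `5.15.65-v7+` and `5.15.65-v8+` classify as FIXED and `5.10.103+` as UNKNOWN, because the page gives no 5.10 fix version. A kernel reported as OLDER_THAN_FIX is not necessarily exploitable (vendors back-port fixes without bumping the version), and a FIXED kernel with user namespaces available is the normal, safe state: the `unshare -Unr` shell the issue describes is the prerequisite kralo mentions, not evidence of the bug.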

Author

fst-net commented Sep 12, 2022

I think yes, I tried it before and after the patch, but that was 3 months ago; I can't swear an oath on it. ;-)

I don't want to make a PoC. After pelwell's and your statements I would trust that the current RaspiOS kernel 5.15.x is safe. So my little system can go back online.
Thanks for your help.

Author

fst-net commented Sep 12, 2022

I just figured out that my test system (Raspi 2) had been bumped by me via rpi-update to kernel 5.15.65 in the meantime, while watching incoming updates.
But my online system (Raspi 1, powered back on after 3 months) is still on kernel 5.10.
Linux 5.10.103+ #1529 Tue Mar 8 12:19:18 GMT 2022 armv6l GNU/Linux

It seems that oldstable RaspiOS (Buster) gets no kernel update to 5.15, or to a newer patched 5.10, through the standard apt dist-upgrade procedure. My Raspi 1 is still on Buster, and Raspi 2 was updated to Bullseye within the last 3 months.

But before I reopen my question for kernel 5.10, I will use rpi-update to move this system to the 5.15 line as well.

fst-net closed this as completed Sep 13, 2022