CVE-2021-22555 - very high - how does one deal with this?

The compat IPT_SO_SET_REPLACE/IP6T_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allows local users to gain privileges or cause a denial of service (heap memory corruption) via user namespace. This vulnerability is very similar to CVE-2016-3134 (CVSSv3 8.4 High) and CVE-2016-4997 (CVSSv3 7.8 High).

Compile the code below using gcc -m32 -o poc poc.c and run it. The following panic has been observed on Linux 5.4.73 with KASAN:

I’m wondering, how does one go about properly applying a sort of patch to their system, for stuff like this?

So, what I’m reading here is “local user” that needs to be able to run gcc.

And this has been used to escape k8s in a hacking contest, so I’m reading.

I see in the top right of the github page: “patched kernels”.

So, on a Ubuntu system, one would have to apt update and then apt upgrade the kernel, and I suppose reboot?

Ubuntu has some kind of “live kernel reload” stuff but I don’t know how that works.

I sometimes see updates like 4.6.0-132 becoming 4.6.0-134 (making the number up here). I suppose that’s not good enough?

Livepatch, yes.

For small installations it’s free, I’m pretty sure they want enterprise to pay though.

Ahh: Canonical Livepatch Service | Security | Ubuntu

Free for 3 machines.

3 Likes
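To make the "apt upgrade, then reboot or Livepatch" workflow from the posts above concrete, here is a small POSIX shell helper. It is an added example, not code from the thread or from Canonical: a kernel package that apt installs only becomes the running kernel after a reboot, so until then `uname -r` still reports the old build, and the script flags that gap. It assumes GNU or BusyBox `sort -V`, and for the live checks an Ubuntu host with `dpkg-query`, the `/var/run/reboot-required` marker, the Ubuntu-specific sysctl `kernel.unprivileged_userns_clone` (the CVE text says the bug is reached via a user namespace), and optionally the `canonical-livepatch` client. The sample version numbers are constructed, mirroring the made-up 132/134 numbers in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the Ubuntu
# "apt update && apt upgrade, then reboot or Livepatch" workflow.
# Assumes GNU/BusyBox `sort -V`; the live checks assume an Ubuntu host.

# newest_version VERSION...: print the highest version string among the arguments.
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_update_pending RUNNING INSTALLED...: true (exit 0) when an installed
# kernel is newer than the running one, i.e. the apt upgrade has not taken
# effect yet and a reboot (or a Livepatch for the fix) is still required.
kernel_update_pending() {
    running="$1"; shift
    [ "$(newest_version "$running" "$@")" != "$running" ]
}

# userns_verdict VALUE: interpret the Ubuntu sysctl kernel.unprivileged_userns_clone.
# 0 means unprivileged users cannot create user namespaces, which closes the
# unprivileged route into the affected setsockopt that the CVE text mentions;
# this is hardening on top of patching, not a substitute for it.
userns_verdict() {
    case "$1" in
        0) echo "restricted" ;;
        1) echo "unrestricted" ;;
        *) echo "unknown" ;;
    esac
}

# report_live_host: run the checks against this machine (Ubuntu assumed).
report_live_host() {
    running="$(uname -r)"
    # Installed kernel image packages, e.g. linux-image-5.4.0-134-generic -> 5.4.0-134-generic
    installed="$(dpkg-query -W -f='${Package}\n' 'linux-image-[0-9]*' 2>/dev/null \
        | sed 's/^linux-image-//')"
    echo "running kernel     : $running"
    echo "newest installed   : $(newest_version $running $installed)"
    if kernel_update_pending "$running" $installed || [ -f /var/run/reboot-required ]; then
        echo "reboot needed      : yes (or apply the fix via Livepatch)"
    else
        echo "reboot needed      : no"
    fi
    echo "unprivileged userns: $(userns_verdict "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)")"
    if command -v canonical-livepatch >/dev/null 2>&1; then
        canonical-livepatch status
    else
        echo "livepatch          : client not installed"
    fi
}

# Constructed sample: the host still runs -132 although apt has installed -134.
demo() {
    if kernel_update_pending 4.6.0-132-generic 4.6.0-132-generic 4.6.0-134-generic; then
        echo "sample host: newer kernel installed, reboot still pending"
    fi
}

# Run the live report only when asked, so the helpers can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    report_live_host
else
    demo
fi
```

Run it with `--live` on the host after `apt upgrade`; if it reports a pending reboot and no Livepatch client, the vulnerable kernel is still the one executing, whatever the package list says. The `-132` to `-134` ABI bump in the thread is exactly the situation the first function detects: the new build is on disk but not running.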

I am not sure if this is a viable mitigation, but if you are worried about heap corruptions in general and can live with a small performance penalty you can look into the hardened_malloc implementation. It was developed from the ground up by Daniel Micay, the developer of GrapheneOS, and has been recommended to be used for critical applications.

3 Likes