Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk - 2 Netfilter Vulnerabilities
CVE-2022-1015, CVE-2022-1016 [EGI-SVG-CVE-2022-1015]
Date: 2022-08-08
Updated: 2022-09-26
Affected software and risk
==========================
HIGH risk vulnerabilities concerning Netfilter
Package : Netfilter
CVE ID : CVE-2022-1015, CVE-2022-1016
Bug ID :
CVSS Score : 6.6 (for CVE-2022-1015) [R 1] 5.5 (for CVE-2022-1016) [R 2]
Two vulnerabilities have been reported in the Linux kernel Netfilter subsystem,
both of which may allow privilege escalation [R 1] [R 2]. Not all versions
of Linux are affected.
Actions required/recommended
============================
Sites should check whether they are running a vulnerable kernel in a vulnerable
configuration. If they are, they should either:--
a) install an updated version of the Linux kernel, if a patched version is available for
the distribution they have installed.
or
b) Carry out the mitigation below, if it is not already in place.
The EGI SVG considers the mitigation is sufficient to protect sites from this vulnerability.
It is noted that there is not yet a patch for RHEL7 and RHEL 8 (but these are only
vulnerable to CVE-2022-1016) or RHEL 9.
Component installation information
==================================
Sites running RHEL should see [R 1], [R 2] (patch not available yet)
Sites running Debian should see [R 3] [R 4]
Sites running Ubuntu should see [R 5] [R 6]
Sites running RockyLinux should see [R 7]
Sites running Almalinux should see [R 8]
Mitigation
==========
Sites should disable _network_ namespaces, unless they are needed.
Note that we generally recommend disabling _network_ namespaces unless they are explicitly
required on the host, as this mitigates many vulnerabilities.
Note that this works for Singularity [R 9], thus allowing unprivileged user namespaces to be
kept enabled for Singularity.
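As an added illustration (not part of this advisory), a small POSIX shell check that reports whether the mitigation is in place on a host, i.e. network namespaces disabled while user namespaces remain available for Singularity. It assumes the network-namespace limit is exposed as the user.max_net_namespaces sysctl and that the persistent setting lives in a file under /etc/sysctl.d; both should be confirmed against the site's distribution.

```shell
#!/bin/sh
# Added example (not part of the EGI advisory): check whether this host has the
# mitigation above in place, i.e. network namespaces disabled while user
# namespaces stay available for Singularity.
# Assumption: the limit is controlled by the user.max_net_namespaces sysctl
# (mainline since 4.9); a value of 0 stops new network namespaces being created.

# Read a sysctl from /proc/sys; print "missing" if this kernel does not expose it.
read_sysctl() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Classify a user.max_net_namespaces value.
classify_net_ns() {
    case "$1" in
        0)       echo mitigated ;;   # no new network namespaces allowed
        missing) echo unknown ;;     # sysctl absent: kernel too old to tell
        *)       echo allowed ;;     # unprivileged users can create network namespaces
    esac
}

# Combine the two limits into a one-line verdict. Arguments: the values of
# user.max_user_namespaces and user.max_net_namespaces.
assess() {
    case "$(classify_net_ns "$2")" in
        mitigated)
            case "$1" in
                0|missing) echo "mitigated (user namespaces also disabled)" ;;
                *)         echo "mitigated (user namespaces still available)" ;;
            esac ;;
        unknown) echo "cannot determine: user.max_net_namespaces not present" ;;
        allowed) echo "NOT mitigated: unprivileged network namespaces allowed" ;;
    esac
}

# The sysctl.d fragment that applies the mitigation persistently (assumed path).
mitigation_conf() {
    printf '# /etc/sysctl.d/99-disable-net-ns.conf\nuser.max_net_namespaces = 0\n'
}

main() {
    echo "kernel: $(uname -r)"
    u=$(read_sysctl user.max_user_namespaces)
    n=$(read_sysctl user.max_net_namespaces)
    echo "user.max_user_namespaces: $u"
    echo "user.max_net_namespaces:  $n"
    echo "verdict: $(assess "$u" "$n")"
}
main
```

The limit only blocks creation of new namespaces, so network namespaces that already existed when the sysctl was set are unaffected; after applying it, confirm from an unprivileged shell that creating a network namespace now fails.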
Affected software details
=========================
According to RedHat:--
CVE-2022-1015 only affects RHEL 9.
CVE-2022-1016 affects RHEL7, RHEL 8 and RHEL 9.
Note that it is not fully clear whether RHEL7 is affected or not,
as Red Hat simply says 'Out of support scope'.
More information
================
EGI SVG considers this 'HIGH' risk due to the way that Worker Nodes and User Interfaces operate,
in cases where this vulnerability is exploitable. This is because large numbers of users are
able to access a system. This means a local root exploit is more serious than in typical scenarios
outside of our grid environment.
It is noted that for RHEL7 Red Hat states 'Out of support scope'. nftables is a tech preview only in
RHEL7, which means that the risk for RHEL7 is likely to be low.
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2022-1015
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI,
you may report it by e-mail to
report-vulnerability at egi.eu
and the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].
References
==========
[R 1] https://access.redhat.com/security/cve/CVE-2022-1015
[R 2] https://access.redhat.com/security/cve/CVE-2022-1016
[R 3] https://security-tracker.debian.org/tracker/CVE-2022-1015
[R 4] https://security-tracker.debian.org/tracker/CVE-2022-1016
[R 5] https://ubuntu.com/security/CVE-2022-1015
[R 6] https://ubuntu.com/security/CVE-2022-1016
[R 7] https://errata.rockylinux.org/
[R 8] https://errata.almalinux.org/
[R 9] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867
Credit
======
SVG was alerted to this vulnerability by Sam Skipsey
Timeline
========
Yyyy-mm-dd [EGI-SVG-2022-CVE-2022-1015]
2022-03-29 SVG alerted to this issue by Sam Skipsey
2022-03-29 Acknowledgement from the EGI SVG to the reporter
2022-03--- Investigation of vulnerability and relevance to EGI carried out
2022-04-08 After testing, unable to get exploit to work
2022-07-28 Looked again.
2022-08-02 Drafted advisory to suggest vulnerable sites patch if possible and/or take
mitigating action
2022-08-08 Advisory sent to sites.
2022-09-26 Advisory placed on Advisories.egi.eu
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative commons licence
https://creativecommons.org/licenses/by/4.0/
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------
On behalf of the EGI SVG,