EGI SVG Advisories

Advisory-SVG-CVE-2022-1015

Title:   EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk - 2 Netfilter Vulnerabilities 
         CVE-2022-1015, CVE-2022-1016  [EGI-SVG-CVE-2022-1015]

Date:    2022-08-08
Updated: 2022-09-26

Affected software and risk
==========================

HIGH risk vulnerabilities concerning Netfilter

Package    : Netfilter
CVE ID     : CVE-2022-1015, CVE-2022-1016
Bug ID     : 
CVSS Score : 6.6 (for CVE-2022-1015) [R 1], 5.5 (for CVE-2022-1016) [R 2]

Two vulnerabilities have been reported concerning the Linux kernel Netfilter subsystem,
both of which may allow privilege escalation [R 1] [R 2]. Not all versions
of Linux are affected.

Actions required/recommended
============================


Sites should check whether they are running a vulnerable kernel in a vulnerable
configuration. If they are, they should either:

a) install an updated version of the Linux kernel, if a patched version is available for
the distribution they have installed;

or

b) carry out the mitigation below, if it is not already in place.

The EGI SVG considers the mitigation sufficient to protect sites from these vulnerabilities.

It is noted that there is not yet a patch for RHEL7 and RHEL 8 (but these are only 
vulnerable to CVE-2022-1016)  or RHEL 9. 


Component installation information
==================================

Sites running RHEL should see [R 1], [R 2] (patch not available yet)

Sites running Debian should see [R 3] [R 4] 

Sites running Ubuntu should see [R 5] [R 6]

Sites running RockyLinux should see [R 7] 

Sites running Almalinux should see [R 8]

Mitigation
==========

Sites should disable _network_ namespaces, unless they are needed.
Note that we in general recommend disabling _network_ namespaces unless they are explicitly
required on the host, as this mitigates many vulnerabilities.

Note that this works for Singularity [R 9], thus allowing unprivileged user namespaces to be
kept enabled for Singularity.
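The advisory says what to disable but not how. The script below is an added example, not part of the EGI advisory or of any distribution's documentation. It assumes the mitigation is implemented through the `user.max_net_namespaces` sysctl (a kernel knob since Linux 4.9; that it is the intended mechanism here is an assumption, since the advisory does not name it). Setting it to 0 stops processes from creating new network namespaces, which is what an unprivileged user would otherwise need in order to obtain CAP_NET_ADMIN over a namespace and talk to nf_tables, while `user.max_user_namespaces` can stay raised for Singularity. The functions take the sysctl path as an argument so the check can be exercised on a copy of the file; the file path, function names and the `/etc/sysctl.d` drop-in name are all of this example's own choosing.

```shell
#!/bin/sh
# Added example (not from the EGI advisory). Checks and, if asked, applies the
# "disable network namespaces" mitigation via user.max_net_namespaces, an
# assumed mechanism: the advisory itself does not name a sysctl.

# Path of the sysctl knob; overridable so the functions can be tried on a copy.
NETNS_SYSCTL="${NETNS_SYSCTL:-/proc/sys/user/max_net_namespaces}"

# netns_status FILE
#   Prints "disabled" when the limit is 0 (mitigation in place), "enabled (N)"
#   otherwise, or "unknown" if the knob cannot be read (old kernel or no /proc).
#   Return code: 0 = mitigated, 1 = not mitigated, 2 = unknown.
netns_status() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 2
    fi
    limit=$(tr -d '[:space:]' < "$file")
    case "$limit" in
        0) echo "disabled"; return 0 ;;
        *) echo "enabled ($limit)"; return 1 ;;
    esac
}

# netns_disable FILE
#   Writes 0 to the knob (needs root on the live system). The change does not
#   survive a reboot; persist it with a drop-in such as
#   /etc/sysctl.d/90-netns.conf containing "user.max_net_namespaces = 0"
#   (file name chosen for this example).
netns_disable() {
    printf '0\n' > "$1"
}

# nft_module_loaded [MODULES_FILE]
#   Reports whether nf_tables is currently loaded, reading /proc/modules by
#   default. Return code: 0 = loaded, 1 = not loaded or file unreadable.
nft_module_loaded() {
    modules="${1:-/proc/modules}"
    [ -r "$modules" ] && grep -q '^nf_tables ' "$modules"
}

# When run directly: report the live state without changing anything.
echo "network namespaces: $(netns_status "$NETNS_SYSCTL")"
if nft_module_loaded; then
    echo "nf_tables module: loaded"
else
    echo "nf_tables module: not loaded (or /proc/modules unreadable)"
fi
```

Run it as-is for a read-only report; to apply the mitigation, call `netns_disable "$NETNS_SYSCTL"` as root and add the sysctl drop-in so it survives reboots. An "enabled" result together with a loaded nf_tables module on an unpatched kernel is the configuration the advisory is concerned about.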

Affected software details
=========================

According to Red Hat:

CVE-2022-1015 only affects RHEL 9.
CVE-2022-1016 affects RHEL7, RHEL 8 and RHEL 9.

Note that it is not fully clear whether RHEL7 is affected or not;
Red Hat simply says 'Out of support scope'.

More information
================

EGI SVG considers this 'HIGH' risk due to the way that Worker Nodes and User Interfaces operate,
in cases where this vulnerability is exploitable. This is because large numbers of users are
able to access a system, which means a local root exploit is more serious than in typical scenarios
outside of our grid environment.

It is noted that for RHEL7 Red Hat states 'Out of support scope'. nftables is a tech preview only in
RHEL7, which means that the risk for RHEL7 is likely to be low.


TLP and URL
===========

** WHITE information - Unlimited distribution
 - see https://go.egi.eu/tlp for
   distribution restrictions **
   
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2022-1015
Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].

References
==========

[R 1] https://access.redhat.com/security/cve/CVE-2022-1015

[R 2] https://access.redhat.com/security/cve/CVE-2022-1016

[R 3] https://security-tracker.debian.org/tracker/CVE-2022-1015

[R 4] https://security-tracker.debian.org/tracker/CVE-2022-1016

[R 5] https://ubuntu.com/security/CVE-2022-1015

[R 6] https://ubuntu.com/security/CVE-2022-1016

[R 7] https://errata.rockylinux.org/ 

[R 8] https://errata.almalinux.org/ 

[R 9] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity

[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867

Credit
======
SVG was alerted to this vulnerability by Sam Skipsey

Timeline
========


2022-03-29 SVG alerted to this issue by Sam Skipsey
2022-03-29 Acknowledgement from the EGI SVG to the reporter
2022-03--- Investigation of vulnerability and relevance to EGI carried out 
2022-04-08 After testing, unable to get exploit to work
2022-07-28 Looked again.
2022-08-02 Drafted advisory to suggest vulnerable sites patch if possible and/or take 
           mitigating action
2022-08-08 Advisory sent to sites.
2022-09-26 Advisory placed on Advisories.egi.eu

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

-----------------------------
This advisory is subject to the Creative commons licence 
https://creativecommons.org/licenses/by/4.0/ 
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------


On behalf of the EGI SVG,