GHSA-34VW-M4RH-R36P

Vulnerability from github – Published: 2022-09-16 17:17 – Updated: 2022-09-16 17:17
VLAI
Summary
Talos vulnerable dependency due to race condition in Linux kernel's IP framework XFRM
Details

Impact

A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.

Patches

The fix has been backported to 5.15.64 version of the upstream Linux kernel (5.15 is the upstream Kernel long term version Talos ships with). Talos >= v1.2.0 is shipped with Linux Kernel 5.15.64 fixing the above issue.

Kubernetes workloads running in Talos are not affected since user namespaces are disabled in Talos kernel config. So an unprivileged user cannot obtain CAP_NET_ADMIN by unsharing. However untrusted workloads that run with privileged: true or having NET_ADMIN capability poses a risk.

Workarounds

Audit kubernetes workloads running in the cluster with privileged: true set or having NET_ADMIN capability and assess the threat vector.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-3028
  • https://access.redhat.com/security/cve/CVE-2022-3028

For more information

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/talos-systems/talos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T17:17:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nA race condition was found in the Linux kernel\u0027s IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.\n\n### Patches\nThe fix has been backported to [5.15.64](https://www.linuxkernelcves.com/cves/CVE-2022-3028) version of the upstream Linux kernel (5.15 is the upstream Kernel long term version Talos ships with). Talos \u003e= v1.2.0 is shipped with Linux Kernel 5.15.64 fixing the above issue.\n\nKubernetes workloads running in Talos are not affected since user namespaces are disabled in Talos kernel config. So an unprivileged user cannot obtain CAP_NET_ADMIN by unsharing. However untrusted workloads that run with privileged: true or having NET_ADMIN capability poses a risk.\n\n### Workarounds\nAudit kubernetes workloads running in the cluster with privileged: true set or having NET_ADMIN capability and assess the threat vector.\n\n### References\n- https://nvd.nist.gov/vuln/detail/CVE-2022-3028\n- https://access.redhat.com/security/cve/CVE-2022-3028\n\n### For more information\n- Email us at [security@siderolabs.com](mailto:security@siderolabs.com)\n",
  "id": "GHSA-34vw-m4rh-r36p",
  "modified": "2022-09-16T17:17:37Z",
  "published": "2022-09-16T17:17:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/talos/security/advisories/GHSA-34vw-m4rh-r36p"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siderolabs/talos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Talos vulnerable dependency due to race condition in Linux kernel\u0027s IP framework XFRM"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…