External risk intelligence

Linux Kernel Local Privilege Escalation Vulnerability

CVE advisoryKnown Exploit

CVE-2022-0185

A Linux kernel vulnerability allows a local user to escalate privileges by exploiting a flaw in parameter length verification within the Filesystem Context functionality. This can lead to unauthorized elevated access on a compromised system. The realistic business risk involves potential unauthorized system control and

1Halo Surface Signal

Integer Overflow

Linux Kernel

5.1 to before 5.4.1735.5 to before 5.10.935.11 to before 5.15.165.16 to before 5.16.2

External exposure likelihood

Halo Surface Signal score for CVE-2022-0185

This vulnerability exists within the Linux kernel and requires a local user to execute code on the system to trigger the flaw. It is a local privilege escalation issue that is not reachable via the network, making public internet exposure not applicable to the attack surface.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Linux kernel's Filesystem Context functionality could allow a local user to escalate privileges. The flaw resides in how the `legacy_parse_param` function handles parameter length verification. Exploiting this could grant unauthorized elevated access on a compromised system.

  • Vulnerable Linux kernel component
  • Flaw in parameter length verification
  • Local privilege escalation impact

Attack Path

How an attacker could exploit the issue

This vulnerability affects the Linux kernel's filesystem handling. An attacker can exploit a flaw in how the kernel parses parameters within certain filesystems. This allows an unprivileged local user to gain elevated privileges on the system.

  • Requires local access.
  • Attacker opens a specific filesystem.
  • Triggers privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a risk of privilege escalation for local users on affected systems. An attacker with initial access could exploit this flaw to gain elevated permissions, potentially leading to unauthorized system control and data compromise. Organizations should prioritize addressing this vulnerability to mitigate potential business risks.

  • Likely attacker skill level: Low
  • Required access or conditions: Local system access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows local users with specific privileges to escalate their access on affected systems. Understanding the scope of impact is critical for maintaining system integrity and preventing unauthorized access. The business risk involves potential unauthorized system control and data compromise.

  • Identify systems running the affected Linux kernel versions or NetApp firmware.
  • Isolate or restrict access to potentially vulnerable systems.
  • Apply vendor patches, verify implementation, and monitor for anomalies.

Frequently asked questions

What is the CVE-2022-0185 vulnerability impacting the Linux kernel's Filesystem Context functionality?

CVE-2022-0185 is a heap-based buffer overflow flaw in the Linux kernel's `legacy_parse_param` function within Filesystem Context. It arises from improper verification of supplied parameters length. This could allow an unprivileged local user, or one with CAP_SYS_ADMIN in a namespaced environment, to escalate privileges on systems using filesystems that fallback to legacy handling.

What is the specific weakness class and how is it exploited in CVE-2022-0185?

The vulnerability is classified under CWE-190 (Integer Overflow or Wraparound) and CWE-191 (Integer Underflow or Wraparound). An attacker exploits this by opening a filesystem that does not support the Filesystem Context API, causing the system to use legacy handling where the flawed `legacy_parse_param` function resides. This leads to a buffer overflow, enabling privilege escalation.

What is the trigger path for CVE-2022-0185, and does it involve scope negation?

The trigger path involves a local user opening a filesystem that does not support the Filesystem Context API, forcing a fallback to legacy parameter handling. The `legacy_parse_param` function then improperly verifies parameter lengths, leading to a heap-based buffer overflow. Scope negation is not explicitly mentioned in the context, but the vulnerability allows for privilege escalation within the system.

What is the relevance of CVE-2022-0185, especially concerning the Halo Surface Signal?

CVE-2022-0185 is a local privilege escalation vulnerability in the Linux kernel. The Halo Surface Signal indicates it is 'Very unlikely' to be exposed externally because it requires local system access to exploit. The attack vector is local (AV:L), meaning it's not reachable over the network, limiting its direct public internet exposure.

What practical steps should be taken to address CVE-2022-0185?

To address CVE-2022-0185, identify all systems running affected Linux kernel versions or NetApp firmware. Apply vendor-provided patches promptly and verify their successful implementation. Monitor systems for any unusual activity or anomalies post-patching. If patches are unavailable, consider isolating or restricting access to potentially vulnerable systems.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified