External risk intelligence

Linux Kernel Privilege Escalation via Cgroups v1 Release Agent

CVE advisory | Known Exploit

CVE-2022-0492

A vulnerability in the Linux kernel's cgroup v1 release_agent feature allows privilege escalation and bypass of namespace isolation. This requires local, authenticated access and could lead to unauthorized system access if reachable.

1 Halo Surface Signal

Authentication Bypass

Netapp H300s Firmware

2.6.24 to before 4.9.301; 4.10 to before 4.14.266; 4.15 to before 4.19.229; 4.20 to before 5.4.177; 5.5 to before 5.10.97; 5.11 to before 5.15.20; 5.16 to before 5.16.6; 5.17; 9.0; 10.0; 11.0; 8.0;...

External exposure likelihood

Halo Surface Signal score for CVE-2022-0492

This vulnerability resides in the Linux kernel, specifically in its cgroup v1 functionality. Exploitation requires local, authenticated access to the system, so in common deployment patterns it is not public-internet-facing or reachable via network services.

PCI scan relevance

PCI Relevance for CVE-2022-0492

Yes

CVE-2022-0492 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Linux kernel vulnerability allows privilege escalation by exploiting the cgroups v1 release_agent feature. This could impact systems processing cardholder data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in the Linux kernel that could allow privilege escalation. This flaw impacts systems using the cgroups v1 release_agent feature, potentially enabling unauthorized access to elevated permissions. The primary concern is confirming its relevance and exposure within your environment.

  • Allows local users to gain higher privileges.
  • Critical for systems using specific Linux kernel features.
  • Confirm relevance and exposure in your environment.

Attack Path

How an attacker could exploit the issue

An attacker with initial local access to a system could exploit a flaw in the Linux kernel's cgroup v1 release_agent feature. This could allow them to escalate privileges and escape namespace isolation.

  • Requires local, authenticated access.
  • Triggered by abusing cgroup v1 release_agent.
  • Risk of privilege escalation and isolation bypass.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, this vulnerability in the Linux kernel could allow an attacker with local access to escalate privileges by bypassing namespace isolation through the cgroups v1 release_agent feature.

  • System privilege escalation.
  • Local authenticated access required.
  • Unauthorized system access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Linux kernel versions that use the cgroups v1 release_agent feature. The crucial first step is to identify all systems running an affected kernel version and assess their exposure. After that, confirm business criticality and coordinate with the relevant teams to plan remediation based on risk.

  • System owners should lead remediation efforts.
  • Verify systems using cgroups v1 release_agent.
  • Plan remediation based on exposure and criticality.
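For the verification step above, an added triage sketch (not part of the advisory or any vendor tooling): it compares a kernel release string with the upstream ranges listed on this page and reports cgroup v1 hierarchies whose `release_agent` is set. The function names are hypothetical, and distribution kernels that backport the fix can fall inside a range while being patched, so treat "affected" as a prompt to check the vendor advisory.

```shell
#!/bin/sh
# Added example. Ranges are the "X to before Y" entries listed on this page;
# bare entries without a range (such as 5.17) are not handled here.

# Print "affected" or "not-in-range" for a kernel release string.
kernel_status() {
    # Strip any distro suffix: 5.10.0-11-amd64 -> 5.10.0
    base=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    printf '%s\n' "$base" | awk -F. '
        function num(a, b, c) { return a * 1000000 + b * 1000 + c }
        {
            v = num($1, $2, $3)
            # start (inclusive) : first fixed release (exclusive)
            n = split("2.6.24:4.9.301 4.10.0:4.14.266 4.15.0:4.19.229 " \
                      "4.20.0:5.4.177 5.5.0:5.10.97 5.11.0:5.15.20 " \
                      "5.16.0:5.16.6", r, " ")
            for (i = 1; i <= n; i++) {
                split(r[i], p, ":"); split(p[1], lo, "."); split(p[2], hi, ".")
                if (v >= num(lo[1], lo[2], lo[3]) && v < num(hi[1], hi[2], hi[3])) {
                    print "affected"; exit
                }
            }
            print "not-in-range"
        }'
}

# List cgroup v1 mount points (fstype "cgroup"; v2 is "cgroup2") in a mounts file.
cgroup_v1_mounts() {
    awk '$3 == "cgroup" { print $2 }' "${1:-/proc/self/mounts}"
}

# Print "<mountpoint> <agent>" for v1 hierarchies whose release_agent is non-empty.
configured_release_agents() {
    cgroup_v1_mounts "$1" | while read -r m; do
        agent=$(cat "$m/release_agent" 2>/dev/null) || continue
        if [ -n "$agent" ]; then printf '%s %s\n' "$m" "$agent"; fi
    done
    return 0
}

# Report for the local host (upstream version comparison only).
rel=$(uname -r)
echo "kernel $rel: $(kernel_status "$rel")"
[ -r /proc/self/mounts ] && configured_release_agents
```

A non-empty `release_agent` is not malicious by itself; compare any reported path against what the host's own service manager or container runtime is expected to configure.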

Frequently asked questions

What is the primary function affected by the Linux kernel vulnerability CVE-2022-0492 and how does it enable privilege escalation?

CVE-2022-0492 affects the `cgroup_release_agent_write` function within the Linux kernel's cgroups v1 implementation. Under specific conditions, this vulnerability allows an attacker with local access to exploit the cgroups v1 `release_agent` feature to escalate privileges and bypass namespace isolation. This means a user with limited permissions could gain administrative control over the system.

What weakness class does CVE-2022-0492 represent, and what is required for exploitation?

This vulnerability is classified under weakness classes CWE-287 (Improper Authentication) and CWE-862 (Missing Authorization); exploitation requires local, authenticated access to the affected system.

What is the trigger path for CVE-2022-0492, and does it involve scope negation?

The trigger path involves the `cgroup_release_agent_write` function in the Linux kernel. Exploitation can occur when the cgroups v1 `release_agent` feature is used, potentially allowing an attacker to escalate privileges and unexpectedly bypass namespace isolation. The vulnerability's nature inherently involves bypassing isolation, which could be considered a form of scope negation in the context of privilege escalation.

How does CISA classify the threat posed by CVE-2022-0492, and what is its current status?

The Cybersecurity and Infrastructure Security Agency (CISA) has listed CVE-2022-0492 on its Known Exploited Vulnerabilities (KEV) catalog. This indicates that the vulnerability has been actively exploited in the wild, necessitating urgent attention and mitigation.

What steps should be taken to respond to CVE-2022-0492 in a Linux environment?

To address CVE-2022-0492, administrators should identify all affected Linux kernel versions utilizing the cgroups v1 `release_agent` feature. This involves assessing the system's exposure and subsequently applying vendor-provided mitigations or patches. For cloud services, following applicable guidance from BOD 22-01 is recommended. If mitigations are unavailable, discontinuing the use of the affected product may be necessary.

References