[Bug 1959173] [NEW] Vulnerability in af_packet handling

Khaled El Mously 1959173 at bugs.launchpad.net
Thu Jan 27 06:28:00 UTC 2022 

Public bug reported:

CVE-2021-22600

A vulnerability, which was classified as critical, was found in Linux
Kernel. Affected is the function packet_set_ring of the file
net/packet/af_packet.c. The manipulation with an unknown input leads to
a memory corruption vulnerability. This is going to have an impact on
confidentiality, integrity, and availability.

The weakness was released 01/26/2022. The advisory is shared for
download at git.kernel.org. This vulnerability is traded as
CVE-2021-22600 since 01/05/2021. The exploitability is told to be easy.
It is possible to launch the attack remotely. A authentication is
required for exploitation. There are known technical details, but no
exploit is available. The current price for an exploit might be approx.
USD $5k-$25k (estimation calculated on 01/26/2022).

Applying a patch is able to eliminate this problem. The fix is
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ec6af094ea28f0f2dda1a6a33b14cd57e36a9755

More information at:
https://partnerissuetracker.corp.google.com/issues/215427453

** Affects: linux-gke (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux-gke (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Also affects: linux-gke (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: klibc (Ubuntu)

** Also affects: linux-gke (Ubuntu Focal)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to klibc in Ubuntu.
https://bugs.launchpad.net/bugs/1959173

Title:
  Vulnerability in af_packet handling

Status in linux-gke package in Ubuntu:
  New
Status in linux-gke source package in Focal:
  New

Bug description:
  CVE-2021-22600

  A vulnerability, which was classified as critical, was found in Linux
  Kernel. Affected is the function packet_set_ring of the file
  net/packet/af_packet.c. The manipulation with an unknown input leads
  to a memory corruption vulnerability. This is going to have an impact
  on confidentiality, integrity, and availability.

  The weakness was released 01/26/2022. The advisory is shared for
  download at git.kernel.org. This vulnerability is traded as
  CVE-2021-22600 since 01/05/2021. The exploitability is told to be
  easy. It is possible to launch the attack remotely. A authentication
  is required for exploitation. There are known technical details, but
  no exploit is available. The current price for an exploit might be
  approx. USD $5k-$25k (estimation calculated on 01/26/2022).

  Applying a patch is able to eliminate this problem. The fix is
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ec6af094ea28f0f2dda1a6a33b14cd57e36a9755

  More information at:
  https://partnerissuetracker.corp.google.com/issues/215427453

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-gke/+bug/1959173/+subscriptions

More information about the foundations-bugs mailing list