When you're firewall is the vulnerability, it's probably not good. Posting for awareness.
https://nvd.nist.gov/vuln/detail/CVE-2022-25636
John
My heart almost skipped a beat until I read this in the CVE description:
"... Linux kernel 5.4 through 5.6.10 allows local users to gain privileges ..."
So, not likely to affect any of my busiest systems (because of the kernel version range), and not remotely exploitable in any case.
Still, good to know. Will watch for kernel upgrade packages.
Thanks for sharing!
Gilbert
On 2022-03-16 8:47 a.m., John Lange wrote:
Sorry about the incorrect subject line and causing unnecessary panic. It is *NOT* remotely exploitable. I read "netfilter" and my brain automatically went to remote vulnerability since protecting against remote threats is what firewalls do.
John
On Wed, Mar 16, 2022 at 9:50 AM Glen Ditchfield GJDitchfield@acm.org wrote:
As far as I can tell/recall, the numbers are not assigned sequentially (thankfully, to your point).
Here: https://cve.mitre.org/cve/identifiers/syntaxchange.html they're called arbitrary, and here: https://cve.mitre.org/cve/identifiers/tech-guidance.html under "Considerations for Output Format" and "Sorting", they say "CVE IDs are not allocated sequentially based on the disclosure date".
I believe that CNAs (CVE Numbering Authorities) are allocated blocks by the CNA or other authority above them in the hierarchy, so CVE-2022-25XXX would be allocated to a specific CNA, and they would hand out numbers as needed (or assign to vulnerabilities within their own products). Though, in this case, that was handed out by Mitre Corp., which is a top-level CNA.
That assignment process I don't have a source for, though, so I may be wrong. Here's a bit of explanation on the hierarchy though: https://www.cve.org/ProgramOrganization/Structure
David Dyck david@ddyck.ca
-----Original Message----- From: Roundtable roundtable-bounces@muug.ca On Behalf Of Glen Ditchfield Sent: March 16, 2022 9:49 AM To: roundtable@muug.ca Subject: Re: [RndTbl] Remotely exploitable netfilter
On Wednesday, March 16, 2022 8:47:48 A.M. CDT John Lange wrote:
I suppose CVE numbers are given out sequentially? And we're at 25,636, in mid-March? Seems like it was only yesterday when they had to expand the CVE ID format beyond 4 digits...
_______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable