Three New Linux Kernel Vulnerabilities Discovered

An anonymous security researcher has reported three new vulnerabilities to the maintainers of the Linux kernel. The vulnerabilities may result in arbitrary code execution in the event that a threat actor has local access to a system.

The first vulnerability (CVE-2022-41850) is a use-after-free race condition in the human interface device (HID) driver for Roccat devices. This vulnerability would allow a local attacker to execute arbitrary code on the victim host.

The second vulnerability (CVE-2022-41848) is also a use-after-free type race condition that exists in the HID driver for SyncLink PC Card serial adapter devices. This would allow a local attacker to execute arbitrary code by removing a PCMCIA device while calling ioctl.

The final vulnerability (CVE-2022-41849), like the others, is a use-after-free race condition. The HID driver involved in this vulnerability is used to run SMSC UFX USB devices. In this instance, the vulnerability can be exploited by physically removing a USB device while calling the Linux open() function, once again allowing arbitrary code execution.

Analyst Notes

All three vulnerabilities exist in the Linux kernel version 5.19.12 and have been fixed by the kernel maintainers. However, mainstream distros have not yet implemented the patched kernel in their upstream repositories. At the time of writing, Ubuntu, Debian, and Red Hat have not yet released the patched kernel. Systems administrators should ensure that their Linux-based hosts are on a frequent update cycle so that the vulnerabilities will be resolved when their respective upstream releases the patch. Until then, it is recommended to pay close attention to users that have physical access to vulnerable hosts, and limit access as much as possible.
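
An exposure check to go with the note above, added here as an example and not part of the original advisory: it reports which of the three affected drivers are currently loaded on a host. The module names hid_roccat, synclink_cs and smscufx are assumptions taken from the upstream kernel tree, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original advisory.
# Module names are assumptions taken from the upstream kernel tree.
AFFECTED="hid_roccat:CVE-2022-41850 synclink_cs:CVE-2022-41848 smscufx:CVE-2022-41849"

# affected_loaded: reads text in /proc/modules format on stdin
# (name size refcount dependants state address) and prints
# "module CVE refcount" for every affected driver that is loaded.
affected_loaded() {
    mods=$(cat)
    for pair in $AFFECTED; do
        mod=${pair%%:*}
        cve=${pair#*:}
        # Exact match on the module name, so hid_roccat_kone is not
        # mistaken for hid_roccat.
        printf '%s\n' "$mods" |
            awk -v m="$mod" -v c="$cve" '$1 == m { print m, c, $3 }'
    done
}

# Constructed sample of /proc/modules content, for offline testing.
sample_modules() {
    cat <<'EOF'
hid_roccat_kone 20480 0 - Live 0x0000000000000000
hid_roccat 16384 1 hid_roccat_kone, Live 0x0000000000000000
usbhid 65536 0 - Live 0x0000000000000000
smscufx 32768 0 - Live 0x0000000000000000
ext4 983040 1 - Live 0x0000000000000000
EOF
}

# Check the running host only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    affected_loaded < /proc/modules
fi
```

An empty result only means the drivers are not loaded at that moment; the kernel can load a driver on demand when a matching device is attached, so the patched kernel is still required.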

CVE-2022-41850: Linux kernel code execution vulnerability