CVE-2022-1353 Overview
A vulnerability was found in the pfkey_register function (net/key/af_key.c) of the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading either to a system crash or to a leak of internal kernel information. The vulnerability stems from improper memory initialization when composing SADB (Security Association Database) supported messages.
Critical Impact
Local unprivileged users can exploit this vulnerability to access sensitive kernel memory contents or cause system denial of service through kernel crashes.
Affected Products
- Linux Kernel (versions prior to the security patch, including 5.17 release candidates rc1-rc8)
- Debian Linux 9.0, 10.0, and 11.0
- Red Hat Enterprise Linux 8.0
- NetApp H-Series firmware (H300S, H500S, H700S, H410S, H300E, H500E, H700E, H410C)
Discovery Timeline
- April 29, 2022 - CVE-2022-1353 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-1353
Vulnerability Analysis
This vulnerability is classified as an Information Disclosure flaw (CWE-200) residing in the Linux kernel's PF_KEY socket implementation. The pfkey_register function, located in net/key/af_key.c, is responsible for registering security associations used by IPsec. When this function calls compose_sadb_supported() to build a response message, the allocated memory is not properly zero-initialized before use.
The lack of proper memory initialization means that the kernel may inadvertently include residual data from previously allocated memory in the SADB supported message structure. This uninitialized memory can contain sensitive kernel information that gets exposed to unprivileged local users who interact with the PF_KEY socket interface.
Root Cause
The root cause of this vulnerability is the missing __GFP_ZERO flag on the memory allocation performed inside compose_sadb_supported(). Without this flag, a plain GFP_KERNEL allocation does not guarantee zeroed memory, so any part of the buffer that the compose path does not explicitly write keeps whatever the memory previously held. That stale kernel data is then copied to userspace as part of the SADB protocol message response.
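To make the root cause concrete, here is an added userspace model (not kernel code and not from the fix commit): a toy allocator that hands out a buffer already holding stale bytes, a compose routine that writes every field of the PF_KEYv2 sadb_supported and sadb_alg structures except the reserved ones, and a checker that counts reserved bytes reaching userspace non-zero. The struct layouts are those of RFC 2367; that the stale bytes sit in the reserved fields is an assumption, as are the MODEL_GFP_ZERO flag and all function names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* PF_KEYv2 extension structs, layout as in RFC 2367 / <linux/pfkeyv2.h>. */
struct sadb_supported { uint16_t sadb_supported_len, sadb_supported_exttype;
                        uint32_t sadb_supported_reserved; };
struct sadb_alg { uint8_t sadb_alg_id, sadb_alg_ivlen;
                  uint16_t sadb_alg_minbits, sadb_alg_maxbits, sadb_alg_reserved; };
#define MODEL_GFP_ZERO 1u   /* hypothetical stand-in for the kernel's __GFP_ZERO */
/* Toy allocator: 0xAA fill models recycled kernel memory; zeroed only if the flag asks. */
static unsigned char *model_alloc(size_t len, unsigned flags) {
    unsigned char *p = malloc(len);
    if (!p) return NULL;
    memset(p, (flags & MODEL_GFP_ZERO) ? 0 : 0xAA, len);
    return p;
}
/* Builds an SADB_EXT_SUPPORTED_AUTH extension the way the kernel's compose path
 * does: every field is written except the *_reserved ones. Caller frees. */
static unsigned char *compose_supported(unsigned flags, const struct sadb_alg *algs, int n) {
    size_t len = sizeof(struct sadb_supported) + (size_t)n * sizeof(struct sadb_alg);
    unsigned char *buf = model_alloc(len, flags);
    if (!buf) return NULL;
    struct sadb_supported *sp = (struct sadb_supported *)buf;
    sp->sadb_supported_len = (uint16_t)(len / 8);   /* length in 64-bit units */
    sp->sadb_supported_exttype = 14;                /* SADB_EXT_SUPPORTED_AUTH */
    struct sadb_alg *a = (struct sadb_alg *)(buf + sizeof *sp);
    for (int i = 0; i < n; i++)   /* id, ivlen, minbits, maxbits; reserved untouched */
        memcpy(&a[i], &algs[i], offsetof(struct sadb_alg, sadb_alg_reserved));
    return buf;
}
/* Defender-side check: count non-zero bytes in reserved fields (parsed as userspace would). */
static int leaked_reserved_bytes(const unsigned char *msg) {
    size_t len = ((const struct sadb_supported *)msg)->sadb_supported_len * 8u;
    int leaked = 0;
    for (size_t off = 0; off < len; off++) {
        int in_reserved = off < 8 ? off >= offsetof(struct sadb_supported, sadb_supported_reserved)
                                  : off % 8 >= offsetof(struct sadb_alg, sadb_alg_reserved);
        leaked += in_reserved && msg[off] != 0;
    }
    return leaked;
}
/* Constructed sample: two auth algorithms (MD5HMAC, SHA1HMAC ids per RFC 2367). */
static int leaked_bytes_with_flags(unsigned flags) {
    const struct sadb_alg algs[2] = { {2, 0, 128, 128, 0}, {3, 0, 160, 160, 0} };
    unsigned char *msg = compose_supported(flags, algs, 2);
    int leaked = msg ? leaked_reserved_bytes(msg) : -1;
    free(msg);
    return leaked;
}
```

Built without the flag, the sample message carries 8 stale bytes (4 in the header, 2 per algorithm entry); built with it, none, which is the effect the patch relies on.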
Attack Vector
The vulnerability requires local access to the system. An unprivileged local user can exploit this flaw by:
- Opening a PF_KEY socket (which requires CAP_NET_ADMIN in some configurations, but not all)
- Sending a SADB_REGISTER message to the kernel
- Receiving the composed SADB_SUPPORTED response containing uninitialized memory
- Extracting leaked kernel memory information from the response
The attack can lead to information disclosure of kernel memory contents or potentially trigger a system crash depending on the memory state.
xfrm_probe_algs();
- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL);
+ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
if (!supp_skb) {
if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
pfk->registered &= ~(1<<hdr->sadb_msg_satype);
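Review bot: the new `__GFP_ZERO` on the `compose_sadb_supported(hdr, ...)` call carries no comment saying why it is needed, and the fix only holds if `compose_sadb_supported()` passes that allocation mask through unchanged to its skb allocation, so a one-line comment at the call site (for example `/* zero the skb: the SADB supported message has fields the compose path never writes */`) would stop a later cleanup from dropping the flag. The hunk is also pasted without its `@@` header and original indentation, so it cannot be applied as shown; the unchanged `if (!supp_skb)` error path that clears the bit in `pfk->registered` is unaffected by the change.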
Source: GitHub Linux Commit 9a564b
Detection Methods for CVE-2022-1353
Indicators of Compromise
- Unusual PF_KEY socket activity from unprivileged user processes
- Unexpected SADB_REGISTER messages recorded in system logs
- Processes attempting to access IPsec key management interfaces without legitimate purpose
- Kernel oops or crash logs referencing pfkey_register or af_key.c
Detection Strategies
- Monitor for processes opening PF_KEY sockets that are not part of legitimate IPsec or VPN configurations
- Implement audit rules to track socket creation with protocol family PF_KEY (family 15)
- Use kernel tracing tools to monitor calls to pfkey_register function
- Deploy endpoint detection solutions that can identify anomalous kernel interface interactions
Monitoring Recommendations
- Enable kernel audit logging for socket system calls with the PF_KEY protocol family
- Configure SentinelOne agents to monitor for suspicious local privilege escalation patterns
- Implement real-time monitoring of kernel crash events and correlate with user activity
- Review system logs for repeated failed or unusual SADB protocol interactions
How to Mitigate CVE-2022-1353
Immediate Actions Required
- Update the Linux kernel to a patched version that includes commit 9a564bccb78a76740ea9d75a259942df8143d02c
- Apply vendor-specific security patches from Debian, Red Hat, or NetApp as applicable
- Restrict access to PF_KEY sockets by ensuring proper CAP_NET_ADMIN capability requirements
- Consider disabling unused kernel modules related to IPsec if not required
Patch Information
The official fix has been merged into the Linux kernel via commit 9a564bccb78a76740ea9d75a259942df8143d02c. The patch adds the __GFP_ZERO flag to the memory allocation in compose_sadb_supported(), ensuring that the allocated buffer is zero-initialized before use.
Vendor-specific patches are available:
- Debian Security Advisory DSA-5127
- Debian Security Advisory DSA-5173
- Red Hat Bug Report #2066819
- NetApp Security Advisory ntap-20220629-0001
Workarounds
- Restrict PF_KEY socket access through SELinux or AppArmor policies to limit exposure
- Use network namespaces to isolate processes that require IPsec functionality
- Implement strict user access controls to limit local user capabilities
- Monitor and audit all IPsec-related kernel interactions until patching is complete
# Configuration example
# Audit PF_KEY socket creation: socket(2) with domain (a0) 15 = PF_KEY on the 64-bit ABI
auditctl -a always,exit -F arch=b64 -S socket -F a0=15 -k pfkey_monitor
# Confirm the rule is loaded and review any matching events
auditctl -l | grep pfkey_monitor
ausearch -k pfkey_monitor
# Verify the running kernel version, then check it against your distribution's
# advisory to confirm the fix from commit 9a564bccb78a76740ea9d75a259942df8143d02c is included
uname -r
# Review loaded IPsec-related kernel modules
lsmod | grep -E "af_key|xfrm"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

