Linux secure networking security bug found and fixed
1 min read
Apr 04, 2022
An obnoxious security bug discovered in Linux's IPSec secure networking program has now been fixed.
Nothing is quite as vexing as a security hole in a security program. Xiaochen Zou, a graduate student at the University of California, Riverside, went looking for bugs in Linux and found a whopper. This vulnerability, CVE-2022-27666, in IPSec's esp6 (Encapsulating Security Payload) crypto module can be abused for local privilege escalation.
The problem is your basic heap overflow hole. Xiaochen explained that "the basic logic of this vulnerability is that the receiving buffer of a user message in esp6 module is an 8-page buffer, but the sender can send a message larger than 8 pages, which clearly creates a buffer overflow." Yes, yes it will.
Related Articles
1 - 0 min read
Hacked VMs Reveal New Attack Risks
1 - 0 min read
Growth in Open Source Use Among Businesses Analyzed
1 - 0 min read
SPDX 3.0 Revolutionizes Software Management & Security
