Linux Kernel rtnetlink Peer Namespace Capability Check Vulnerability

Vulnerability

A vulnerability in the Linux kernel's rtnetlink component allows unprivileged users to create network interfaces in arbitrary namespaces, including the initial network namespace. This issue arises because the rtnl_newlink() function does not properly check for the CAP_NET_ADMIN capability in the peer network namespace when creating paired devices, such as veth, vxcan, and netkit. The vulnerability can be exploited by users with a user namespace, who can manipulate network interfaces across different namespaces.

Impact

Exploitation of this vulnerability could lead to unauthorized creation of network interfaces in sensitive network namespaces, potentially disrupting network operations or bypassing network controls.

Reproduction

To reproduce this vulnerability, an unprivileged user who owns a user namespace can issue rtnetlink requests that create paired network devices with the peer placed in another network namespace. Because the peer namespace is never checked for CAP_NET_ADMIN, these requests succeed, creating interfaces in arbitrary network namespaces, including init_net, the initial network namespace.

Remediation

Users should upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix can be found in the Linux kernel stable tree.
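The advisory's precondition is an unprivileged user who owns a user namespace; where a host disables unprivileged user-namespace creation, that precondition is removed until the kernel can be upgraded. The POSIX shell audit below is an added example, not code from the advisory or the kernel project. It reads the upstream knob user.max_user_namespaces (/proc/sys/user/max_user_namespaces) and the Debian/Ubuntu-specific kernel.unprivileged_userns_clone, which is absent on other distributions. The PROC_ROOT argument, the function name userns_status and the AUDIT_RUN variable are this example's own choices; the script reports only the precondition and says nothing about whether the running kernel carries the fix.

```shell
#!/bin/sh
# Report whether unprivileged users on this host can obtain a user namespace,
# the precondition for the missing peer-namespace CAP_NET_ADMIN check to be
# reachable. Exit 0 when creation is restricted, 1 when it is allowed.
#
# $1 (optional, hypothetical PROC_ROOT): directory standing in for /proc so the
# checker can be pointed at a constructed tree; defaults to the real /proc.
userns_status() {
    proc_root="${1:-/proc}"
    max_file="$proc_root/sys/user/max_user_namespaces"
    clone_file="$proc_root/sys/kernel/unprivileged_userns_clone"

    # Upstream knob: a hard limit of 0 forbids new user namespaces entirely.
    if [ -r "$max_file" ]; then
        max="$(cat "$max_file")"
        if [ "$max" -eq 0 ] 2>/dev/null; then
            echo "restricted: user.max_user_namespaces=0"
            return 0
        fi
    fi

    # Debian/Ubuntu out-of-tree knob: 0 limits user-namespace creation to
    # privileged callers. Silently skipped where the file does not exist.
    if [ -r "$clone_file" ]; then
        clone="$(cat "$clone_file")"
        if [ "$clone" = "0" ]; then
            echo "restricted: kernel.unprivileged_userns_clone=0"
            return 0
        fi
    fi

    echo "exposed: unprivileged user namespaces allowed"
    return 1
}

# Run against the live system only when explicitly requested, e.g.
#   AUDIT_RUN=1 sh audit_userns.sh
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    userns_status
fi
```

A "restricted" result means the unprivileged path described in the Reproduction section is closed on that host; an "exposed" result on an unpatched kernel is the condition the advisory describes. Either way the upgrade above remains the fix, since root in a container that legitimately holds a user namespace is still affected.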

Added: Apr 30, 2026, 11:20 AM
Updated: Apr 30, 2026, 11:20 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 7.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.