New DirtyFrag variant *Fragnesia* exploits Linux kernel XFRM ESP-in-TCP (CVE pending) for local privilege escalation via page cache corruption. Unprivileged attackers can overwrite read-only files (e.g., /usr/bin/su) to gain root without disk modification.

In brief - A logic flaw in Linux kernel's XFRM ESP-in-TCP handling enables unprivileged local attackers to corrupt page cache contents and escalate privileges. Exploits AES-GCM keystream manipulation; partial mitigations exist but patching is critical.

Technically - Fragnesia abuses skb coalescing in the XFRM ESP-in-TCP subsystem by splicing file-backed pages into a TCP receive queue before ESP processing. Attackers use CAP_NET_ADMIN (via user/network namespaces), NETLINK_XFRM to install crafted ESP SAs, and trigger in-place decryption to corrupt cached file pages. Demonstrated by overwriting /usr/bin/su with an ELF payload executing setresuid(0,0,0). AppArmor restrictions on unprivileged user namespaces may mitigate, but kernel patches are required.

Source: https://www.wiz.io/blog/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp

#Cybersecurity #ThreatIntel