Multiple Netfilter Vulnerabilities Found in the Linux Kernel
In 2023 so far, 233 vulnerabilities have been recorded for the Linux kernel, with an average Common Vulnerability Scoring System (CVSS) base score of 6.5 out of 10. Several of them, rated medium to high in severity, sit in the kernel’s Netfilter subsystem, and they can be used by a local user to escalate privileges or crash the system.
The National Vulnerability Database (NVD) rates the flaws discussed here as “high” severity, meaning they can cause significant damage; they should be patched promptly.
In this blog post, we will look at some high-severity vulnerabilities discovered in the Linux kernel’s netfilter subsystem.
High-Severity Netfilter Vulnerabilities
A race condition in nf_tables, the netfilter component behind nftables, can be exploited for local privilege escalation. The race is between a netlink control-plane transaction and the garbage collection of nft_set elements: when both operate on the same element, its reference counter can be decremented once too often and underflow, so the element is freed while a reference to it is still in use, which is a use-after-free.
A second use-after-free in nf_tables can likewise be leveraged for local privilege escalation. When nf_tables_delrule() flushes the rules of a table, it does not check whether a chain is bound (that is, an anonymous chain attached to and owned by the rule that jumps to it), and under certain circumstances the chain’s owner rule also releases the same objects, so they are freed through two paths.
A third use-after-free in nf_tables arises when an error occurs while an nftables rule is being built. In that error path, deactivating an immediate expression in nft_immediate_deactivate() may unbind the chain it references, leaving deactivated objects that are subsequently used.
A use-after-free was also found when a rule is added with NFTA_RULE_CHAIN_ID, the netlink attribute that refers to a chain by its transaction-local ID instead of by name. A local attacker can use it to crash the system or escalate privileges.
Another nf_tables use-after-free stems from the error handling of bound chains: in the abort path of an NFT_MSG_NEWRULE request, the chain is released and then touched again. Triggering it requires CAP_NET_ADMIN, but note that nf_tables only demands this capability in the caller’s own network namespace; on distributions that allow unprivileged user namespaces, an ordinary user can create a user and network namespace in which they hold CAP_NET_ADMIN, so the requirement does not by itself rule out local privilege escalation.
Finally, a use-after-free in net/netfilter/nf_tables_api.c results from mishandled error handling for NFT_MSG_NEWRULE, which leaves a dangling pointer that can be used later in the same transaction. A local attacker with ordinary user access can exploit it to escalate privileges.
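Because several of the flaws above are reachable by any local user who can obtain CAP_NET_ADMIN in a namespace, a practitioner will want to know whether nf_tables is exposed to unprivileged users on a given host. The script below is an added example, not code from the original post or from KernelCare. It reads two things without changing anything: whether the nf_tables module is loaded (via /sys/module/nf_tables) and whether unprivileged users may create user namespaces (via the upstream user.max_user_namespaces limit and, where present, the Debian/Ubuntu kernel.unprivileged_userns_clone switch), then prints a verdict. The ROOT prefix and the function names are assumptions of this example, chosen so the checks can also run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original post): read-only check of two
# conditions that together let an unprivileged local user reach unpatched
# nf_tables code: the module is loaded, and unprivileged user namespaces
# (which grant CAP_NET_ADMIN in a fresh network namespace) are allowed.
# $1 of every function is a root prefix for /proc and /sys; use "/" on a
# live host or a constructed tree for testing (assumption of this example).

# Print the trimmed contents of a sysctl-style file, or "absent" if missing.
read_knob() {  # $1 = root, $2 = path relative to root
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'absent'
    fi
}

# "loaded" when the nf_tables module (built-in or loadable) is present.
nf_tables_state() {  # $1 = root
    if [ -d "$1/sys/module/nf_tables" ]; then
        printf 'loaded'
    else
        printf 'not-loaded'
    fi
}

# "allowed", "blocked" or "unknown": may an unprivileged user create user
# namespaces? user.max_user_namespaces=0 blocks it upstream;
# kernel.unprivileged_userns_clone=0 blocks it on Debian/Ubuntu kernels.
userns_state() {  # $1 = root
    max=$(read_knob "$1" proc/sys/user/max_user_namespaces)
    clone=$(read_knob "$1" proc/sys/kernel/unprivileged_userns_clone)
    case "$max" in
        absent) printf 'unknown'; return 0 ;;
        0)      printf 'blocked'; return 0 ;;
    esac
    if [ "$clone" = 0 ]; then
        printf 'blocked'
    else
        printf 'allowed'
    fi
}

# "exposed" only when both conditions hold; "reduced" otherwise.
verdict() {  # $1 = root
    if [ "$(nf_tables_state "$1")" = loaded ] && \
       [ "$(userns_state "$1")" = allowed ]; then
        printf 'exposed'
    else
        printf 'reduced'
    fi
}

report() {  # $1 = root
    printf 'nf_tables module:             %s\n' "$(nf_tables_state "$1")"
    printf 'unprivileged user namespaces: %s\n' "$(userns_state "$1")"
    printf 'verdict: %s (a kernel fix or live patch is still required)\n' \
        "$(verdict "$1")"
    return 0
}

report "${ROOT:-/}"
```

Run it on a live host with `ROOT=/ sh check_nft_exposure.sh` (the filename is arbitrary). Two caveats: "not-loaded" is only meaningful if module autoloading is restricted, because the netfilter netlink layer requests the nf_tables module on demand when a caller holding CAP_NET_ADMIN sends a message for it; and a "reduced" verdict shrinks the attack surface but does not remove the bug, so the kernel still needs the fix, whether by reboot or by live patch.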
Live Patching to Mitigate Netfilter Vulnerabilities
Netfilter vulnerabilities like these deserve prompt attention, since an unprivileged local user can turn them into a system crash (denial of service) or full privilege escalation. KernelCare Enterprise automates patch deployment: it applies kernel security patches without rebooting or disrupting running workloads, and patches can be rolled out as soon as they are released.
KernelCare Enterprise provides support for live patching across a wide range of popular enterprise Linux distributions, including Debian, RHEL, Ubuntu, CentOS, AlmaLinux, CloudLinux, and more.
For a comprehensive understanding of how live patching works, you can also schedule a conversation with our experts.
The descriptions in this article follow the vulnerability entries published by NIST in the National Vulnerability Database.