[CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory
by Phil Tadros
May 9, 2023

2023-05-09 15:02:15
oss-sec mailing list archives
From: Piotr Krysiuk <piotras () gmail com>
Date: Mon, 8 May 2023 16:58:20 +0100

A vulnerability has been discovered in the Linux kernel that can be abused by unprivileged local users to escalate privileges.

The issue is about Netfilter nf_tables accepting some invalid updates to its configuration.

Netfilter nf_tables allows updating its configuration with batch requests that group multiple basic operations into atomic transactions.

In a specific scenario, an invalid batch request may contain an operation that implicitly deletes an existing nft anonymous set followed by another operation that attempts to act on the same nft anonymous set after it is deleted.

In the above scenario, one example of the former operation is to delete an existing nft rule that uses an nft anonymous set. And an example of the latter operation is an attempt to delete an element from that nft anonymous set after the set gets deleted. Alternatively, the latter operation may even attempt to explicitly delete that nft anonymous set again.

In the discussed scenario, Netfilter nf_tables fails to reject the invalid batch request and then it corrupts its own internal state when committing the latter operation.

The issue has been reproduced against multiple Linux kernel releases, including Linux 6.3.1 (current stable).

We developed an exploit that allows unprivileged local users to start a root shell by abusing the above issue. That exploit was shared privately with <security () kernel org> to assist with fix development.

Someone from the Linux kernel team then emailed the proposed fix to <linux-distros () vs openwall org> and that email also included a link to download our description of exploitation techniques and our exploit source code. Therefore, according to the linux-distros list policy, the exploit must be published within 7 days from this advisory.

In order to comply with that policy, I intend to publish both the description of exploitation techniques and also the exploit source code on Monday 15th by email to this list.

The fix is available from the mainline kernel git repository:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=c1592a89942e9678f7d9c8030efa777c0d57edab

# Discoverers

Patryk Sondej <patryk.sondej () gmail com>
Piotr Krysiuk <piotras () gmail com>

# References

CVE-2023-32233 (reserved via https://cveform.mitre.org/)
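The advisory describes the missing check in terms of batch ordering: an operation may not act on an anonymous set that an earlier operation in the same batch has already deleted, whether implicitly (by deleting the last rule that references it) or explicitly. The following is an added, simplified Python model of that validation rule, written here as an illustration; it is not kernel code and not the fix linked above. The operation names, the in-memory state layout and the helper names are constructed for the example.

```python
"""Toy model of batch validation for anonymous sets.

Models the rule the advisory says nf_tables failed to enforce: once an
operation in a batch deletes an anonymous set (implicitly, by removing the
last rule referencing it, or explicitly), no later operation in that same
batch may touch that set.  Constructed example; not kernel code.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class Op(Enum):
    DEL_RULE = auto()     # delete a rule; anonymous sets it alone referenced go with it
    DEL_SETELEM = auto()  # delete an element from a set
    DEL_SET = auto()      # delete a set explicitly


@dataclass(frozen=True)
class BatchOp:
    op: Op
    target: str  # rule name for DEL_RULE, set name otherwise


@dataclass
class State:
    # set name -> (is_anonymous, names of rules referencing it)
    sets: dict[str, tuple[bool, set[str]]]
    # rule name -> set names the rule references
    rules: dict[str, list[str]]


class InvalidBatch(Exception):
    """Raised when a batch must be rejected as a whole (no partial commit)."""


def validate_batch(state: State, batch: list[BatchOp]) -> list[str]:
    """Walk the batch in order; return the sorted names of sets the batch
    would delete, or raise InvalidBatch if a later op acts on a set that an
    earlier op in the same batch already deleted."""
    deleted_sets: set[str] = set()
    deleted_rules: set[str] = set()
    # Live reference counts, tracked per-batch so the walk is side-effect free.
    refs = {name: set(r) for name, (_, r) in state.sets.items()}

    for bop in batch:
        if bop.op is Op.DEL_RULE:
            if bop.target not in state.rules or bop.target in deleted_rules:
                raise InvalidBatch(f"rule {bop.target!r} does not exist at this point")
            deleted_rules.add(bop.target)
            for sname in state.rules[bop.target]:
                refs[sname].discard(bop.target)
                anonymous, _ = state.sets[sname]
                # Last reference gone: an anonymous set is implicitly deleted.
                if anonymous and not refs[sname]:
                    deleted_sets.add(sname)
            continue

        # DEL_SETELEM / DEL_SET: the set must still exist at this point in the batch.
        if bop.target not in state.sets:
            raise InvalidBatch(f"set {bop.target!r} does not exist")
        if bop.target in deleted_sets:
            raise InvalidBatch(
                f"{bop.op.name} on set {bop.target!r} already deleted earlier in this batch"
            )
        if bop.op is Op.DEL_SET:
            deleted_sets.add(bop.target)

    return sorted(deleted_sets)


def check_batch(state: State, batch: list[BatchOp]) -> str | None:
    """Convenience wrapper: None if the batch is valid, else the rejection reason."""
    try:
        validate_batch(state, batch)
    except InvalidBatch as exc:
        return str(exc)
    return None


def sample_state() -> State:
    """Constructed fixture: one rule referencing one anonymous set."""
    return State(sets={"__set0": (True, {"rule1"})}, rules={"rule1": ["__set0"]})


if __name__ == "__main__":
    st = sample_state()
    # Invalid: the rule deletion implicitly drops __set0, then an element delete targets it.
    bad = [BatchOp(Op.DEL_RULE, "rule1"), BatchOp(Op.DEL_SETELEM, "__set0")]
    print("bad batch ->", check_batch(st, bad))
    # Valid: element delete happens before the set disappears.
    good = [BatchOp(Op.DEL_SETELEM, "__set0"), BatchOp(Op.DEL_RULE, "rule1")]
    print("good batch ->", check_batch(st, good), "deletes", validate_batch(st, good))
```

The point of the model is that validation runs over the whole batch before anything is committed, so an ordering problem is rejected up front instead of being discovered half-way through a commit, which is the situation the advisory describes as corrupting internal state.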
Current thread:
- [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory Piotr Krysiuk (May 08)