A vulnerability in Netfilter allowed privilege escalation on the system


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems

A few days ago the news was released about the discovery of a vulnerability in the Netfilter subsystem (used to intercept and manipulate network packets). The vulnerability, cataloged as CVE-2023-6817 and rated with a high severity score of 7.8, is a threat to consider, as it allows a local user to escalate their privileges on the system.

Netfilter is a crucial component that acts as a gatekeeper, managing the flow of data packets in the network stack and facilitating various operations such as modifying addresses, dropping packets, and logging activities.

It is mentioned that the flaw may result in a use-after-free condition, a dangerous scenario in which the system continues to use memory after it has been freed. This gives attackers a condition to exploit and could lead to application crashes, information disclosure, or, more alarmingly, local privilege escalation.

The vulnerability is present starting with version 5.6 of the Linux kernel (up to, but not including, Linux 5.10.204), as well as in Linux 5.11 (up to, but not including, Linux 5.15.143), Linux 5.16 (up to, but not including, Linux 6.1.68), Linux 6.2 (up to, but not including, 6.6.7) and RC1, 2, 3 and 4 of Linux 6.7 (the latter has already been released in its stable version, where the vulnerability has been fixed since RC5).

Regarding the problem, it is mentioned that it is due to a use-after-free in the nf_tables module, which is provided by the nftables packet filter, and is caused by a bug in the nft_pipapo_walk function: the iteration over PIPAPO (Pile Packet Policies) elements does not verify whether an element is active before operating on it, which can cause a use-after-free vulnerability.

The nft_rhash_walk() function in other set backends also does not skip inactive elements during the set walk and, as a result, the NFT_MSG_DELSETELEM command can be called twice in a transaction to remove each element in that set twice, resulting in a double free.

If the backend is a pipapo array, nft_pipapo_walk() will be called. This function does not check whether an element is active before operating on it, like similar functions in other set backends, such as nft_rhash_walk(). Therefore, the NFT_MSG_DELSETELEM command can be called twice in a transaction to delete each element in that set twice, resulting in a double free.

In addition, it is mentioned that for exploitation to succeed, the attack requires access to nftables, which can be obtained by having CAP_NET_ADMIN rights in any user namespace or network namespace; these can be granted, for example, in isolated containers. To demonstrate the vulnerability, a prototype exploit has been published for testing.

Finally, it should be mentioned that the flaw was addressed well before its disclosure: as we mentioned, the fix for the vulnerability was proposed in the test version of the Linux kernel, 6.7-rc5, and backported to the current stable Linux branches 5.10.204, 5.15.143, 6.1.68 and 6.6.7.

It is mentioned that the solution involves changing how the `nft_pipapo_walk` function operates: to fix the bug, it must skip inactive elements during set walks. This effectively prevents double deactivation of PIPAPO (Pile Packet Policies) elements, thus eliminating the use-after-free condition.
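The set-walk defect and its fix, as an added illustrative model written for this article (not kernel code): a simplified transaction in which the delete command walks the set twice, with element state reduced to a single active flag (an assumption; nf_tables uses per-generation bits), showing that without the activity check every element is queued for freeing twice.

```c
#include <stdbool.h>
#include <stddef.h>
#define NELEMS 4
/* Assumed simplification of nf_tables' per-generation element state:
 * one active flag instead of the kernel's genmask bits. */
struct elem {
    bool active;      /* live in the current generation? */
    int  free_count;  /* frees queued for commit; >1 means double free */
};
/* What NFT_MSG_DELSETELEM does to one element: deactivate it and
 * queue its memory to be freed when the transaction commits. */
static void deactivate_for_delete(struct elem *e)
{
    e->active = false;
    e->free_count++;
}
/* Pre-fix walk: visits every element, including ones already
 * deactivated earlier in the same transaction. */
static void walk_unfixed(struct elem *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        deactivate_for_delete(&set[i]);
}
/* Walk with the fix the article describes: inactive elements are skipped. */
static void walk_fixed(struct elem *set, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!set[i].active)
            continue;  /* the added activity check */
        deactivate_for_delete(&set[i]);
    }
}
/* Issue the delete command twice in one transaction and return the
 * highest number of frees queued for a single element. */
int max_frees_after_two_deletes(bool fixed)
{
    struct elem set[NELEMS] = { 0 };
    for (int i = 0; i < NELEMS; i++)
        set[i].active = true;
    for (int round = 0; round < 2; round++) {
        if (fixed) walk_fixed(set, NELEMS);
        else       walk_unfixed(set, NELEMS);
    }
    int worst = 0;
    for (int i = 0; i < NELEMS; i++)
        if (set[i].free_count > worst) worst = set[i].free_count;
    return worst;
}
```

With the unfixed walk every element reaches a free count of 2 (the double free the article describes); with the activity check the second walk touches nothing and the count stays at 1.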

Last, but not least, and as we always do, we recommend that all our dear readers apply the relevant fixes, since although the vulnerability could hardly be exploited remotely, it never hurts to apply the corresponding patches.

If you are interested in knowing more about it, you can check the details at the following link. Those interested in testing the exploit prototype can consult its code at the following link.

