CVE-2020-36694 - Netfilter Use-After-Free Vulnerability in the Linux Kernel Before 5.10

A security issue was discovered in the netfilter component of the Linux kernel versions prior to 5.10. The issue, tracked as CVE-2020-36694, could lead to a use-after-free vulnerability in the packet processing context due to improper handling of the per-CPU sequence count during concurrent iptables rules replacement. An attacker with CAP_NET_ADMIN capability in an unprivileged namespace could potentially exploit this vulnerability.

It is important to note that commit cc00bca, which attempted to address this vulnerability, was reverted in version 5.12 of the Linux kernel.

Code Snippet

The affected code resides in the netfilter component, specifically in the sequence of handling per-CPU sequence count during iptables rules replacement.

A simplified code snippet demonstrating the issue

/* net/netfilter/xt_replace.c */
static int
xt_replace_table(struct net *net, struct xt_table *new_table, 
                 unsigned int num_counters,
                 void __user *counters_ptr)
{
        // ...

        write_seqcount_begin(&table->relcpu_seq); // Write lock acquired

        // Concurrent updates are not properly protected
        list_replace_init(&table->rules, &new_table->rules);

        write_seqcount_end(&table->relcpu_seq); // Write lock released

        // ...
}

The write lock is acquired and released, but concurrent updates to the table are not effectively protected between these lock operations.

Original References

1. Linux Kernel git commit cc00bca
2. Linux Kernel git commit 46209da - Reverting cc00bca
3. Netfilter project homepage

Exploit Details

An attacker with CAP_NET_ADMIN capability in an unprivileged namespace could potentially exploit the use-after-free vulnerability in the packet processing context of the netfilter component. The vulnerability is due to improper handling of the per-CPU sequence count during concurrent iptables rules replacement.

To successfully exploit this vulnerability, the attacker would need to perform the following steps

1. Obtain CAP_NET_ADMIN capability in an unprivileged namespace on a target system running a vulnerable version of the Linux kernel.
2. Trigger concurrent updates of iptables rules, creating a race condition in which the use-after-free vulnerability could be triggered.
3. Leverage the use-after-free vulnerability to execute arbitrary code, compromise the target system, or cause a denial-of-service (DoS) condition.

Mitigation

To mitigate this vulnerability, users should update their Linux kernel to version 5.10 or later where the issue has been addressed. Additionally, users should follow the principle of least privilege and ensure that unprivileged namespaces have the minimum required capabilities to reduce the attack surface.

Conclusion

CVE-2020-36694 is a critical vulnerability in the netfilter component of the Linux kernel that could allow an attacker to execute arbitrary code or compromise the target system. It is crucial for users to update their kernel to a patched version and follow best security practices to reduce the chances of successful exploitation.

Timeline

Published on: 05/21/2023 23:15:00 UTC
Last modified on: 05/26/2023 03:35:00 UTC