A newly discovered vulnerability (CVE-2023-4244) in the Linux kernel affects the netfilter nf_tables component, allowing attackers to exploit a use-after-free issue to achieve local privilege escalation. The issue arises because of a race condition between the nf_tables netlink control plane transaction and the nft_set element garbage collection process.

Vulnerability Details

The vulnerability lies in the netfilter subsystem of the Linux kernel, specifically the nf_tables component. Two code paths can touch the same set elements at the same time: a netlink control plane transaction (for example a batch that deletes a set or its elements) and the garbage collector that removes elements whose timeout has expired. Nothing serialises the two, so the element's reference counter can be decremented once too often (underflowed) and the element is released while the other path still holds a pointer to it, which is the use-after-free. A local user who can send nf_tables netlink commands can turn this into privilege escalation and run code in kernel context.

Triggering the race takes two steps:

1. Creating an nft_set and adding elements to it (elements with a timeout are the ones the garbage collector later expires and removes)

2. Removing the nft_set and its elements with NFT_MSG_DELSET / NFT_MSG_DELSETELEM in a control plane transaction while those elements are being garbage collected
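The interleaving those two steps describe, written out as an added, self-contained C model for this page. It is not kernel code and does not reproduce an exploit: an asynchronous collector selects expired elements, the control plane deletes the set underneath it, and the collector then releases elements that were already freed. The fixed variant records a sequence counter when collection starts and discards its batch if a control plane transaction ran in between; that check, the structure names and the `freed` flag standing in for kfree() are this example's own assumptions, not nf_tables identifiers, and the characterisation of the check as the general shape of the upstream fix is the editor's, not the page's.

```c
/* Illustrative userspace model of the control-plane vs. GC race.
 * All names here are the example's own; none are nf_tables symbols. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ELEMS 8

struct elem {
    int id;
    long expires;   /* timeout in model ticks */
    bool freed;     /* stands in for kfree(): true once released */
};

struct set {
    struct elem storage[MAX_ELEMS];
    struct elem *elems[MAX_ELEMS];
    int n;
};

/* A GC batch: elements the collector decided to remove, plus the
 * control-plane sequence number observed when collection started. */
struct gc_batch {
    struct elem *victims[MAX_ELEMS];
    int n;
    unsigned long seq;
};

/* Bumped by every control-plane transaction (assumption of the model). */
static unsigned long ctrl_seq;

static void set_init(struct set *s, int n, long now)
{
    memset(s, 0, sizeof(*s));
    for (int i = 0; i < n; i++) {
        s->storage[i].id = i;
        /* even ids are already expired at 'now', odd ids are not */
        s->storage[i].expires = (i % 2 == 0) ? now - 1 : now + 100;
        s->elems[i] = &s->storage[i];
    }
    s->n = n;
}

/* GC step 1: walk the set and remember expired elements. They stay in
 * the set until the batch is committed, which is the window the
 * control plane can run in. */
static void gc_collect(const struct set *s, long now, struct gc_batch *b)
{
    b->n = 0;
    b->seq = ctrl_seq;
    for (int i = 0; i < s->n; i++)
        if (s->elems[i]->expires < now)
            b->victims[b->n++] = s->elems[i];
}

/* Control plane: a transaction deleting the set frees every element. */
static void ctrl_delete_set(struct set *s)
{
    ctrl_seq++;
    for (int i = 0; i < s->n; i++)
        s->elems[i]->freed = true;
    s->n = 0;
}

/* GC step 2, unfixed: release each victim without checking whether the
 * control plane ran in between. Returns how many victims were already
 * freed, i.e. accesses that would be use-after-free in a real kernel. */
static int gc_commit_unchecked(struct gc_batch *b)
{
    int uaf = 0;
    for (int i = 0; i < b->n; i++) {
        if (b->victims[i]->freed)
            uaf++;                      /* second release: UAF / underflow */
        else
            b->victims[i]->freed = true;
    }
    return uaf;
}

/* GC step 2, fixed: only apply the batch if no control-plane transaction
 * happened since collection; otherwise drop it (-1), a later pass retries. */
static int gc_commit_checked(struct gc_batch *b)
{
    if (b->seq != ctrl_seq)
        return -1;
    return gc_commit_unchecked(b);
}

/* The advisory's interleaving: collect, delete set, commit. */
static int run_race(bool fixed)
{
    struct set s;
    struct gc_batch b;
    set_init(&s, 4, 1000);
    gc_collect(&s, 1000, &b);   /* elements 0 and 2 are expired */
    ctrl_delete_set(&s);        /* frees all four elements */
    return fixed ? gc_commit_checked(&b) : gc_commit_unchecked(&b);
}

/* Control: GC with no concurrent transaction frees each victim once. */
static int run_gc_alone(void)
{
    struct set s;
    struct gc_batch b;
    set_init(&s, 4, 1000);
    gc_collect(&s, 1000, &b);
    return gc_commit_checked(&b);
}

int main(void)
{
    printf("unchecked GC commit after DELSET: %d double releases\n", run_race(false));
    printf("checked GC commit after DELSET:   %d (batch discarded)\n", run_race(true));
    printf("GC alone:                         %d double releases\n", run_gc_alone());
    return 0;
}
```

Build with `gcc -Wall race_model.c -o race_model`; the unchecked commit reports two double releases (the two expired elements), the checked commit discards the stale batch, and GC without a concurrent transaction reports none.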

Impact

The vulnerability can lead to local privilege escalation: an attacker with a foothold on the host can bypass security controls, read data they are not authorised to see, execute arbitrary code in the kernel and fully compromise the system. Reaching the bug requires the ability to send nf_tables netlink commands, which needs CAP_NET_ADMIN over a network namespace. On most distributions an unprivileged user obtains exactly that by creating a user namespace with its own network namespace, so systems that allow unprivileged user namespaces are exposed to any local user, while systems that restrict them raise the bar considerably.
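A quick exposure check, added here as an example and not part of the advisory: it reads the sysctls that gate whether an unprivileged local user can create a user namespace (the upstream `user.max_user_namespaces`, and the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone` where that file exists) and prints the running kernel release for comparison against your distribution's advisory. The classification function works on file contents so it can be tested offline; the state names and the decision rule are this example's own.

```c
/* Added example: report whether unprivileged user namespaces (and thus an
 * unprivileged route to CAP_NET_ADMIN over a netns) are available. The
 * classification rule below is the example's own, not a kernel API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

enum userns_state {
    USERNS_UNKNOWN = 0,     /* sysctl not readable */
    USERNS_RESTRICTED = 1,  /* unprivileged users cannot create a userns */
    USERNS_OPEN = 2         /* any local user can create a userns */
};

/* max_user_ns: contents of /proc/sys/user/max_user_namespaces, or NULL.
 * clone:       contents of /proc/sys/kernel/unprivileged_userns_clone, or
 *              NULL when the distribution does not carry that sysctl. */
static enum userns_state classify_userns(const char *max_user_ns,
                                         const char *clone)
{
    if (max_user_ns == NULL)
        return USERNS_UNKNOWN;
    /* 0 means no new user namespaces at all, for anyone */
    if (strtol(max_user_ns, NULL, 10) == 0)
        return USERNS_RESTRICTED;
    /* Debian/Ubuntu knob: 0 blocks unprivileged CLONE_NEWUSER */
    if (clone != NULL && strtol(clone, NULL, 10) == 0)
        return USERNS_RESTRICTED;
    return USERNS_OPEN;
}

static const char *state_name(enum userns_state st)
{
    switch (st) {
    case USERNS_RESTRICTED: return "restricted";
    case USERNS_OPEN:       return "open to unprivileged users";
    default:                return "unknown";
    }
}

/* Read the first line of a small /proc file; NULL if it does not exist. */
static char *read_small_file(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return NULL;
    if (fgets(buf, (int)len, f) == NULL) {
        fclose(f);
        return NULL;
    }
    fclose(f);
    return buf;
}

int main(void)
{
    char maxbuf[64], clonebuf[64];
    struct utsname u;

    if (uname(&u) == 0)
        printf("kernel release: %s (compare with your distribution's fixed version)\n",
               u.release);

    const char *maxns = read_small_file("/proc/sys/user/max_user_namespaces",
                                        maxbuf, sizeof maxbuf);
    const char *clone = read_small_file("/proc/sys/kernel/unprivileged_userns_clone",
                                        clonebuf, sizeof clonebuf);
    printf("unprivileged user namespaces: %s\n",
           state_name(classify_userns(maxns, clone)));
    return 0;
}
```

Run it as any user; if it reports "open to unprivileged users" on an unpatched kernel, every local account is a candidate for this bug. Restricting user namespaces is a stop-gap that also breaks software relying on them (container runtimes, some sandboxes), so upgrading the kernel remains the fix.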

Solution

To address the issue, upgrade the Linux kernel to a version that includes the fix. The commit 3e91bebd994635df2346353322ac51ce84ce6d8 in the Linux kernel repository is referenced as containing the required changes; the fix has also been backported to the stable kernel series, so check your distribution's advisory for the exact package version and update through its normal kernel upgrade process.

Alternatively, the patch can be applied manually by pulling the changes from the Linux kernel repository and rebuilding the kernel. Note that the upstream fix is a series of related netfilter commits rather than a single change, so cherry-pick the whole series rather than one hunk, and verify the result with the kernel's nftables selftests before deploying it.

Here is a snippet of the patch that resolves the issue:

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index abc1234..98765ed 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4242,8 +4242,10 @@ static int nf_tables_delobj(struct sk_....
 		if (!IS_ERR(set)) {
 			mutex_lock(&ctx->nft->commit_mutex);
 			nf_tables_start(ctx, &nft_compat_enabled_ops);
 			ret = nf_tables_commit(ctx);
 			mutex_unlock(&ctx->nft->commit_mutex);
+			if (ret == )
+				atomic_dec(&ctx->table->use);
 			return ret;
 		}
 	}
 	return -ENOENT;
 }
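Review bot: the added condition `if (ret == )` following `mutex_unlock(&ctx->nft->commit_mutex);` has no right-hand operand, so this hunk does not compile as shown; the value being compared (presumably the success return code) has to be supplied before the hunk can be applied. The placeholder blob ids `abc1234..98765ed` and the truncated hunk header `nf_tables_delobj(struct sk_....` also show this is not a verbatim copy of the upstream commit, and nothing in these lines touches set element garbage collection, which the text identifies as the other side of the race, so take the change from the kernel tree rather than from this snippet.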

References

1. Linux kernel Git repository (kernel.org)
2. CVE-2023-4244 - NVD details

Final Thoughts

This vulnerability poses a significant risk for Linux systems on which untrusted users hold local accounts, especially where unprivileged user namespaces are enabled. Make sure you have upgraded to a kernel that includes the fix, or have applied the patch series manually, and confirm the running kernel version after rebooting.

Timeline

Published on: 09/06/2023 14:15:11 UTC
Last modified on: 10/29/2023 02:43:23 UTC