In early 2024, a significant vulnerability was discovered and patched in the Linux kernel's networking component—netfilter. Identified as CVE-2024-27017, this flaw could have serious implications for both desktop and server environments running affected Linux versions.
If you use Linux firewall rules, containers, or network namespaces, understanding this bug is important. Below, we break down the vulnerability in simple terms, show recent exploit details, explain the patch, and provide relevant resources.
What Is CVE-2024-27017?
CVE-2024-27017 is a bug found in the netfilter networking subsystem of the Linux kernel, specifically in how it manages "set" data structures via the nft_set_pipapo backend.
Quick Summary
- When a user queries or manages firewall rule sets using netlink (a kernel interface), the kernel could accidentally leak or use inconsistent data about those sets if someone else was changing the rules at the same time.
- This confusion stems from how the kernel walked over the internal set data structure while a "generation mask" could be changed in parallel.
Leaks of firewall rules to unauthorized users
- Unpredictable system/network behavior
Here’s a simplified, commented snippet inspired by the vulnerable logic
// Pseudo C code representing the walk logic
static int nft_set_walk_dump(struct sk_buff *skb, const struct nft_set *set) {
u32 genmask = get_current_genmask();
// This is the risky part: genmask could change after it's read,
// leading to a broken view of the ruleset during walk.
for (i = ; i < set->size; i++) {
if (set->elements[i].genmask & genmask) {
// dump this rule entry to netlink
}
}
return ;
}
If the genmask changes in the middle of this operation—say, because another process updates firewall sets—the dump might read corrupted or mismatched data.
Here's a simple outline of an attack or misbehavior exploiting this flaw
1. Attacker initiates a frequent or crafted nftables ruleset update (via nft command or netlink programming).
Race condition triggers: While the kernel is dumping old data, the genmask changes.
4. Outcome: The dumped data can be inconsistent, possibly leaking information or even causing a kernel oops/panic or misconfiguration.
Script A (dump rules)
while true; do
nft list set inet filter my_set
done
Script B (update rules)
while true; do
nft add element inet filter my_set { 1.2.3.4 }
nft delete element inet filter my_set { 1.2.3.4 }
done
Over time, these could trigger inconsistent reads because of the race in the backend.
The Patch (How It Was Fixed)
Patch Author: Florian Westphal
Key Fix
- The patch introduces *explicit notation* so the iterator (walk code) *knows* if it should read or update, and doesn't trust the genmask anymore while dumping via netlink.
- The walk iterator now uses the user-requested view, ensuring it doesn't accidentally mix data from different generations.
Patched Example
static int nft_set_walk_dump(struct sk_buff *skb, const struct nft_set *set, bool is_read) {
// Instead of relying on genmask, explicitly check context
if (is_read) {
// Use a stable snapshot or mark set as read-only for this operation
} else {
// Update path
}
// Safe iteration over set
return ;
}
This change ensures the dump always reflects a consistent, expected state, even if updates happen simultaneously.
References & More Reading
- Original Patch: Commit df299f674949 ("netfilter: nft_set_pipapo: walk over current view on netlink dump")
- CVE entry: CVE-2024-27017 at NVD
- Upstream Kernel Mailing List Discussion: LKML thread
- Netfilter Project: https://netfilter.org/
- Linux nftables Man Pages: man7.org: nft(8)
What Should I Do?
- Check Your Kernel: If you use nftables/netfilter, see if your kernel version has the patch for CVE-2024-27017.
Final Words
Flaws like CVE-2024-27017 are easy to overlook but can have serious security impacts. The race condition is subtle, but as shown, real-world scripting might trigger it, potentially causing information leaks or system instability. Make sure you’re up to date—especially if you rely on Linux's network filtering features!
Questions or want to learn more about kernel bugs? Check the official Linux security mailing lists or open a discussion below.
Timeline
Published on: 05/01/2024 06:15:20 UTC
Last modified on: 08/02/2024 00:21:05 UTC