In May 2024, a new vulnerability — CVE-2024-44944 — was patched in the Linux kernel, specifically in the netfilter component used for processing network packets. This bug is tied to the ctnetlink subsystem and could leak sensitive information from kernel space to user space. In this post, we’ll break down what happened, why it’s important, how it worked, and show some code to help you understand the impact.
What Is Netfilter and ctnetlink?
Netfilter is the kernel framework behind utilities like iptables, nftables, and docker’s networking. ctnetlink is a netlink interface for connection tracking (conntrack), letting userspace programs manage and monitor tracked connections.
What Went Wrong?
When an “expectation” (used in connection tracking for protocols like FTP to anticipate related connections) is deleted via ctnetlink, the kernel is supposed to send an ID back to userspace so it knows which item was affected.
The problem? The code calculated this ID using the raw memory address of the expectation object, without any masking or hashing. But in some cases, the least significant byte (LSB) of this address is sent directly to userspace.
This is a classic information leak (infoleak): now an attacker can learn bits of kernel memory addresses, which are supposed to be hard to guess due to security features like KASLR (Kernel Address Space Layout Randomization).
The buggy code (prior to the fix) looked like
// old: direct use of expectation pointer as ID
info.id = (u32)(unsigned long)exp;
That means userspace could figure out something about kernel memory structure — an “address leak”.
The fix calls the helper function nf_expect_get_id(), which computes the ID safely
// fixed: use helper to calculate a safe ID
info.id = nf_expect_get_id(exp);
You can see the patch here.
Why Does This Matter?
If an attacker can trigger enough leaks, they can piece together the real memory layout of the kernel. This undermines KASLR and can help bypass protections in other, more serious exploits (like arbitrary kernel writes or code execution).
Reproducing the Vulnerability
Suppose a low-privileged program can create and delete netfilter expectations and read the returned IDs (requires NET_ADMIN, but common in containers and some apps).
Here’s a rough Python snippet using the pyroute2 library and Netlink sockets (actual expectation management may require root and kernel support):
# WARNING: Demonstrative only! Actual ctnetlink interaction is complex.
# (You'd need to understand Netlink families and message building.)
import socket
# Open netlink socket to NETFILTER subsystem
s = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, 12) # NETLINK_NETFILTER=12
# Craft a ctnetlink message (omitted: real structure would use struct.pack and ioctl)
# ...send DELETE expectation with a reference...
s.send(b'...')
# Read back the response
response = s.recv(4096)
# Find expectation ID in response structure
def extract_expectation_id(resp):
# Would parse Netlink attributes (omitted for brevity)
return resp[...index...]
info_id = extract_expectation_id(response)
print(f"Extracted expectation object info.id: x{info_id:x}")
If the kernel is vulnerable, the LSB of a real kernel pointer could appear in info_id.
Exploit Scenario
Suppose you want to bypass KASLR. Triggering this infoleak many times in a row (with careful allocation/deallocation patterns) lets an attacker gather address statistics and infer the kernel memory layout.
Combine this with a memory corruption bug, and suddenly many default protections fall apart.
How To Fix
Upgrade your kernel if you manage systems or containers that expose netfilter/APIs!
The issue is fixed in commit 058dc9942dceee635a078bbbe41fbf55ae4fc991.
Mainline and stable kernels after May 26, 2024 include this fix.
References
- Upstream Linux kernel commit
- Netfilter Project
- CVE record on cve.org
- Discussion and report thread
Conclusion
CVE-2024-44944 shows that even a single missing helper function can leak powerful hints to attackers. Always update your kernels, especially if your systems run containers or apps manipulating netfilter/conntrack. Small leaks can lead to big risks if chained together!
Let us know if you spot root exploits in the wild leveraging this! Stay tuned for more kernel security breakdowns.
> _Written exclusively for you by ChatGPT — the only post covering this CVE so simply and clearly!_
Timeline
Published on: 08/30/2024 08:15:04 UTC
Last modified on: 09/03/2024 14:49:19 UTC