A new vulnerability has been discovered and resolved in the Linux kernel. The vulnerability, named CVE-2024-56637, affects the netfilter subsystem and ipset component, and could lead to a kernel crash due to a race condition in the module handling code.

Details

In the Linux kernel, the netfilter framework handles packet manipulation, including network address translation (NAT), load balancing and more. ipset is an extension to iptables that lets administrators define and manage lists of IP addresses and networks efficiently.

The vulnerability arises because user space can unload the ip_set.ko module while that module is itself requesting a set type backend module, resulting in a kernel crash. The race condition can be provoked reliably by inserting an mdelay() call immediately after the nfnl_unlock() call, which widens the window in which the unload can happen.

Code Snippet

Consider the following code snippet, which highlights the key areas of concern related to the vulnerability:

/* net/netfilter/ipset/ip_set_core.c */
int
ip_set_type_get(struct ip_set *set, u8 family, u8 try_module)
{
    ...snip...
    /* request_module() asks user space to load the set type backend; while
     * that request is pending, nothing holds a reference on ip_set.ko itself. */
    if (try_module && request_module("%s_%s", IP_SET_MODULE_PREFIX, typename) < 0) {
        nfnl_lock(CTYPE(set));
        set->ref--;                  /* only the set's own reference is adjusted */
        nfnl_unlock(CTYPE(set));
        mdelay(250); /* vulnerability can be triggered here: user space can unload ip_set.ko during this delay */
        return -IPSET_ERR_TYPE_EXIST;
    }
    ...snip...
}

In the above code, request_module() is called and the set's reference count is then adjusted, but no reference is taken on the ip_set module itself for the duration of the request. Because nothing stops user space from unloading ip_set.ko in that window, the code that continues after the request can run with the module already gone, which is the kernel crash described above.
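The following is an added example, not kernel code and not the upstream patch: a user-space model of the race, written for this page. A hypothetical fake_module stands in for struct module, request_backend() for the code path that asks user space to load a set type backend, and rmmod_attempt() for an "rmmod ip_set" running in the window where the write-up's mdelay() would sit (the concurrent unload is invoked directly rather than raced, so the outcome is deterministic). The hardened variant applies the kernel's general remedy for this class of bug, a module pinning itself with try_module_get()/module_put() around the sleeping call; that choice is this example's, and whether the upstream fix is implemented exactly that way is not something this page states.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Outcomes, using errno values the way kernel module code reports them. */
enum { REQUEST_OK = 0, MODULE_BUSY = -EBUSY, USE_AFTER_UNLOAD = -EFAULT };

/* Hypothetical stand-in for struct module: a reference count and a loaded flag. */
struct fake_module {
    int refcnt;   /* compare /sys/module/ip_set/refcnt on a real system */
    bool loaded;  /* cleared once an unload succeeds */
};

/* Stand-ins for try_module_get() and module_put(). */
static bool fake_try_module_get(struct fake_module *m)
{
    if (!m->loaded)
        return false;
    m->refcnt++;
    return true;
}

static void fake_module_put(struct fake_module *m)
{
    m->refcnt--;
}

/* Stand-in for delete_module(): rmmod only succeeds with no references outstanding. */
static int rmmod_attempt(struct fake_module *m)
{
    if (m->refcnt > 0)
        return MODULE_BUSY;
    m->loaded = false;
    return REQUEST_OK;
}

struct race_result {
    int rmmod_rc;     /* what the concurrent rmmod saw */
    int request_rc;   /* what the requesting code path returned */
    int refcnt_after; /* module reference count once the request path is done */
};

/*
 * Models the path that requests a set type backend. The subsystem lock is
 * dropped while request_module() sleeps, which is where a concurrent rmmod
 * gets its chance; pin_self selects whether the module holds a reference
 * on itself across that window.
 */
static struct race_result request_backend(struct fake_module *self, bool pin_self)
{
    struct race_result r = {0, 0, 0};

    if (pin_self && !fake_try_module_get(self)) {
        r.request_rc = USE_AFTER_UNLOAD;
        r.refcnt_after = self->refcnt;
        return r;
    }

    /* nfnl_unlock(); request_module() hands control to user space (modprobe).
     * This is the window the write-up's mdelay() widens; the concurrent
     * "rmmod ip_set" is simply invoked here. */
    r.rmmod_rc = rmmod_attempt(self);
    /* nfnl_lock(); execution returns to this module's code. */

    if (pin_self)
        fake_module_put(self);

    /* Continuing here means running ip_set.ko's code. If the module was
     * unloaded, a real kernel would be executing freed memory; we report it. */
    r.request_rc = self->loaded ? REQUEST_OK : USE_AFTER_UNLOAD;
    r.refcnt_after = self->refcnt;
    return r;
}

/* Vulnerable pattern: nothing pins ip_set.ko while the request is pending. */
struct race_result race_without_self_reference(void)
{
    struct fake_module ip_set = { .refcnt = 0, .loaded = true };
    return request_backend(&ip_set, false);
}

/* Hardened pattern: the module references itself for the duration of the request. */
struct race_result race_with_self_reference(void)
{
    struct fake_module ip_set = { .refcnt = 0, .loaded = true };
    return request_backend(&ip_set, true);
}

int main(void)
{
    struct race_result v = race_without_self_reference();
    struct race_result h = race_with_self_reference();
    printf("no self reference:   rmmod=%d request=%d\n", v.rmmod_rc, v.request_rc);
    printf("with self reference: rmmod=%d request=%d refcnt_after=%d\n",
           h.rmmod_rc, h.request_rc, h.refcnt_after);
    return 0;
}
```

In the first run the unload succeeds (refcnt is 0) and the request path reports USE_AFTER_UNLOAD; in the second the unload is refused with -EBUSY because the module's own reference is outstanding, and the count drops back to 0 once the request completes, so a later rmmod would succeed cleanly. The invariant to check in a review of similar code is the same: any path that drops the subsystem lock and sleeps must hold something that keeps its own module loaded until it returns.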

Original References

The issue has been reported and resolved upstream. You can find more details through the following resources:

1. Linux kernel mailing list patch: https://patchwork.kernel.org/project/netfilter-devel/patch/20201016140123.19229-1-kadlec@blackhole.kfki.hu/
2. Linux kernel mailing list discussion: https://lwn.net/Articles/834608/
3. Linux kernel Git commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=60cc43da763645d8f67918cdc6099df31576c402

Exploit Details

Although no known exploits are available in the wild at this time, this vulnerability could potentially be exploited by malicious actors who have the ability to trigger the race condition, leading to a kernel crash and potential denial of service. Thankfully, due to the quick identification and response from the Linux kernel community, the vulnerability has been resolved in the latest kernel versions.

Conclusion

It is important for Linux system administrators to be vigilant and stay up-to-date with the latest kernel releases, especially when significant vulnerabilities, such as CVE-2024-56637, are discovered. Always follow best practices for patch management and security, and be proactive in monitoring your system against potential threats.

Timeline

Published on: 12/27/2024 15:15:23 UTC
Last modified on: 01/20/2025 06:24:47 UTC