Local Linux kernel vulnerability exploitable via nftables

A vulnerability (CVE-2023-6817) has been identified in the Netfilter subsystem of the Linux kernel that potentially allows a local user to escalate their privileges on the system. It is caused by a use-after-free in the nf_tables module, which implements the nftables packet filter, and is present starting from Linux kernel 5.6.

According to the report, the bug lies in the nft_pipapo_walk function, which does not check for duplicates while iterating over the elements of a pipapo set, leading to a double free. Exploitation requires access to nftables with CAP_NET_ADMIN rights in any user or network namespace, which can potentially be obtained inside isolated containers.

A proof-of-concept exploit has been prepared for testing systems for the vulnerability. A fix has been proposed in the Linux 6.7-rc5 test release and backported to the stable branches 5.10.204, 5.15.143, 6.1.68, and 6.6.7.
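The two operational facts a defender takes from the report are the affected and fixed kernel versions and the user-namespace prerequisite. The following script is an added example, not part of the original announcement or of any project's code: it classifies a kernel release string against the version ranges named above (vulnerable from 5.6, fixed in 6.7-rc5 and in 5.10.204, 5.15.143, 6.1.68, 6.6.7) and reports the host's user-namespace limit, since unprivileged user namespaces are the usual way a local user reaches CAP_NET_ADMIN. The function names, the status strings and the sample release strings are this example's own choices.

```python
"""Classify a Linux kernel release against the CVE-2023-6817 fix versions."""
import platform
import re
from typing import Optional, Tuple

# Version facts from the announcement.
FIRST_VULNERABLE = (5, 6)            # bug present from 5.6 onwards
FIXED_MAINLINE = (6, 7)              # fixed in 6.7-rc5 and every later release
FIXED_MAINLINE_RC = 5
FIXED_STABLE = {                     # branch -> first patch release carrying the fix
    (5, 10): 204,
    (5, 15): 143,
    (6, 1): 68,
    (6, 6): 7,
}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release: str) -> Tuple[int, int, int, Optional[int]]:
    """Return (major, minor, patch, rc) from a kernel release string.

    rc is None for a final release; "6.7.0-rc5" gives (6, 7, 0, 5).
    Distribution suffixes such as "-arch1-1" or "-91-generic" are ignored.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def assess(release: str) -> str:
    """Classify a release as not_affected, vulnerable, fixed or no_fix_listed."""
    major, minor, patch, rc = parse_release(release)
    branch = (major, minor)
    if branch < FIRST_VULNERABLE:
        return "not_affected"
    if branch > FIXED_MAINLINE:
        return "fixed"
    if branch == FIXED_MAINLINE:
        # 6.7-rc1..rc4 predate the fix; rc5 and the final 6.7 release carry it.
        if rc is not None and rc < FIXED_MAINLINE_RC:
            return "vulnerable"
        return "fixed"
    first_fixed_patch = FIXED_STABLE.get(branch)
    if first_fixed_patch is None:
        # Affected branch with no stable fix named in the announcement
        # (for example 5.6-5.9 or 6.2-6.5); treat as unpatched upstream.
        return "no_fix_listed"
    return "fixed" if patch >= first_fixed_patch else "vulnerable"


def user_namespace_limit() -> Optional[int]:
    """Read user.max_user_namespaces; 0 means user namespaces are disabled.

    Returns None on systems without that sysctl (non-Linux or very old kernels).
    """
    try:
        with open("/proc/sys/user/max_user_namespaces") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def check_running_kernel() -> Tuple[str, str, Optional[int]]:
    """Assess the kernel this script runs on; returns (release, status, ns_limit)."""
    release = platform.release()
    return release, assess(release), user_namespace_limit()


if __name__ == "__main__":
    release, status, ns_limit = check_running_kernel()
    print(f"kernel {release}: {status}")
    if ns_limit is not None:
        print(f"user.max_user_namespaces = {ns_limit}"
              + (" (user namespaces disabled)" if ns_limit == 0 else ""))
```

The check is only meaningful for upstream-versioned kernels: distribution kernels such as a `5.15.0-91-generic` report the base version and receive the fix as a backport, so for those the distribution's own advisory, not the version number, is authoritative. A `no_fix_listed` result means the branch is in the affected range but the announcement names no stable release for it.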
