Bug 2213260 (CVE-2023-3390)

Summary: CVE-2023-3390 kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, bhu, carnil, chwhite, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, fwestpha, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint, kyoshida, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, pdelbell, psampaio, psutter, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, sgrubb, sukulkar, swood, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.4-rc7 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2213271, 2214035, 2214963, 2214964, 2216159, 2216160, 2216161, 2216162, 2216163, 2216164, 2216165, 2216166, 2216167, 2216169, 2216170, 2216171, 2216172, 2216173, 2216174, 2216175, 2216176, 2216177, 2216178, 2216179, 2216168, 2218699    
Bug Blocks: 2212729, 2218602, 2227022    

Description Alex 2023-06-07 16:37:17 UTC 
A flaw in the Linux Kernel found in the Netfilter nf_tables (net/netfilter/nf_tables_api.c). It can lead to use after free vulnerability in nftables when handling sets that are both named and anonymous in batch requests. Nftables allows creating a named set that can be also marked as anonymous by setting the NFT_SET_ANONYMOUS flag. When a rule referencing this malformed set is destroyed, the set gets destroyed as well, as the set is marked anonymous. It is possible to get nftables to destroy the rule, by mangling certain bytes within the rule's bytecode. As this is a named set, the set can be referenced in a different rule at which point it triggers a use after free. The caveat is that all of this needs to be performed in a batch transaction. This is because the reference of any set created in a batch transaction remains in the transactions list even after the set is destroyed.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97
Comment 17 Alex 2023-06-29 21:52:22 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2218699]
Comment 19 Salvatore Bonaccorso 2023-06-30 04:09:19 UTC 
I think this is a duplicate CVE assignment for CVE-2023-3390. Can you please reject this CVE?
Comment 20 Justin M. Forbes 2023-07-03 18:00:10 UTC 
This was fixed for Fedora with the 6.3.9 stable kernel updates.
Comment 21 Alex 2023-07-06 09:08:16 UTC 
*** Bug 2218605 has been marked as a duplicate of this bug. ***
Comment 22 Alex 2023-07-06 09:25:03 UTC 
In reply to comment #19:
> I think this is a duplicate CVE assignment for CVE-2023-3390. Can you please
> reject this CVE?

Done. Closed the CVE-2023-3390. Asked https://cveform.mitre.org/ to mark CVE-2023-3390 as duplicate of the CVE-2023-3117.
Comment 24 Salvatore Bonaccorso 2023-07-08 13:44:12 UTC 
Alex, I believe it should be the other way around. CVE-2023-3390 assigned by Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat, Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390 should be kept and CVE-2023-3117 rejected at CNA level.
Comment 25 Salvatore Bonaccorso 2023-07-08 13:45:20 UTC 
I see that this might have been confusing by my saying "this CVE", I should have explicitly said it is CVE-2023-3117 to be rejected.
Comment 26 Alex 2023-07-09 06:47:49 UTC 
In reply to comment #24:
> Alex, I believe it should be the other way around. CVE-2023-3390 assigned by
> Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat,
> Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390
> should be kept and CVE-2023-3117 rejected at CNA level.

I missed this. Updated this one from CVE-2023-3117 to the CVE-2023-3390. Asked https://cveform.mitre.org/ again regarding this.
Thank you.
Comment 28 Salvatore Bonaccorso 2023-07-09 07:02:24 UTC 
(In reply to Alex from comment #26)
> In reply to comment #24:
> > Alex, I believe it should be the other way around. CVE-2023-3390 assigned by
> > Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat,
> > Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390
> > should be kept and CVE-2023-3117 rejected at CNA level.
> 
> I missed this. Updated this one from CVE-2023-3117 to the CVE-2023-3390.
> Asked https://cveform.mitre.org/ again regarding this.
> Thank you.

Thank you!
Comment 30 Pedro Sampaio 2023-08-07 16:04:50 UTC 
*** Bug 2227020 has been marked as a duplicate of this bug. ***