Bug 2196105 (CVE-2023-32233) - CVE-2023-32233 kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation
Keywords:
Status: NEW
Alias: CVE-2023-32233
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2196131 2196132 2196133 2196134 2196135 2196136 2196137 2196138 2196139 2196140 2196141 2196142 2196143 2196144 2196145 2196146 2196147 2196148 2196149 2196150 2196151 2196152 2196153 2196154 2196155 2196156 2196157 2196158 2196159 2196160 2196587 2196588 2196589 2196590 2196591 2196592 2196593 2196594 2196595
Blocks: 2193200
Reported: 2023-05-08 05:00 UTC by Rohit Keshri
Modified: 2024-04-23 23:17 UTC
CC List: 72 users

Fixed In Version: kernel 6.4-rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Netfilter subsystem of the Linux kernel when processing batch requests to update nf_tables configuration. This vulnerability can be abused to perform arbitrary reads and writes in kernel memory. A local user (with CAP_NET_ADMIN capability) could use this flaw to crash the system or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 7012508 0 None None None 2023-05-11 06:17:20 UTC
Red Hat Product Errata RHBA-2023:5778 0 None None None 2023-10-17 09:25:33 UTC
Red Hat Product Errata RHSA-2023:3349 0 None None None 2023-05-30 15:01:42 UTC
Red Hat Product Errata RHSA-2023:3350 0 None None None 2023-05-30 15:02:08 UTC
Red Hat Product Errata RHSA-2023:3351 0 None None None 2023-05-30 15:01:56 UTC
Red Hat Product Errata RHSA-2023:3465 0 None None None 2023-06-06 08:46:45 UTC
Red Hat Product Errata RHSA-2023:3470 0 None None None 2023-06-06 08:45:52 UTC
Red Hat Product Errata RHSA-2023:3490 0 None None None 2023-06-06 13:37:37 UTC
Red Hat Product Errata RHSA-2023:3705 0 None None None 2023-06-21 08:45:55 UTC
Red Hat Product Errata RHSA-2023:3708 0 None None None 2023-06-21 14:38:48 UTC
Red Hat Product Errata RHSA-2023:3723 0 None None None 2023-06-21 14:39:23 UTC
Red Hat Product Errata RHSA-2023:3852 0 None None None 2023-06-27 14:04:43 UTC
Red Hat Product Errata RHSA-2023:3853 0 None None None 2023-06-27 14:04:29 UTC
Red Hat Product Errata RHSA-2023:4125 0 None None None 2023-07-18 07:44:56 UTC
Red Hat Product Errata RHSA-2023:4126 0 None None None 2023-07-18 07:45:17 UTC
Red Hat Product Errata RHSA-2023:4130 0 None None None 2023-07-18 08:19:43 UTC
Red Hat Product Errata RHSA-2023:4145 0 None None None 2023-07-18 08:18:59 UTC
Red Hat Product Errata RHSA-2023:4146 0 None None None 2023-07-18 08:21:29 UTC
Red Hat Product Errata RHSA-2023:4255 0 None None None 2023-07-25 07:53:05 UTC
Red Hat Product Errata RHSA-2023:4256 0 None None None 2023-07-25 07:52:58 UTC
Red Hat Product Errata RHSA-2023:4262 0 None None None 2023-07-25 07:52:02 UTC
Red Hat Product Errata RHSA-2023:4696 0 None None None 2023-08-22 13:54:15 UTC
Red Hat Product Errata RHSA-2023:4699 0 None None None 2023-08-22 13:51:46 UTC
Red Hat Product Errata RHSA-2023:5419 0 None None None 2023-10-03 13:15:34 UTC
Red Hat Product Errata RHSA-2023:5574 0 None None None 2023-10-10 10:24:42 UTC
Red Hat Product Errata RHSA-2023:5621 0 None None None 2023-10-10 15:50:13 UTC
Red Hat Product Errata RHSA-2023:5622 0 None None None 2023-10-10 16:14:20 UTC

Description Rohit Keshri 2023-05-08 05:00:08 UTC
Use-After-Free in Netfilter nf_tables (net/netfilter/nf_tables_api.c)
can be abused by unprivileged local users to execute arbitrary Kernel
code.

The issue has been reproduced on:
* the current kernel build `5.19.0-41-generic` (x86_64) on
  Ubuntu 22.10, and
* the current mainline v6.3 (commit
  457391b0380335d5e9a5babdec90ac53928b23b4).

Comment 7 admin-team 2023-05-09 12:52:06 UTC
Reference: https://seclists.org/oss-sec/2023/q2/133

The issue says "[it] can be abused by unprivileged local users to escalate privileges" but aren't "unprivileged user namespaces" required to achieve this?

A regular unprivileged local user cannot execute any "nft" commands. If we disable "unprivileged user namespaces" on the system, then this vulnerability cannot be exploited, right?

Comment 9 Rohit Keshri 2023-05-10 12:02:27 UTC
In reply to comment #7:
> Reference: https://seclists.org/oss-sec/2023/q2/133
> 
> The issue says "[it] can be abused by unprivileged local users to escalate
> privileges" but aren't "unprivileged user namespaces" required to achieve
> this?
> 
> A regular unprivileged local user cannot execute any "nft" commands. If we
> disable "unprivileged user namespaces" on the system, then this
> vulnerability cannot be exploited, right?

Hello Team, likely right, but it is better to disable the affected module altogether, if possible, by blacklisting it.
~~~
How do I blacklist a kernel module to prevent it from loading automatically?
https://access.redhat.com/solutions/41278 
~~~

Comment 11 Fanky W 2023-05-11 20:29:06 UTC
(In reply to Rohit Keshri from comment #9)
> In reply to comment #7:
> > Reference: https://seclists.org/oss-sec/2023/q2/133
> > 
> > The issue says "[it] can be abused by unprivileged local users to escalate
> > privileges" but aren't "unprivileged user namespaces" required to achieve
> > this?
> > 
> > A regular unprivileged local user cannot execute any "nft" commands. If we
> > disable "unprivileged user namespaces" on the system, then this
> > vulnerability cannot be exploited, right?
> 
> Hello Team, likely right, but better to disable overall the affected module
> if possible by blacklisting it.
> ~~~
> How do I blacklist a kernel module to prevent it from loading automatically?
> https://access.redhat.com/solutions/41278 
> ~~~

Can you clarify which module you are talking about? And the rationale?
It seems the ambiguity here may lead to improper functioning of the firewall.

Comment 12 Steven 2023-05-12 08:53:16 UTC
Hi all,
I also do not understand what you mean by "disabling the kernel module".
If I disable "nf_tables", I will lose the ability to use firewall rules (as far as I understand)?


In my opinion, this vulnerability only affects machines that have "max_user_namespaces" enabled (set to a value greater than zero (0)):
"The maximum number of user namespaces that any user in the current user namespace may create."
Source: https://docs.kernel.org/admin-guide/sysctl/user.html#max-user-namespaces


On el7 (CentOS, RHEL) the setting is set to 0 by default:
[root@rhel7-test ~]# cat /proc/sys/user/max_user_namespaces 
0


On el8 (CentOS, Alma, RHEL) the setting is set to 7094 by default:
[root@rhel8-test ~]# cat /proc/sys/user/max_user_namespaces 
7094


The mitigation attempt, provided by ubuntu.com, does not work under el7 machines:
[root@rhel7-test ~]# sysctl -w kernel.unprivileged_userns_clone=0
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

Source: https://ubuntu.com/security/CVE-2023-32233


It seems to me that the relation to user namespace cloning does not exist in el7:
[root@rhel7-test ~]# cat /proc/sys/kernel/userns_restrict
cat: /proc/sys/kernel/userns_restrict: No such file or directory


Could someone please clarify what we actually have to do here?
Are my assumptions right, or did I mention wrong things here?


Cheers,
Steven

Comment 13 James Moore 2023-05-12 09:47:03 UTC
Hi folks,

Given disabling user namespaces *seems* to be the sensible mitigation where the nf_tables kernel module cannot be blacklisted the following link may be of use: https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230548

I have verified the above steps do function on a RHEL 8 machine.

Note: if containers are in use or user namespaces are essential for another reason, this mitigation is contraindicated. I highly advise testing on each type of application server in use to validate this does not cause problems prior to rolling out widely.

Cheers,
James.

Comment 14 Rohit Keshri 2023-05-14 12:00:51 UTC
Hello Team,

In order to mitigate this issue it is possible to prevent the affected code from being loaded by blacklisting the kernel module nf_tables.

But it disables the firewall. If you cannot disable the firewall, use mitigation 2 instead (with namespaces).
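The two mitigations discussed in comments 12, 13 and 14 (blacklisting nf_tables, or setting user.max_user_namespaces to 0) and the el7 finding in comment 12 (the Ubuntu sysctl knob does not exist there) lend themselves to a small audit script. The following is an added example, not code from this bug report or from Red Hat: each check takes an optional path argument (an assumption made so the checks can also run against constructed sample files); with no argument it reads the real /proc and /etc locations.

```shell
#!/bin/sh
# Added example (not from the bug report or Red Hat): audit the mitigation
# state for CVE-2023-32233 on a RHEL-family host. Every function prints a
# one-word verdict so the result can be checked by a caller.

# Mitigation 2 (comments 12/13): user namespaces disabled via
# user.max_user_namespaces = 0. Prints "disabled", "enabled" or "unknown".
userns_status() {
    f="${1:-/proc/sys/user/max_user_namespaces}"
    [ -r "$f" ] || { echo unknown; return 0; }
    n=$(cat "$f")
    if [ "$n" -eq 0 ] 2>/dev/null; then echo disabled; else echo enabled; fi
}

# Comment 12: the Debian/Ubuntu knob kernel.unprivileged_userns_clone is absent
# on el7, so "sysctl -w kernel.unprivileged_userns_clone=0" cannot work there.
# Report which knob the running kernel actually exposes under the given sysfs
# base (assumed argument; defaults to /proc/sys).
userns_knob() {
    base="${1:-/proc/sys}"
    if [ -e "$base/kernel/unprivileged_userns_clone" ]; then echo debian-style
    elif [ -e "$base/user/max_user_namespaces" ]; then echo rhel-style
    else echo none; fi
}

# Mitigation 1 (comments 9/14): nf_tables blacklisted in modprobe.d so it is not
# loaded automatically. A plain "blacklist" line only stops alias-based
# autoloading; "install nf_tables /bin/false" also stops explicit loads, so
# both spellings are accepted here. Prints "blacklisted" or "no".
nft_blacklisted() {
    d="${1:-/etc/modprobe.d}"
    [ -d "$d" ] || { echo no; return 0; }
    if grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+nf_tables|install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true))[[:space:]]*$' "$d"/*.conf; then
        echo blacklisted
    else
        echo no
    fi
}

# Blacklisting only affects future loads; a module that is already resident
# stays resident until the host is rebooted. Prints "loaded" or "not loaded".
nft_loaded() {
    f="${1:-/proc/modules}"
    if grep -qs '^nf_tables ' "$f"; then echo loaded; else echo "not loaded"; fi
}

# Human-readable summary against the live system.
report() {
    echo "user namespace knob        : $(userns_knob)"
    echo "user namespaces            : $(userns_status)"
    echo "nf_tables in modprobe.d    : $(nft_blacklisted)"
    echo "nf_tables currently loaded : $(nft_loaded)"
}

report || :
```

Treat the output as a starting point, not a verdict: comment 24 on this bug reports that user.max_user_namespaces = 0 broke upower.service on Oracle Linux 9.2, and comment 13 notes the same setting is contraindicated where containers depend on user namespaces, so "disabled" here should be weighed against what the host runs. Kernel version comparison against the upstream "Fixed In Version" is deliberately left out, because Red Hat ships the fix as backports under the RHSA errata listed on this page rather than as a version bump.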

Comment 22 Fanky W 2023-05-17 08:31:16 UTC
Thanks, do we have visibility on when fixes can be backported?
Also, does it affect rootless containers?

Comment 24 boboshaq 2023-05-19 11:52:54 UTC
Hi,
When I set user.max_user_namespaces = 0 on my laptop :) with Oracle Linux Server release 9.2, upower.service crashes: (code=exited, status=217/USER). Then I don't see the charge status of my battery and I don't get prompts to connect my charger when power is low. The computer switches off at an unexpected moment.
When I set user.max_user_namespaces >= 1 the service works as expected.
Regards!

Comment 26 Tess 2023-05-23 11:16:20 UTC
(In reply to Steven from comment #12)

> Could someone please clarify what we have actually have to do here?
> Are my assumptions right or did I mentioned wrong things here?

As James Moore indicates in comment 13, you're applying the wrong mitigations.

You are applying Ubuntu/Debian mitigations to RedHat.

The RedHat STIG outlines the needed changes, which involves a different sysctl flag.

Comment 27 Youssef Ghorbal 2023-05-25 19:05:14 UTC
Hi, is there any available forecast on when fixes will be issued? The mitigation of disabling userns is not an option for us.
Are we talking days or weeks?

Thank you!

Youssef

Comment 28 Rohit Keshri 2023-05-30 14:33:26 UTC
Hello, thank you for reaching out to us; yes, I agree.

We have already accelerated this: a few of the fixes are already in progress or complete, and the rest are in the pipeline.

Regarding rootless containers:

A rootless container is just a container run in a separate user namespace, if the user in that user namespace has sufficient privileges (looks like CAP_NET_ADMIN), then I think they would be able to exploit the issue as well.

Comment 29 errata-xmlrpc 2023-05-30 15:01:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3349 https://access.redhat.com/errata/RHSA-2023:3349

Comment 30 errata-xmlrpc 2023-05-30 15:01:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3351 https://access.redhat.com/errata/RHSA-2023:3351

Comment 31 errata-xmlrpc 2023-05-30 15:02:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3350 https://access.redhat.com/errata/RHSA-2023:3350

Comment 32 Youssef Ghorbal 2023-06-01 12:24:56 UTC
Hello, thank you for the update !
Is there a plan to release an errata for 8.6 EUS ?

Youssef

Comment 33 reerror 2023-06-02 03:12:13 UTC
What is el7's resolution schedule?

Comment 34 errata-xmlrpc 2023-06-06 08:45:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3470 https://access.redhat.com/errata/RHSA-2023:3470

Comment 35 errata-xmlrpc 2023-06-06 08:46:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3465 https://access.redhat.com/errata/RHSA-2023:3465

Comment 36 Rylee Humphrey 2023-06-06 09:38:27 UTC
(SPAM link was here, deleted comment)

Comment 37 errata-xmlrpc 2023-06-06 13:37:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3490 https://access.redhat.com/errata/RHSA-2023:3490

Comment 39 errata-xmlrpc 2023-06-21 08:45:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3705 https://access.redhat.com/errata/RHSA-2023:3705

Comment 40 errata-xmlrpc 2023-06-21 14:38:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3708 https://access.redhat.com/errata/RHSA-2023:3708

Comment 41 errata-xmlrpc 2023-06-21 14:39:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3723 https://access.redhat.com/errata/RHSA-2023:3723

Comment 42 Bill Glick 2023-06-26 14:52:32 UTC
What is the status on this for RHEL 7 & RHEL 8.6 EUS?

We've opened support tickets with Red Hat about this where they point us to this Bugzilla issue which gives no indication of timing or priority for this update from Red Hat.

We've been waiting for this 'Important' security update almost 2 months. That does not seem to match the priorities that Red Hat has published about supported OS 'Important' security updates.

Comment 43 errata-xmlrpc 2023-06-27 14:04:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:3853 https://access.redhat.com/errata/RHSA-2023:3853

Comment 44 errata-xmlrpc 2023-06-27 14:04:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:3852 https://access.redhat.com/errata/RHSA-2023:3852

Comment 51 errata-xmlrpc 2023-07-18 07:44:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4125 https://access.redhat.com/errata/RHSA-2023:4125

Comment 52 errata-xmlrpc 2023-07-18 07:45:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4126 https://access.redhat.com/errata/RHSA-2023:4126

Comment 53 errata-xmlrpc 2023-07-18 08:18:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4145 https://access.redhat.com/errata/RHSA-2023:4145

Comment 54 errata-xmlrpc 2023-07-18 08:19:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4130 https://access.redhat.com/errata/RHSA-2023:4130

Comment 55 errata-xmlrpc 2023-07-18 08:21:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:4146 https://access.redhat.com/errata/RHSA-2023:4146

Comment 57 errata-xmlrpc 2023-07-25 07:51:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:4262 https://access.redhat.com/errata/RHSA-2023:4262

Comment 58 errata-xmlrpc 2023-07-25 07:52:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4255 https://access.redhat.com/errata/RHSA-2023:4255

Comment 59 errata-xmlrpc 2023-07-25 07:52:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4256 https://access.redhat.com/errata/RHSA-2023:4256

Comment 60 errata-xmlrpc 2023-08-22 13:51:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2023:4699 https://access.redhat.com/errata/RHSA-2023:4699

Comment 61 errata-xmlrpc 2023-08-22 13:54:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:4696 https://access.redhat.com/errata/RHSA-2023:4696

Comment 62 errata-xmlrpc 2023-10-03 13:15:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2023:5419 https://access.redhat.com/errata/RHSA-2023:5419

Comment 63 errata-xmlrpc 2023-10-10 10:24:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5574 https://access.redhat.com/errata/RHSA-2023:5574

Comment 64 errata-xmlrpc 2023-10-10 15:50:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5621 https://access.redhat.com/errata/RHSA-2023:5621

Comment 65 errata-xmlrpc 2023-10-10 16:14:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5622 https://access.redhat.com/errata/RHSA-2023:5622

