Bug 2213260 (CVE-2023-3390) - CVE-2023-3390 kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests
Keywords:
Status: NEW
Alias: CVE-2023-3390
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Duplicates: 2218605 2227020
Depends On: 2213271 2214035 2214963 2214964 2216159 2216160 2216161 2216162 2216163 2216164 2216165 2216166 2216167 2216168 2216169 2216170 2216171 2216172 2216173 2216174 2216175 2216176 2216177 2216178 2216179 2218699
Blocks: 2212729 2218602 2227022
Reported: 2023-06-07 16:37 UTC by Alex
Modified: 2024-10-12 08:28 UTC (History)
CC List: 55 users

Fixed In Version: kernel 6.4-rc7
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:
Links

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2023:5149 | 0 | None | None | None | 2023-09-14 05:20:40 UTC
Red Hat Product Errata | RHBA-2023:5162 | 0 | None | None | None | 2023-09-14 08:11:40 UTC
Red Hat Product Errata | RHBA-2023:5301 | 0 | None | None | None | 2023-09-19 18:56:18 UTC
Red Hat Product Errata | RHBA-2023:5328 | 0 | None | None | None | 2023-09-21 11:17:33 UTC
Red Hat Product Errata | RHBA-2023:5329 | 0 | None | None | None | 2023-09-21 12:27:48 UTC
Red Hat Product Errata | RHBA-2023:5338 | 0 | None | None | None | 2023-09-25 01:13:40 UTC
Red Hat Product Errata | RHBA-2023:5355 | 0 | None | None | None | 2023-09-26 10:24:51 UTC
Red Hat Product Errata | RHSA-2023:4789 | 0 | None | None | None | 2023-08-29 08:44:08 UTC
Red Hat Product Errata | RHSA-2023:4888 | 0 | None | None | None | 2023-08-30 22:01:04 UTC
Red Hat Product Errata | RHSA-2023:4961 | 0 | None | None | None | 2023-09-05 08:58:46 UTC
Red Hat Product Errata | RHSA-2023:4962 | 0 | None | None | None | 2023-09-05 09:06:37 UTC
Red Hat Product Errata | RHSA-2023:4967 | 0 | None | None | None | 2023-09-05 09:06:49 UTC
Red Hat Product Errata | RHSA-2023:5069 | 0 | None | None | None | 2023-09-12 10:14:02 UTC
Red Hat Product Errata | RHSA-2023:5091 | 0 | None | None | None | 2023-09-12 09:50:49 UTC
Red Hat Product Errata | RHSA-2023:5093 | 0 | None | None | None | 2023-09-12 09:52:20 UTC
Red Hat Product Errata | RHSA-2023:5221 | 0 | None | None | None | 2023-09-19 08:00:19 UTC
Red Hat Product Errata | RHSA-2023:5235 | 0 | None | None | None | 2023-09-19 12:39:44 UTC
Red Hat Product Errata | RHSA-2023:5238 | 0 | None | None | None | 2023-09-19 12:37:33 UTC
Red Hat Product Errata | RHSA-2023:5244 | 0 | None | None | None | 2023-09-19 14:35:17 UTC
Red Hat Product Errata | RHSA-2023:5255 | 0 | None | None | None | 2023-09-19 14:02:23 UTC
Red Hat Product Errata | RHSA-2024:1250 | 0 | None | None | None | 2024-03-12 00:43:28 UTC
Red Hat Product Errata | RHSA-2024:1253 | 0 | None | None | None | 2024-03-12 01:00:55 UTC
Red Hat Product Errata | RHSA-2024:1268 | 0 | None | None | None | 2024-03-12 11:43:13 UTC
Red Hat Product Errata | RHSA-2024:1269 | 0 | None | None | None | 2024-03-12 11:45:42 UTC
Red Hat Product Errata | RHSA-2024:1278 | 0 | None | None | None | 2024-03-12 15:01:10 UTC
Red Hat Product Errata | RHSA-2024:1306 | 0 | None | None | None | 2024-03-13 09:08:40 UTC

Description Alex 2023-06-07 16:37:17 UTC
A flaw was found in the Linux kernel's Netfilter nf_tables subsystem (net/netfilter/nf_tables_api.c). It can lead to a use-after-free vulnerability in nftables when handling sets that are both named and anonymous in batch requests. Nftables allows creating a named set that can also be marked as anonymous by setting the NFT_SET_ANONYMOUS flag. When a rule referencing this malformed set is destroyed, the set gets destroyed as well, as the set is marked anonymous. It is possible to get nftables to destroy the rule by mangling certain bytes within the rule's bytecode. As this is a named set, the set can be referenced in a different rule, at which point it triggers a use-after-free. The caveat is that all of this needs to be performed in a batch transaction. This is because the reference to any set created in a batch transaction remains in the transaction list even after the set is destroyed.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97
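The one thing most readers of this bug want is a quick way to tell whether a given host is past the fix. The script below is an added example, not part of the bug report or of any Red Hat tooling; it takes the two fix points stated on this page (mainline fixed in 6.4-rc7, Fedora fixed by the 6.3.9 stable update) and classifies a `uname -r` string against them, ordering release candidates correctly (6.4-rc6 is vulnerable, 6.4-rc7 and the final 6.4.0 are fixed). The `release_key`/`assess` function names and the `FIX_POINTS` table are this example's own. It deliberately answers "unknown" rather than "fixed" for enterprise kernels with an `.elN` tag and for stable series this bug gives no fix version for, because a backported fix does not change the version number.

```python
import platform
import re

# Fix points taken from this bug: "Fixed In Version: kernel 6.4-rc7" and
# comment 20 (Fedora fixed by the 6.3.9 stable update). Other stable series
# are deliberately not listed; the bug does not give a fix version for them.
FIX_POINTS = {
    (6, 4): "6.4-rc7",
    (6, 3): "6.3.9",
}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def release_key(release):
    """Turn a `uname -r` string into a sortable tuple.

    Layout: (major, minor, patch, is_final, rc). A final release (is_final=1)
    sorts after every -rcN of the same version, and -rc7 sorts after -rc6, so
    '6.4-rc7' < '6.4-rc8' < '6.4.0' and '6.3.8' < '6.3.9'.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    if rc is not None:
        return (int(major), int(minor), int(patch or 0), 0, int(rc))
    return (int(major), int(minor), int(patch or 0), 1, 0)


def assess(release):
    """Classify a kernel release string as 'fixed', 'vulnerable' or 'unknown'.

    Returns (verdict, reason). 'unknown' is returned, never 'fixed', whenever
    the version number alone cannot settle the question.
    """
    # Enterprise kernels (e.g. RHEL's 4.18.0-*.el8 / 5.14.0-*.el9) carry the
    # fix as a backport without a version bump; only the errata listed on this
    # bug or the package changelog can answer for them.
    if re.search(r"\.el\d", release):
        return ("unknown", "distribution kernel with backports: check the errata or package changelog")

    key = release_key(release)
    series = key[:2]
    if series in FIX_POINTS:
        fixed_at = FIX_POINTS[series]
        if key >= release_key(fixed_at):
            return ("fixed", f"{release} is at or after {fixed_at}")
        return ("vulnerable", f"{release} is before {fixed_at}")
    if series > (6, 4):
        return ("fixed", "series is newer than the 6.4 mainline fix")
    return ("unknown", "no fix version for this series is listed on the bug; check distribution errata")


if __name__ == "__main__":
    # platform.release() is the same string `uname -r` prints on Linux.
    verdict, reason = assess(platform.release())
    print(f"{platform.release()}: {verdict} ({reason})")
```

On RHEL hosts the version check is the wrong tool; the errata table at the top of this bug is the authoritative list, and `rpm -q --changelog kernel | grep CVE-2023-3390` shows whether the installed package carries the backport.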

Comment 17 Alex 2023-06-29 21:52:22 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2218699]

Comment 19 Salvatore Bonaccorso 2023-06-30 04:09:19 UTC
I think this is a duplicate CVE assignment for CVE-2023-3390. Can you please reject this CVE?

Comment 20 Justin M. Forbes 2023-07-03 18:00:10 UTC
This was fixed for Fedora with the 6.3.9 stable kernel updates.

Comment 21 Alex 2023-07-06 09:08:16 UTC
*** Bug 2218605 has been marked as a duplicate of this bug. ***

Comment 22 Alex 2023-07-06 09:25:03 UTC
In reply to comment #19:
> I think this is a duplicate CVE assignment for CVE-2023-3390. Can you please
> reject this CVE?

Done. Closed the CVE-2023-3390. Asked https://cveform.mitre.org/ to mark CVE-2023-3390 as duplicate of the CVE-2023-3117.

Comment 24 Salvatore Bonaccorso 2023-07-08 13:44:12 UTC
Alex, I believe it should be the other way around. CVE-2023-3390 assigned by Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat, Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390 should be kept and CVE-2023-3117 rejected at CNA level.

Comment 25 Salvatore Bonaccorso 2023-07-08 13:45:20 UTC
I see that this might have been confusing because I said "this CVE"; I should have explicitly said it is CVE-2023-3117 that is to be rejected.

Comment 26 Alex 2023-07-09 06:47:49 UTC
In reply to comment #24:
> Alex, I believe it should be the other way around. CVE-2023-3390 assigned by
> Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat,
> Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390
> should be kept and CVE-2023-3117 rejected at CNA level.

I missed this. Updated this one from CVE-2023-3117 to the CVE-2023-3390. Asked https://cveform.mitre.org/ again regarding this.
Thank you.

Comment 28 Salvatore Bonaccorso 2023-07-09 07:02:24 UTC
(In reply to Alex from comment #26)
> In reply to comment #24:
> > Alex, I believe it should be the other way around. CVE-2023-3390 assigned by
> > Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat,
> > Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390
> > should be kept and CVE-2023-3117 rejected at CNA level.
> 
> I missed this. Updated this one from CVE-2023-3117 to the CVE-2023-3390.
> Asked https://cveform.mitre.org/ again regarding this.
> Thank you.

Thank you!

Comment 30 Pedro Sampaio 2023-08-07 16:04:50 UTC
*** Bug 2227020 has been marked as a duplicate of this bug. ***

Comment 31 errata-xmlrpc 2023-08-29 08:44:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4789 https://access.redhat.com/errata/RHSA-2023:4789

Comment 32 errata-xmlrpc 2023-08-30 22:01:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4888 https://access.redhat.com/errata/RHSA-2023:4888

Comment 33 errata-xmlrpc 2023-09-05 08:58:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4961 https://access.redhat.com/errata/RHSA-2023:4961

Comment 34 errata-xmlrpc 2023-09-05 09:06:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4962 https://access.redhat.com/errata/RHSA-2023:4962

Comment 35 errata-xmlrpc 2023-09-05 09:06:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:4967 https://access.redhat.com/errata/RHSA-2023:4967

Comment 37 errata-xmlrpc 2023-09-12 09:50:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5091 https://access.redhat.com/errata/RHSA-2023:5091

Comment 38 errata-xmlrpc 2023-09-12 09:52:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5093 https://access.redhat.com/errata/RHSA-2023:5093

Comment 39 errata-xmlrpc 2023-09-12 10:13:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5069 https://access.redhat.com/errata/RHSA-2023:5069

Comment 40 errata-xmlrpc 2023-09-19 08:00:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5221 https://access.redhat.com/errata/RHSA-2023:5221

Comment 41 errata-xmlrpc 2023-09-19 12:37:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5238 https://access.redhat.com/errata/RHSA-2023:5238

Comment 42 errata-xmlrpc 2023-09-19 12:39:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5235 https://access.redhat.com/errata/RHSA-2023:5235

Comment 43 errata-xmlrpc 2023-09-19 14:02:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5255 https://access.redhat.com/errata/RHSA-2023:5255

Comment 44 errata-xmlrpc 2023-09-19 14:35:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5244 https://access.redhat.com/errata/RHSA-2023:5244

Comment 45 errata-xmlrpc 2024-03-12 00:43:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250

Comment 46 errata-xmlrpc 2024-03-12 01:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1253 https://access.redhat.com/errata/RHSA-2024:1253

Comment 47 errata-xmlrpc 2024-03-12 11:43:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1268 https://access.redhat.com/errata/RHSA-2024:1268

Comment 48 errata-xmlrpc 2024-03-12 11:45:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1269 https://access.redhat.com/errata/RHSA-2024:1269

Comment 49 errata-xmlrpc 2024-03-12 15:01:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1278 https://access.redhat.com/errata/RHSA-2024:1278

Comment 50 errata-xmlrpc 2024-03-13 09:08:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306
