Bug 2220892 (CVE-2023-35001, ZDI-CAN-20721) - CVE-2023-35001 kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval()
Keywords:
Status: NEW
Alias: CVE-2023-35001, ZDI-CAN-20721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2221046 2221047 2221717 2221718 2221719 2221720 2221721 2221722 2221723 2221724 2221725 2221726 2221727 2221729 2221730 2221731 2221732 2221733 2221734 2221735 2221736 2221737 2221744 2221745 2221746 2221747 2221748 2221749 2221750 2221751 2221752 2221753 2221754 2221755 2221756 2221759
Blocks: 2220897
Reported: 2023-07-06 13:01 UTC by TEJ RATHI
Modified: 2024-10-12 08:28 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds (OOB) memory access flaw was found in the Netfilter module in the Linux kernel's nft_byteorder_eval in net/netfilter/nft_byteorder.c. A bound check failure allows a local attacker with CAP_NET_ADMIN access to cause a local privilege escalation issue due to incorrect data alignment.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5149 0 None None None 2023-09-14 05:20:43 UTC
Red Hat Product Errata RHBA-2023:5162 0 None None None 2023-09-14 08:11:45 UTC
Red Hat Product Errata RHBA-2023:5301 0 None None None 2023-09-19 18:56:19 UTC
Red Hat Product Errata RHBA-2023:5328 0 None None None 2023-09-21 11:17:37 UTC
Red Hat Product Errata RHBA-2023:5329 0 None None None 2023-09-21 12:27:52 UTC
Red Hat Product Errata RHBA-2023:5338 0 None None None 2023-09-25 01:13:43 UTC
Red Hat Product Errata RHBA-2023:5355 0 None None None 2023-09-26 10:24:52 UTC
Red Hat Product Errata RHBA-2023:5778 0 None None None 2023-10-17 09:25:33 UTC
Red Hat Product Errata RHSA-2023:4961 0 None None None 2023-09-05 08:58:54 UTC
Red Hat Product Errata RHSA-2023:4962 0 None None None 2023-09-05 09:06:44 UTC
Red Hat Product Errata RHSA-2023:4967 0 None None None 2023-09-05 09:06:53 UTC
Red Hat Product Errata RHSA-2023:5069 0 None None None 2023-09-12 10:14:14 UTC
Red Hat Product Errata RHSA-2023:5091 0 None None None 2023-09-12 09:50:50 UTC
Red Hat Product Errata RHSA-2023:5093 0 None None None 2023-09-12 09:52:22 UTC
Red Hat Product Errata RHSA-2023:5221 0 None None None 2023-09-19 08:00:21 UTC
Red Hat Product Errata RHSA-2023:5235 0 None None None 2023-09-19 12:39:44 UTC
Red Hat Product Errata RHSA-2023:5238 0 None None None 2023-09-19 12:37:34 UTC
Red Hat Product Errata RHSA-2023:5244 0 None None None 2023-09-19 14:35:22 UTC
Red Hat Product Errata RHSA-2023:5255 0 None None None 2023-09-19 14:02:28 UTC
Red Hat Product Errata RHSA-2023:5414 0 None None None 2023-10-03 07:14:03 UTC
Red Hat Product Errata RHSA-2023:5548 0 None None None 2023-10-10 09:40:48 UTC
Red Hat Product Errata RHSA-2023:5574 0 None None None 2023-10-10 10:24:42 UTC
Red Hat Product Errata RHSA-2023:5575 0 None None None 2023-10-10 10:13:36 UTC
Red Hat Product Errata RHSA-2023:5603 0 None None None 2023-10-10 15:25:12 UTC
Red Hat Product Errata RHSA-2023:5604 0 None None None 2023-10-10 15:33:15 UTC
Red Hat Product Errata RHSA-2023:5621 0 None None None 2023-10-10 15:50:14 UTC
Red Hat Product Errata RHSA-2023:5622 0 None None None 2023-10-10 16:14:19 UTC
Red Hat Product Errata RHSA-2023:5627 0 None None None 2023-10-10 16:26:24 UTC
Red Hat Product Errata RHSA-2023:7243 0 None None None 2023-11-15 17:41:59 UTC
Red Hat Product Errata RHSA-2024:1268 0 None None None 2024-03-12 11:43:15 UTC
Red Hat Product Errata RHSA-2024:1269 0 None None None 2024-03-12 11:45:43 UTC
Red Hat Product Errata RHSA-2024:1278 0 None None None 2024-03-12 15:01:01 UTC

Description TEJ RATHI 2023-07-06 13:01:31 UTC
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

https://lore.kernel.org/netfilter-devel/20230705121515.747251-1-cascardo@canonical.com/T/
https://www.openwall.com/lists/oss-security/2023/07/05/3

Comment 9 Rohit Keshri 2023-07-10 17:01:39 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2221759]

Comment 16 errata-xmlrpc 2023-09-05 08:58:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4961 https://access.redhat.com/errata/RHSA-2023:4961

Comment 17 errata-xmlrpc 2023-09-05 09:06:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4962 https://access.redhat.com/errata/RHSA-2023:4962

Comment 18 errata-xmlrpc 2023-09-05 09:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:4967 https://access.redhat.com/errata/RHSA-2023:4967

Comment 19 errata-xmlrpc 2023-09-12 09:50:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5091 https://access.redhat.com/errata/RHSA-2023:5091

Comment 20 errata-xmlrpc 2023-09-12 09:52:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5093 https://access.redhat.com/errata/RHSA-2023:5093

Comment 21 errata-xmlrpc 2023-09-12 10:14:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5069 https://access.redhat.com/errata/RHSA-2023:5069

Comment 22 errata-xmlrpc 2023-09-19 08:00:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5221 https://access.redhat.com/errata/RHSA-2023:5221

Comment 23 errata-xmlrpc 2023-09-19 12:37:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5238 https://access.redhat.com/errata/RHSA-2023:5238

Comment 24 errata-xmlrpc 2023-09-19 12:39:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5235 https://access.redhat.com/errata/RHSA-2023:5235

Comment 25 errata-xmlrpc 2023-09-19 14:02:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5255 https://access.redhat.com/errata/RHSA-2023:5255

Comment 26 errata-xmlrpc 2023-09-19 14:35:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5244 https://access.redhat.com/errata/RHSA-2023:5244

Comment 27 errata-xmlrpc 2023-10-03 07:13:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:5414 https://access.redhat.com/errata/RHSA-2023:5414

Comment 28 errata-xmlrpc 2023-10-10 09:40:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5548 https://access.redhat.com/errata/RHSA-2023:5548

Comment 29 errata-xmlrpc 2023-10-10 10:13:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5575 https://access.redhat.com/errata/RHSA-2023:5575

Comment 30 errata-xmlrpc 2023-10-10 10:24:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5574 https://access.redhat.com/errata/RHSA-2023:5574

Comment 31 errata-xmlrpc 2023-10-10 15:25:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5603 https://access.redhat.com/errata/RHSA-2023:5603

Comment 32 errata-xmlrpc 2023-10-10 15:33:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5604 https://access.redhat.com/errata/RHSA-2023:5604

Comment 33 errata-xmlrpc 2023-10-10 15:50:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5621 https://access.redhat.com/errata/RHSA-2023:5621

Comment 34 errata-xmlrpc 2023-10-10 16:14:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5622 https://access.redhat.com/errata/RHSA-2023:5622

Comment 35 errata-xmlrpc 2023-10-10 16:26:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627

Comment 37 errata-xmlrpc 2023-11-15 17:41:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2023:7243 https://access.redhat.com/errata/RHSA-2023:7243

Comment 38 errata-xmlrpc 2024-03-12 11:43:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1268 https://access.redhat.com/errata/RHSA-2024:1268

Comment 39 errata-xmlrpc 2024-03-12 11:45:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1269 https://access.redhat.com/errata/RHSA-2024:1269

Comment 40 errata-xmlrpc 2024-03-12 15:00:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1278 https://access.redhat.com/errata/RHSA-2024:1278

