Bug 2225198 (CVE-2023-3610) - CVE-2023-3610 kernel: netfilter: nf_tables: fix chain binding transaction logic in the abort path of NFT_MSG_NEWRULE
Summary: CVE-2023-3610 kernel: netfilter: nf_tables: fix chain binding transaction logic in the abort path of NFT_MSG_NEWRULE
Keywords:
Status: NEW
Alias: CVE-2023-3610
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2213271 2214035 2216159 2216166 2225199 2225200 2225457 2225458 2225459 2225460 2225461 2225462 2225464 2225465
Blocks: 2225183
Reported: 2023-07-24 14:23 UTC by Alex
Modified: 2023-10-10 19:40 UTC (History)
CC: 50 users

Fixed In Version: Kernel 6.4~13
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the netfilter: nf_tables component of the Linux kernel, caused by missing error handling in the abort path of NFT_MSG_NEWRULE. This flaw allows a local attacker holding the CAP_NET_ADMIN capability to escalate privileges locally.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  | ID            | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata  | RHBA-2023:5162 | 0       | None     | None   | None    | 2023-09-14 08:11:48 UTC
Red Hat Product Errata  | RHSA-2023:5069 | 0       | None     | None   | None    | 2023-09-12 10:14:22 UTC
Red Hat Product Errata  | RHSA-2023:5091 | 0       | None     | None   | None    | 2023-09-12 09:50:57 UTC
Red Hat Product Errata  | RHSA-2023:5093 | 0       | None     | None   | None    | 2023-09-12 09:52:23 UTC

Description Alex 2023-07-24 14:23:07 UTC
A flaw was found in the Linux kernel. A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. A flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4bedf9eee016286c835e3d8fa981ddece5338795

Comment 7 Phil Sutter 2023-07-26 17:31:49 UTC
I just noticed (actually, CKI KWF Bot did) that I had backported the proposed
fix on behalf of CVE-2023-3390[1] already, or at least for
the RHEL9.3 clone[2]. But since this CVE-2023-3610 does not apply to RHEL8 and
there are also 9.2.0.z[3] and 9.0.0.z[4] clones for CVE-2023-3390, the same
merge request may at least be reused.

I am a bit at a loss though how to deal with the ticket(s) created for this
CVE. Close as duplicate? Mark as TestOnly and depend on the respective other
ones?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2213260
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2213271
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2216160
[4] https://bugzilla.redhat.com/show_bug.cgi?id=2216159

Comment 8 Alex 2023-07-30 12:50:21 UTC
In reply to comment #7:
> I just noticed (actually, CKI KWF Bot did) that I had backported the proposed
> fix on behalf of CVE-2023-3390[1] already, or at least for
> the RHEL9.3 clone[2]. But since this CVE-2023-3610 does not apply to RHEL8 and
> there are also 9.2.0.z[3] and 9.0.0.z[4] clones for CVE-2023-3390, the same
> merge request may at least be reused.
> 
> I am a bit at a loss though how to deal with the ticket(s) created for this
> CVE. Close as duplicate? Mark as TestOnly and depend on the respective other
> ones?
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2213260
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2213271
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=2216160
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=2216159

Yes, let's close the bugzilla trackers as duplicates.
The status on the CVE page should be correct then, I think.
TestOnly should be OK too, I think.

Comment 9 errata-xmlrpc 2023-09-12 09:50:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5091 https://access.redhat.com/errata/RHSA-2023:5091

Comment 10 errata-xmlrpc 2023-09-12 09:52:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5093 https://access.redhat.com/errata/RHSA-2023:5093

Comment 11 errata-xmlrpc 2023-09-12 10:14:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5069 https://access.redhat.com/errata/RHSA-2023:5069
