Bug 2255139 (CVE-2023-6817) - CVE-2023-6817 kernel: inactive elements in nft_pipapo_walk
Summary: CVE-2023-6817 kernel: inactive elements in nft_pipapo_walk
Keywords:
Status: NEW
Alias: CVE-2023-6817
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255140
Blocks: 2255138
TreeView+ depends on / blocked
 
Reported: 2023-12-18 20:20 UTC by Robb Gatica
Modified: 2024-05-28 14:07 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Netfilter subsystem in the Linux kernel via the nft_pipapo_walk function. This issue may allow a local user with CAP_NET_ADMIN capability to trigger an application crash, information disclosure, or local privilege escalation.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1336 0 None None None 2024-03-14 15:40:56 UTC
Red Hat Product Errata RHBA-2024:1379 0 None None None 2024-03-19 15:00:58 UTC
Red Hat Product Errata RHBA-2024:1796 0 None None None 2024-04-11 21:12:11 UTC
Red Hat Product Errata RHBA-2024:2065 0 None None None 2024-04-25 14:55:19 UTC
Red Hat Product Errata RHSA-2024:0724 0 None None None 2024-02-07 16:31:15 UTC
Red Hat Product Errata RHSA-2024:0881 0 None None None 2024-02-20 12:29:05 UTC
Red Hat Product Errata RHSA-2024:0897 0 None None None 2024-02-20 12:33:48 UTC
Red Hat Product Errata RHSA-2024:1018 0 None None None 2024-02-28 12:41:49 UTC
Red Hat Product Errata RHSA-2024:1019 0 None None None 2024-02-28 12:34:25 UTC
Red Hat Product Errata RHSA-2024:1248 0 None None None 2024-03-12 00:46:55 UTC
Red Hat Product Errata RHSA-2024:1268 0 None None None 2024-03-12 11:44:04 UTC
Red Hat Product Errata RHSA-2024:1269 0 None None None 2024-03-12 11:45:15 UTC
Red Hat Product Errata RHSA-2024:1367 0 None None None 2024-03-19 00:23:08 UTC
Red Hat Product Errata RHSA-2024:1382 0 None None None 2024-03-19 15:07:56 UTC
Red Hat Product Errata RHSA-2024:1404 0 None None None 2024-03-19 17:27:50 UTC
Red Hat Product Errata RHSA-2024:3414 0 None None None 2024-05-28 14:05:13 UTC
Red Hat Product Errata RHSA-2024:3421 0 None None None 2024-05-28 14:07:13 UTC

Description Robb Gatica 2023-12-18 20:20:23 UTC
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.

We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.

References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=317eb9685095678f2c9f5a8189de698c5354316a
https://kernel.dance/317eb9685095678f2c9f5a8189de698c5354316a

Comment 1 Robb Gatica 2023-12-18 20:21:30 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2255140]

Comment 3 Justin M. Forbes 2023-12-19 22:15:27 UTC
This is fixed for Fedora with the 6.6.7 stable kernel updates.

Comment 13 errata-xmlrpc 2024-02-07 16:31:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724

Comment 15 errata-xmlrpc 2024-02-20 12:29:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0881 https://access.redhat.com/errata/RHSA-2024:0881

Comment 16 errata-xmlrpc 2024-02-20 12:33:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0897 https://access.redhat.com/errata/RHSA-2024:0897

Comment 18 errata-xmlrpc 2024-02-28 12:34:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019

Comment 19 errata-xmlrpc 2024-02-28 12:41:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018

Comment 20 errata-xmlrpc 2024-03-12 00:46:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1248 https://access.redhat.com/errata/RHSA-2024:1248

Comment 21 errata-xmlrpc 2024-03-12 11:44:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1268 https://access.redhat.com/errata/RHSA-2024:1268

Comment 22 errata-xmlrpc 2024-03-12 11:45:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1269 https://access.redhat.com/errata/RHSA-2024:1269

Comment 23 errata-xmlrpc 2024-03-19 00:23:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1367 https://access.redhat.com/errata/RHSA-2024:1367

Comment 24 errata-xmlrpc 2024-03-19 15:07:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:1382 https://access.redhat.com/errata/RHSA-2024:1382

Comment 25 errata-xmlrpc 2024-03-19 17:27:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404

Comment 29 errata-xmlrpc 2024-05-28 14:05:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3414 https://access.redhat.com/errata/RHSA-2024:3414

Comment 30 errata-xmlrpc 2024-05-28 14:07:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3421 https://access.redhat.com/errata/RHSA-2024:3421


Note You need to log in before you can comment on or make changes to this bug.