Pierluigi Paganini
May 09, 2023
Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.
The Linux NetFilter kernel is affected by a vulnerability, tracked as CVE-2023-32233, that can allow unprivileged local users to escalate their privileges to ‘root,’ potentially leading to the complete compromise of the system.
“In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory.” reads the advisory. “Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.”
The root cause of the problem resides in how tfilter nf_tables handles batch requests, allowing a local authenticated attacker to gain elevated privileges by sending a specially crafted request that causes the corruption of the internal state of Netfilter nf_tables.
“Netfilter nf_tables allows updating its configuration with batch requests that group multiple basic operations into atomic transactions. In a specific scenario, an invalid batch request may contain an operation that implicitly deletes an existing nft anonymous set followed by another operation that attempts to act on the same nft anonymous set after it is deleted.” wrote Piotr Krysiuk on SecLists.
The vulnerability impacts multiple Linux kernel releases, including Linux 6.3.1 (current stable).
Researchers Patryk Sondej and Piotr Krysiuk developed an PoC exploit code that allows unprivileged local users to start a root shell by abusing this vulnerability.
“That exploit was shared privately with to assist with fix development. Somebody from the Linux kernel team then emailed the proposed fix to and that email also included a link to download our description of exploitation techniques and our exploit source code.” continues Krysiuk. ” Therefore, according to the linux-distros list policy, the exploit must be published within 7 days from this advisory. In order to comply with
that policy, I intend to publish both the description of exploitation techniques and also the exploit source code on Monday 15th by email to this list. The fix is available from mainline kernel git repository:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=c1592a89942e9678f7d9c8030efa777c0d57edab “
The two researchers shared their exploit privately with the Linux kernel team to allow the development of a patch to solve the issue.
The engineer Pablo Neira Ayuso addressed the flaw by deactivating anonymous set from preparation. phase preventing users to perform any update on it.
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Linux NetFilter)
