CVE-2023-3777: Use-After-Free Vulnerability in Linux Kernel's Netfilter nf_tables Component Leading to Local Privilege Escalation

A recently discovered use-after-free vulnerability (CVE-2023-3777) has been found in the Linux kernel's netfilter component, specifically in nf_tables. This vulnerability exposed a weakness in the implementation of table rules, allowing for local privilege escalation. To address this issue, users are advised to upgrade past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.

Details

The vulnerability is triggered when the nf_tables_delrule() function, which is responsible for flushing table rules within the nf_tables component, fails to check if a chain is bound. This oversight enables the owner rule of that particular chain to release certain objects. As a result, an attacker can exploit this use-after-free vulnerability and gain elevated privileges on the affected system.

Original Code

void nf_tables_delrule(...)
{
  ...
  nft_flush_chain(...)
  list_for_each_entry_safe(rule, next, &chain->rules, list)
  {
    ...
    nft_trans_destroy(...)
  }
  ...
}

The original code does not check whether the chain is bound, enabling the exploitation of the use-after-free vulnerability. To resolve the issue, the suggested patch modifies the code to include the check for bound chains:

Patched Code

void nf_tables_delrule(...)
{
  ...
  nft_flush_chain(...)
  if (!nft_chain_is_bound(chain))
    list_for_each_entry_safe(rule, next, &chain->rules, list)
  {
    ...
    nft_trans_destroy(...)
  }
  ...
}

By adding the necessary check, the patched code prevents the release of essential objects, and so, thwarts the risk of local privilege escalation.

Exploit Details

An attacker with local access to the affected system can exploit the use-after-free vulnerability in the nf_tables component by creating specially crafted chains and rules. This would allow the attacker to release certain objects and gain escalated privileges.

Remediation

Users of affected Linux kernel versions should immediately upgrade to a version past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 to avoid the risk of privilege escalation due to this discovered vulnerability.

Original References

- Vulnerability disclosure: https://seclists.org/oss-sec/YYYY/NNNN.html
- Patch commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8

Summary

CVE-2023-3777 is a use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component, which can lead to local privilege escalation. To fix the vulnerability, users should upgrade to a kernel version past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.

Timeline

Published on: 09/06/2023 14:15:10 UTC
Last modified on: 11/29/2023 15:15:08 UTC