A use-after-free vulnerability, identified as CVE-2024-0193, has been discovered in the netfilter subsystem of the Linux kernel. This critical security issue, if exploited, can potentially allow a local unprivileged attacker who holds the CAP_NET_ADMIN capability to escalate their privileges and compromise the affected system.

In this post, we take a closer look at this vulnerability, discuss its root cause, and examine the code path associated with it. We also provide links to the original references and outline, in plain language, how exploitation could occur.

Vulnerability Details

The CVE-2024-0193 vulnerability pertains to the netfilter subsystem in the Linux kernel. Netfilter is a framework for implementing various network-related functions such as filtering, Network Address Translation (NAT), and quality of service (QoS).

The vulnerability specifically involves the catchall element of the Linux kernel's pipapo set type. If the catchall element is garbage-collected while the pipapo set is being removed, the element can be deactivated twice, resulting in a use-after-free. The freed object can be an NFT_CHAIN or NFT_OBJECT object, which allows a local user with CAP_NET_ADMIN (the capability required to administer network resources) to escalate their privileges on the system.

The portion of the code responsible for the double deactivation and use-after-free is as follows:

static void nft_pipapo_gc(struct nft_set *set)
{
    // ...
    if (catchall && refcount_dec_and_test(&catchall->refcnt))
        nft_elem_destroy(set, catchall); /* second deactivation of the catchall element */
    // ...
}

In this snippet, the catchall element's refcount is decremented and tested with refcount_dec_and_test(). If the refcount reaches zero, the element is destroyed with nft_elem_destroy(). When garbage collection runs on a set that is already being removed, this path is taken for an element that has already been deactivated during the set removal, which is the double deactivation that leads to the use-after-free.
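To make the double-deactivation sequence concrete, here is a constructed user-space C model added for this post. It is not kernel code, and model_elem, model_set, model_deactivate, model_gc and run_scenario are invented names; the hardened variant assumes that the mitigation amounts to skipping garbage collection on a set that is already being removed.

```c
#include <stdbool.h>

/* Constructed model (not kernel code). All names (model_elem, model_set,
 * model_deactivate, model_gc, run_scenario) are invented for this illustration. */
struct model_elem {
    int refcnt;         /* stands in for refcount_t */
    bool destroyed;     /* "freed" once refcnt reaches zero */
    int deactivations;  /* must never exceed 1 for a single removal */
};

struct model_set {
    bool dead;                    /* set removal is in progress */
    struct model_elem *catchall;  /* left dangling after destroy, as in a real UAF */
};

/* Drop one reference to the catchall and destroy it when the count hits zero.
 * Returns -1 if the element was already destroyed: in the kernel this second
 * touch is the use-after-free described above. */
static int model_deactivate(struct model_set *set)
{
    struct model_elem *e = set->catchall;
    if (e->destroyed)
        return -1;
    e->deactivations++;
    if (--e->refcnt == 0)
        e->destroyed = true;      /* the real kfree() would happen here */
    return 0;
}

/* Garbage collection. With check_dead == false it behaves as the text
 * describes and deactivates the catchall again on a set being removed;
 * with check_dead == true it skips dead sets (the hardening assumed here). */
static int model_gc(struct model_set *set, bool check_dead)
{
    if (check_dead && set->dead)
        return 0;
    return model_deactivate(set);
}

/* Remove a set holding one catchall element, then run GC on that set.
 * Returns the deactivation count, or -1 if GC touched a freed element. */
int run_scenario(bool hardened)
{
    struct model_elem elem = { .refcnt = 1 };                   /* one holder: the set */
    struct model_set set = { .dead = true, .catchall = &elem }; /* removal begins */
    model_deactivate(&set);       /* set removal deactivates its catchall once */
    if (model_gc(&set, hardened) < 0)
        return -1;                /* GC deactivated the freed element again */
    return elem.deactivations;    /* 1 when GC skipped the dead set */
}
```

Running run_scenario(false) returns -1 (the freed element was touched a second time), while run_scenario(true) returns 1 (a single deactivation).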

For further information on this vulnerability, the discussion around it, and the patch, see the following references:

- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9fea051bbee5a434682aeefee25966532b2aa50
- https://nvd.nist.gov/vuln/detail/CVE-2024-0193
- https://lore.kernel.org/netfilter-devel/20220408134555.2043-1-dstefani@redhat.com/

Exploit Details

To exploit CVE-2024-0193, an attacker must already be a local user on the system and must hold the CAP_NET_ADMIN capability, which is required to create and manipulate netfilter rules. With that capability, the attacker can drive the netfilter subsystem so that a pipapo set is removed while its catchall element is garbage-collected, causing the element to be deactivated twice and triggering the use-after-free. A successful exploit could elevate the attacker's privileges and further compromise the system.

Conclusion

CVE-2024-0193 is a critical use-after-free vulnerability affecting the Linux kernel's netfilter subsystem. System administrators and developers should understand this issue and apply the available patches, prioritizing the work according to the organization's risk appetite.

Timeline

Published on: 01/02/2024 18:15:08 UTC
Last modified on: 02/28/2024 15:15:08 UTC