The Linux kernel development community has recently addressed a vulnerability (CVE-2024-27397) that affects the netfilter subsystem, particularly the nf_tables module. This post will provide an overview of the vulnerability, explain the solution implemented, and share relevant code snippets and references to support our understanding of the issue and its resolution.

Vulnerability Details

The vulnerability was found within the nf_tables module, which is responsible for maintaining the various sets used by the netfilter framework. An element within a set could expire while a control plane transaction was still in progress, leading to inconsistencies in the data plane and adverse effects on overall system operation. The root cause was the lack of consistent timeout checking for set elements across the different stages of a control plane transaction.

Solution: Implementing Timestamp-Based Timeout Checking

The Linux kernel developers have addressed this problem by introducing a new timestamp-based approach for checking set element timeouts. This solution ensures that set elements do not expire while the control plane transaction is still ongoing, effectively mitigating the risk of inconsistencies in the data plane operation.

The set backend's .insert and .deactivate callbacks, together with the synchronous garbage collection path, were updated to use this timestamp instead of reading the current time on each call.

The following code snippet illustrates the changes made to the nf_tables module in the Linux kernel source code:

// Added a new timestamp field
struct nft_set_elem {
  ...
  u64 ts; // timestamp taken when the control plane transaction begins
  ...
};

// Set the timestamp at the beginning of the transaction
// (elem is written to here, so it must not be const)
int nft_trans_elem_add(struct nft_ctx *ctx, struct nft_set *set,
                       struct nft_set_elem *elem, u64 timeout)
{
  ...
  elem->ts = ktime_get_real_seconds(); // record the transaction timestamp
  ...
}

// Update the backend functions to use the timestamp:
// an element is expired when it has a timeout and ts + timeout has been
// reached. The signed cast keeps the comparison correct once the clock has
// moved past the expiry, where the unsigned difference would otherwise wrap.
int nft_set_is_expired(const struct nft_set_elem *elem)
{
  return elem->timeout &&
    (s64)((elem->ts + elem->timeout) - ktime_get_real_seconds()) <= 0;
}

The .lookup and .update functions, which are used in the packet path, continue to use the current time when checking set element expiration, so that data plane performance is not compromised. Similarly, the .get path and the dump functions also use the current time, since they operate locklessly under the RCU read-side lock. Lastly, the asynchronous garbage collection (gc) process, which runs from a workqueue, also continues to use the current time to check for set element expiration.
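To make the two clocks concrete, here is an added user-space model of the rule described above; it is not kernel code, and the names (struct tx, elem_expired_ctrlpath, transaction_scenario) are hypothetical. It shows that a control plane path keyed to the transaction timestamp cannot see an element flip to expired mid-transaction, while the packet path, reading the current time, does.

```c
#include <stdint.h>
#include <stdbool.h>

typedef uint64_t u64;

/* A set element: creation time plus relative timeout, in seconds. */
struct elem {
    u64 ts;
    u64 timeout;   /* 0 means the element never expires */
};

/* Control plane transaction: its timestamp is captured once when the
 * transaction starts and reused by every .insert/.deactivate/sync-gc step. */
struct tx {
    u64 tstamp;
};

/* Expired when a timeout is set and ts + timeout has been reached at `now`.
 * The signed cast keeps the result right once `now` is past the expiry. */
bool elem_expired_at(const struct elem *e, u64 now)
{
    return e->timeout && (int64_t)((e->ts + e->timeout) - now) <= 0;
}

/* Packet path (.lookup/.update) and async gc: always the current clock. */
bool elem_expired_datapath(const struct elem *e, u64 now)
{
    return elem_expired_at(e, now);
}

/* Control path: the transaction's own clock, so the answer cannot change
 * between the start and the end of the same transaction. */
bool elem_expired_ctrlpath(const struct elem *e, const struct tx *t)
{
    return elem_expired_at(e, t->tstamp);
}

/* Constructed scenario: element created at t=100 with a 10 s timeout; a
 * transaction starts at t=105 and is still in progress when the wall clock
 * reaches t=112. Returns 0 when the control path still reports the element
 * as live while the data path reports it expired, i.e. the fixed behaviour. */
int transaction_scenario(void)
{
    struct elem e = { .ts = 100, .timeout = 10 };
    struct tx t = { .tstamp = 105 };
    bool ctrl = elem_expired_ctrlpath(&e, &t);   /* false: tx clock is 105 */
    bool data = elem_expired_datapath(&e, 112);  /* true: wall clock is 112 */
    return (!ctrl && data) ? 0 : 1;
}
```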

Conclusion and References

The implementation of the timestamp-based solution within the nf_tables module in the Linux kernel has effectively resolved the CVE-2024-27397 vulnerability. This fix ensures a more robust and secure operation of the netfilter subsystem within the Linux kernel, improving overall system performance and stability.

For more information and original discussions on this vulnerability and resolution, please consult the following links:

1. Linux kernel source code repository: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/netfilter/nf_tables_core.c
2. Linux kernel mailing list discussion: https://lkml.org/lkml/2022/2/28/908
3. CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27397
4. Nftables Wiki: https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

By staying informed about security vulnerabilities, keeping systems up-to-date with patches, and understanding the impact of these vulnerabilities on your system, you can help maintain the security and stability of your environment.

Timeline

Published on: 05/14/2024 15:12:28 UTC
Last modified on: 08/19/2024 05:15:06 UTC