CVE-2024-53141: Linux Kernel Vulnerability Resolved in netfilter: ipset - Missing Range Check in bitmap_ip_uadt

In the Linux kernel, an important vulnerability has been identified and resolved. The issue is related to the netfilter subsystem, specifically in the ipset component, which is widely used for efficient and flexible IP address management. This post will discuss the details of the vulnerability, its impact, and the fix that has been implemented.

The Vulnerability

The vulnerability, designated as CVE-2024-53141, lies in the missing range check in the bitmap_ip_uadt function of the netfilter: ipset component. This issue can be triggered when the tb[IPSET_ATTR_IP_TO] attribute is not present, but the tb[IPSET_ATTR_CIDR] attribute exists. In such cases, the values of the ip and ip_to variables are slightly swapped, leading to potential security risks.

The range check for ip is supposed to be performed after processing the aforementioned attributes, but this crucial step is missing. As a result, the vulnerability is exposed and can potentially be exploited by an attacker to cause undesirable behavior, such as denial of service or even arbitrary code execution on the affected system.

Here's a code snippet from the Linux kernel source that highlights the issue:

static int bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
			enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	...
	// Extracting IP and IP_TO attributes
	ip = nla_get_ipaddr4(tb[IPSET_ATTR_IP]);
	ip_to = tb[IPSET_ATTR_IP_TO] ? nla_get_ipaddr4(tb[IPSET_ATTR_IP_TO]) : ip;

	// CIDR handling
	if (tb[IPSET_ATTR_CIDR]) {
		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);

		if (cidr == 0)
			return -IPSET_ERR_INVALID_CIDR;
		else
			ip &= ip_set_hostmask(cidr);
	}

	// Missing range check for ip
	// ... (rest of the function) ...
}

The Fix

To resolve this vulnerability, the missing range check for the ip variable should be added after processing both the IPSET_ATTR_IP_TO and IPSET_ATTR_CIDR attributes. In addition, any unnecessary range checks that might be present should be removed. This can be done with the following patch:

--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -164,6 +164,12 @@ static int bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
 			ip &= ip_set_hostmask(cidr);
 	}
 
+	// Adding the missing range check for ip
+	if (ip_to - ip >= h->elements || ip_to <= ip)
+		return -IPSET_ERR_BITMAP_RANGE;
+
+	// Remove unnecessary range checks below
+	// ...
 }
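
Review bot: the ip_to <= ip clause in the added condition rejects the single-address case. The snippet earlier on the page sets ip_to to ip when IPSET_ATTR_IP_TO is absent, so a request with no range, or with a /32 prefix, would return -IPSET_ERR_BITMAP_RANGE; use ip_to < ip if only an inverted range is meant to fail. The condition also bounds only the span ip_to - ip against h->elements and never compares ip or ip_to with the set's own lower and upper bounds, which is what the text describes as the missing range check for ip, and h is not declared anywhere in the visible context. The "Remove unnecessary range checks below" placeholder shows no removed lines, and the hunk header's line counts (6 and 12) do not match the 4 context lines and 6 added lines shown, so the hunk would not apply as written.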

After applying this patch, the affected systems should be protected against the CVE-2024-53141 vulnerability.
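
The following user-space model is an added example, not kernel code and not part of the original post. It shows why the range check has to run after CIDR handling: masking can move an address that passed an earlier check below the start of the set, and the unsigned subtraction used for the bit offset then wraps. The struct, function and macro names and the sample addresses are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model of a bitmap set covering [first_ip, last_ip]; every name
 * here is an assumption made for this example, not a kernel symbol. */
struct bitmap_model { uint32_t first_ip, last_ip; };

/* Constructed sample set: 192.168.1.128 - 192.168.1.255 */
static const struct bitmap_model demo_set = { 0xC0A80180u, 0xC0A801FFu };
#define REJECTED (-1LL) /* stands in for -IPSET_ERR_BITMAP_RANGE */

/* Network mask for a prefix length 1..32, host byte order. */
static uint32_t prefix_mask(uint8_t cidr)
{
	return 0xFFFFFFFFu << (32 - cidr);
}

/* Bit offset for ip; the 32-bit subtraction wraps when ip < first_ip. */
static int64_t bit_index(const struct bitmap_model *m, uint32_t ip)
{
	return (int64_t)(uint32_t)(ip - m->first_ip);
}

/* Range check only before CIDR handling: masking then changes ip unchecked. */
static int64_t index_check_before_cidr(const struct bitmap_model *m, uint32_t ip, uint8_t cidr)
{
	if (cidr == 0 || cidr > 32 || ip < m->first_ip || ip > m->last_ip)
		return REJECTED;
	ip &= prefix_mask(cidr); /* can drop below first_ip */
	return bit_index(m, ip);
}

/* Range check after CIDR handling: the final ip and ip_to are validated. */
static int64_t index_check_after_cidr(const struct bitmap_model *m, uint32_t ip, uint8_t cidr)
{
	if (cidr == 0 || cidr > 32)
		return REJECTED;
	ip &= prefix_mask(cidr);
	uint32_t ip_to = ip | ~prefix_mask(cidr);
	if (ip < m->first_ip || ip_to > m->last_ip)
		return REJECTED;
	return bit_index(m, ip);
}

int main(void)
{
	/* Constructed request: 192.168.1.130/24 against demo_set */
	printf("before: %lld\n", (long long)index_check_before_cidr(&demo_set, 0xC0A80182u, 24));
	printf("after:  %lld\n", (long long)index_check_after_cidr(&demo_set, 0xC0A80182u, 24));
	return 0;
}
```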

Conclusion

In this post, we have discussed a critical vulnerability in the Linux kernel, specifically in the netfilter: ipset component. The issue has been designated as CVE-2024-53141 and has been resolved by adding the missing range checks and removing unnecessary checks. To protect your Linux systems against this vulnerability, make sure you apply the necessary patches and updates as they become available from your distribution.

Timeline

Published on: 12/06/2024 10:15:06 UTC
Last modified on: 12/14/2024 21:15:38 UTC