HIGH
netfilter PIPAPO Element UAF
CVE-2023-6817
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables component can be exploited to achieve local privilege escalation. The function nft_pipapo_walk did not skip inactive elements during a set walk, which could lead to double deactivations of PIPAPO (Pile Packet Policies) elements, resulting in a use-after-free. We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.
02 KernelScan AI Analysis
Risk summary
A local attacker with network administration privileges can trigger a use-after-free vulnerability in the kernel's netfilter subsystem by manipulating PIPAPO set elements. This can lead to kernel crashes or potentially allow privilege escalation to gain full system control.
Vulnerability analysis
Root Cause: The nft_pipapo_walk function in netfilter's PIPAPO set implementation failed to check whether elements were already inactive before processing them during set walks. This allowed inactive elements to be deactivated a second time, leading to double-free conditions and a use-after-free when the freed element's memory was accessed again.
Attack Surface: Local attack surface requiring CAP_NET_ADMIN privileges to manipulate netfilter nf_tables rules and sets. The vulnerability is triggered through netlink socket operations that manage PIPAPO set elements, making it accessible to privileged local users or processes with network administration capabilities.
Fix Mechanism: The patch adds a check using nft_set_elem_active() to verify whether an element is still active before processing it. If an element is inactive (already deactivated), the function skips it with 'goto cont', preventing the double deactivation and the resulting use-after-free condition.
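The following is an added, constructed model of the generation-mask bookkeeping that the fix relies on; it is not kernel code and not part of this advisory. It assumes the nf_tables convention that a set bit in an element's genmask means "inactive in that generation" and that deactivation toggles the next-generation bit, and it contrasts a walk with and without the nft_set_elem_active() check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (assumption: simplified nf_tables semantics, not the
 * real pipapo code). Bit g of genmask set => element inactive in generation g. */
#define NELEMS 3

struct elem {
    const char *name;
    uint8_t genmask;
    int deactivations;   /* how often the walk callback hit this element */
};

static unsigned gencursor = 0;   /* index of the current generation */
static uint8_t genmask_next(void) { return 1u << ((gencursor + 1) & 1); }

/* Mirrors nft_set_elem_active(): active iff the bit for `genmask` is clear. */
static bool elem_active(const struct elem *e, uint8_t genmask)
{
    return !(e->genmask & genmask);
}

/* Mirrors nft_set_elem_change_active(): flip the next-generation bit.
 * Applied twice, it silently flips the element back to "active". */
static void elem_deactivate(struct elem *e)
{
    e->genmask ^= genmask_next();
    e->deactivations++;
}

/* Model of the walk. With `fixed`, already-inactive elements are skipped,
 * which is what the patch's 'goto cont' does in nft_pipapo_walk(). */
static void pipapo_walk(struct elem *el, int n, uint8_t genmask, bool fixed)
{
    for (int i = 0; i < n; i++) {
        if (fixed && !elem_active(&el[i], genmask))
            continue;
        elem_deactivate(&el[i]);
    }
}

/* Walk the set twice (a repeated deactivating walk) and return how many
 * elements are wrongly reported active in the next generation afterwards.
 * Correct behaviour is 0: every element deactivated exactly once. */
int stale_active_after_two_walks(bool fixed)
{
    struct elem el[NELEMS] = { {"a", 0, 0}, {"b", 0, 0}, {"c", 0, 0} };
    pipapo_walk(el, NELEMS, genmask_next(), fixed);
    pipapo_walk(el, NELEMS, genmask_next(), fixed);
    int stale = 0;
    for (int i = 0; i < NELEMS; i++)
        if (elem_active(&el[i], genmask_next()) && el[i].deactivations > 1)
            stale++;
    return stale;
}
```

Without the check every element is flipped back to active by the second walk while its removal is still pending, which is the inconsistent state behind the use-after-free; with the check the second walk is a no-op.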
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| mainline | 6.7 | 317eb9685095 |