netfilter CatchAll UAF
CVE-2024-1085
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability. We recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.
02 KernelScan AI Analysis
Risk summary
This vulnerability allows local attackers with network administration privileges to trigger a use-after-free condition in the kernel's netfilter subsystem, potentially leading to privilege escalation, denial of service, or arbitrary code execution. The bug affects systems where unprivileged users can gain CAP_NET_ADMIN capabilities or where multiple privileged processes manipulate firewall rules concurrently.
Vulnerability analysis
Summary: A use-after-free vulnerability in netfilter's nf_tables component caused by incorrect generation checking in catch-all set element deactivation.
Root Cause: The nft_setelem_catchall_deactivate() function incorrectly checks whether a catch-all set element is active in the current generation (nft_is_active) instead of the next generation (nft_is_active_next) before freeing it. Because deactivation only flags the element inactive in the next generation, the element still reads as active in the current generation afterwards, so a repeated deactivation within the same transaction passes the check again and the element can be freed more than once.
Attack Surface: Local attack surface requiring CAP_NET_ADMIN privileges to manipulate netfilter nf_tables rules. The vulnerability is triggered through netlink socket operations that manage nf_tables set elements, specifically catch-all elements in sets.
Fix Mechanism: The patch changes the generation check from nft_is_active(net, ext) to nft_is_active_next(net, ext), so the function tests the element's state in the transaction's target generation before attempting to free it. An element that has already been flagged inactive in the next generation is then skipped, which closes the double-free condition.
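The generation-mask logic described above, as an added C model (not the kernel's code; the struct and function names are assumptions chosen for the model): a set genmask bit marks the element inactive in that generation, deactivation toggles only the next-generation bit, and the same deactivate routine is run with the vulnerable current-generation check and with the fixed next-generation check so the double free shows up in the count of queued frees.

```c
#include <stdbool.h>
#include <stdint.h>
/* Model only (not kernel code): a SET genmask bit means the element is INACTIVE
 * in that generation; net->gencursor selects which bit is the current generation. */
struct net_model  { uint8_t gencursor; };                 /* 0 or 1 */
struct elem_model { uint8_t genmask; int queued_frees; };

static uint8_t genmask_cur(const struct net_model *net)  { return (uint8_t)(1u << net->gencursor); }
static uint8_t genmask_next(const struct net_model *net) { return (uint8_t)(1u << !net->gencursor); }

/* Model counterparts of nft_is_active() and nft_is_active_next(). */
static bool is_active(const struct net_model *net, const struct elem_model *e)
{
    return !(e->genmask & genmask_cur(net));
}
static bool is_active_next(const struct net_model *net, const struct elem_model *e)
{
    return !(e->genmask & genmask_next(net));
}

/* Model counterpart of nft_set_elem_change_active(): toggles the NEXT bit only. */
static void change_active(const struct net_model *net, struct elem_model *e)
{
    e->genmask ^= genmask_next(net);
}

/* Deactivate a catch-all element. use_next_check=false is the vulnerable
 * current-generation check; true is the fixed next-generation check.
 * Returns 0 when the element is accepted and a free is queued, -1 if skipped. */
static int catchall_deactivate(const struct net_model *net, struct elem_model *e, bool use_next_check)
{
    bool active = use_next_check ? is_active_next(net, e) : is_active(net, e);
    if (!active)
        return -1;             /* already deactivated in this batch: nothing to free */
    change_active(net, e);     /* flagged inactive in the next generation only */
    e->queued_frees++;         /* element now scheduled to be freed at commit */
    return 0;
}

/* Deactivate the same element twice inside one uncommitted batch (gencursor has not
 * flipped). Returns the frees queued: 1 is correct, 2 is the double free described. */
static int frees_after_double_deactivate(bool use_next_check)
{
    struct net_model net = { .gencursor = 0 };
    struct elem_model e = { .genmask = 0, .queued_frees = 0 }; /* active in both generations */
    catchall_deactivate(&net, &e, use_next_check);
    catchall_deactivate(&net, &e, use_next_check);
    return e.queued_frees;
}
```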
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| mainline | 6.8 | b1db244ffd04 |