oss-sec mailing list archives
Re: New Linux kernel NetFilter flaw gives attackers root privileges
From: Piotr Krysiuk <piotras () gmail com>
Date: Wed, 10 May 2023 20:02:49 +0100
On Wed, May 10, 2023 at 5:55 PM Solar Designer <solar () openwall com> wrote:
> Hi,
>
> On Wed, May 10, 2023 at 11:52:58PM +0800, Turritopsis Dohrnii Teo En Ming wrote:
> > I have just come across this article. Thought of sharing it.
> >
> > Article: New Linux kernel NetFilter flaw gives attackers root privileges
> >
> > Link: https://www.bleepingcomputer.com/news/security/new-linux-kernel-netfilter-flaw-gives-attackers-root-privileges/
>
> We don't normally want in here links to news articles on something that was already brought up in here in more detail. However, as a moderator, I reluctantly approved this posting so that we can use the resulting thread to discuss whether this issue got blown out of proportion and if so what we can do to avoid that going forward.
>
> Here's the original posting this refers to:
>
> https://www.openwall.com/lists/oss-security/2023/05/08/4
>
> Another Linux kernel issue, in io_uring subsystem, was also disclosed in here on the same day, but I think didn't gain such tech media attention:
>
> https://www.openwall.com/lists/oss-security/2023/05/08/3
>
> Is the netfilter issue really worse than the io_uring issue? I doubt it. So _maybe_ it was something in the wording that tripped someone writing for one of those tech news websites, then others picked it up?
>
> Piotr's posting about the netfilter issue mentions intent to disclose an exploit later (like it should have, thank you Piotr!) Tobias' posting directly links to an exploit (which is also fine). Is intent to disclose an exploit later more newsworthy than having done so right away? I doubt it. So maybe it's just random, and there's nothing to see here, after all.
Hi Alexander, I suspect that what triggered the media is the following fragment:
> Somebody from the Linux kernel team then emailed the proposed fix to <linux-distros () openwall org> and that email also included a link to download our description of exploitation techniques and our exploit source code. Therefore, according to the linux-distros list policy, the exploit must be published within 7 days from this advisory.
Unfortunately, sharing the exploit here by Pablo Neira Ayuso does not look like a mistake. Just after his first email, I sent the following note to Pablo in private:
> Hi Pablo,
>
> By any chance, did you receive the delivery error like that when sending the patch to linux-distros () vs openwall org ?
>
> 550 5.7.1 Missing the [vs] anti-spam tag, see https://oss-security.openwall.org/wiki/mailing-lists/distros
>
> The email includes my Google Drive link to the PoC in the quote. But I didn't really plan to share the full exploit with linux-distros. Now they could ask to re-post the full copy in public within the next 2 weeks.
>
> Kind regards,
> Piotr
And then Pablo decided to resend, adding the tag. So in the advisory I wanted to explain the reason why the exploit must be posted, given that it was not my original plan.
> Now as to the actual issue and its description, I think we should clarify what exactly is meant by "unprivileged local users." Piotr, I guess you actually meant not literally unprivileged, but users with CAP_NET_ADMIN, which can be had via unprivileged user/net namespaces if enabled in the distro / on the system, or when already in a container with such capability granted to container root. Correct?
>
> I think going forward we should always make this clear right away.
>
> Here's a former netfilter core team leader also bringing this up:
>
> https://twitter.com/LaF0rge/status/1655867494152667140
>
> LaForge (@LaF0rge, @LaF0rge@chaos.social):
> "Really curious to see how CVE-2023-32233 for #linux #netfilter nf_tables https://seclists.org/oss-sec/2023/q2/133 can be exploited from "unprivileged local users". AFAICT, nf_tables_api goes through nfnetlink, and nfnetlink_rcv() checks for CAP_NET_ADMIN way before the code in nf_tables_api."
>
> and a reply:
>
> Alex Plaskett (@alexjplaskett):
> "Didn't look in depth at this one but you can trigger nf_tables_api operations from a user / network namespace and distros such as Ubuntu have unpriv user namespaces enabled."
>
> As expected. Now, from a typical distro user's standpoint, "unprivileged local users" may be just right. However, not all distros have unprivileged user namespaces enabled by default.
>
> Alexander

You are right, I should have explained the dependencies. Do you think it would be OK to include the correction on Monday? Or is it better to send today (it may catch even more media)? I will make sure to review the wording with you before posting.

Thanks for bringing it to my attention,
Piotr
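Added example, not part of the thread and not code from any of the posters: a shell check for the precondition the exchange above turns on, namely whether an unprivileged local user on a given host can obtain CAP_NET_ADMIN by creating a user plus network namespace, which is the route Alex Plaskett describes for reaching nf_tables_api through the nfnetlink_rcv() capability check. It assumes util-linux unshare(1) and a mounted /proc; the sysctl knobs it consults are kernel.unprivileged_userns_clone (carried by Debian and Ubuntu kernels) and the upstream user.max_user_namespaces limit, and SAMPLE_STATUS is a constructed /proc/PID/status fragment used to exercise the parsing offline.

```shell
#!/bin/sh
# Added example (not from the thread): does an unprivileged user on this host
# get CAP_NET_ADMIN from a fresh user+net namespace? That is what decides
# whether "unprivileged local users" can reach nf_tables_api via nfnetlink.
# Assumes util-linux `unshare` and a mounted /proc.

# CAP_NET_ADMIN is capability number 12 (linux/capability.h), i.e. bit 12 of CapEff.
CAP_NET_ADMIN_BIT=12

# Constructed /proc/PID/status fragment (full capability set), used for the
# offline self-check below; a real status file has many more fields.
SAMPLE_STATUS='Name:	cat
CapInh:	0000000000000000
CapPrm:	000001ffffffffff
CapEff:	000001ffffffffff
CapBnd:	000001ffffffffff'

# cap_in_mask HEXMASK CAPNUM: exit 0 if capability CAPNUM is set in HEXMASK
cap_in_mask() {
    mask=$1
    capnum=$2
    [ $(( (0x$mask >> capnum) & 1 )) -eq 1 ]
}

# capeff_from_status STATUS_TEXT: print the CapEff hex value from status text
capeff_from_status() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# userns_policy: print enabled / disabled / unknown from the sysctls that
# distros use to gate unprivileged user namespace creation
userns_policy() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        # Debian/Ubuntu knob: 1 allows unprivileged CLONE_NEWUSER
        if [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ]; then
            echo enabled
        else
            echo disabled
        fi
        return 0
    fi
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        # upstream limit: 0 forbids creating any user namespace
        if [ "$(cat /proc/sys/user/max_user_namespaces)" != "0" ]; then
            echo enabled
        else
            echo disabled
        fi
        return 0
    fi
    echo unknown
}

# try_net_admin: exit 0 if a new user+net namespace (unshare -U -r -n)
# actually yields CAP_NET_ADMIN in the effective set
try_net_admin() {
    status=$(unshare -Urn cat /proc/self/status 2>/dev/null) || return 1
    mask=$(capeff_from_status "$status")
    [ -n "$mask" ] && cap_in_mask "$mask" "$CAP_NET_ADMIN_BIT"
}

main() {
    # offline self-check of the parser on the constructed sample
    cap_in_mask "$(capeff_from_status "$SAMPLE_STATUS")" "$CAP_NET_ADMIN_BIT" \
        && echo "parser self-check: CAP_NET_ADMIN found in sample CapEff"
    echo "sysctl policy for unprivileged user namespaces: $(userns_policy)"
    if try_net_admin; then
        echo "RESULT: unprivileged user+net namespace grants CAP_NET_ADMIN; nf_tables_api is reachable by local users"
    else
        echo "RESULT: no CAP_NET_ADMIN via unprivileged namespaces; nfnetlink_rcv() stops plain local users here"
    fi
}

main "$@"
```

Run it as an ordinary user, not as root: root already holds CAP_NET_ADMIN, so the live check only means something for the account whose privilege level you want to classify. A container that was started with CAP_NET_ADMIN granted to its root is the other case Alexander mentions; the same status parsing applied to /proc/self/status inside the container answers that one without any unshare.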
Current thread:
- New Linux kernel NetFilter flaw gives attackers root privileges Turritopsis Dohrnii Teo En Ming (May 10)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges Solar Designer (May 10)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges Piotr Krysiuk (May 10)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges Solar Designer (May 10)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges Thadeu Lima de Souza Cascardo (May 10)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges Tobias Heider (May 10)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges David Leadbeater (May 11)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges Florian Weimer (May 11)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges Piotr Krysiuk (May 10)
- Re: New Linux kernel NetFilter flaw gives attackers root privileges Solar Designer (May 10)