oss-sec mailing list archives

Re: Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init

From: Solar Designer <solar () openwall com>
Date: Sun, 3 Jul 2022 18:05:08 +0200

Proposed fix by the maintainer:

https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6

netdev thread leading to there starts here:

https://lists.openwall.net/netdev/2022/07/02/86

----- Forwarded message from Hugues ANGUELKOV <hanguelkov () randorisec fr> -----

One of our collaborators at RandoriSec, Arthur Mongodin found a 
vulnerability within the netfilter subsystem during his internship.
Successful exploitation of this bug leads to a Local Privilege 
Escalation (LPE) to the `root` user, as tested on Ubuntu server 22.04 
(Linux 5.15.0-39-generic).
This vulnerability is a heap buffer overflow due to a weak check and has 
been introduced within the commit 
[fdb9c405e35bdc6e305b9b4e20ebc141ed14fc81](https://github.com/torvalds/linux/commit/fdb9c405e35bdc6e305b9b4e20ebc141ed14fc81),
 
it affects the Linux kernel since the version 5.8 and is still present 
today.


The fix commit above says it Fixes an older commit from 2015
(7d7402642eaf), but the bug was likely only exposed later, by the 2020
commit referenced in RandoriSec's message above.  Quoting from:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220702191029.238563-1-pablo () netfilter org/

   Insufficient validation of element datatype and length in
   nft_setelem_parse_data(). At least commit 7d7402642eaf updates
   maximum element data area up to 64 bytes when only 16 bytes
   where supported at the time. Support for larger element size
   came later in fdb9c405e35b though. Picking this older commit
   as Fixes: tag to be safe than sorry.

The vulnerable code path can be reached if the kernel is built with the 
configuration `CONFIG_NETFILTER`, `CONFIG_NF_TABLES` enabled.
To exploit the vulnerability, an attacker may need to obtain an 
unprivileged user namespace to gain the capability `CAP_NET_ADMIN` 
(`CONFIG_USER_NS` and `CONFIG_NET_NS` enabled, and 
`kernel.unprivileged_userns_clone = 1`).


Another scenario is the attacker having (or gaining by other means)
"root" access inside a pre-existing container with CAP_NET_ADMIN.  This
does not require unprivileged user namespaces as the container may have
been started by host root.

we can 
suggest the August, 15th 2022 as a potential date for public disclosure.


FWIW, an embargo this long wouldn't have been accepted by linux-distros.
The latest this issue could be disclosed publicly is July 15th.

Alexander

Current thread:

Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init Solar Designer (Jul 02)
- Re: Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init Solar Designer (Jul 02)
  - Re: Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init Demi Marie Obenour (Jul 03)
    - Re: Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init Solar Designer (Jul 03)
    - Re: Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init Solar Designer (Jul 03)
- Linux kernel: Netfilter heap buffer overflow: Is this CVE-2022-32250? Keine Eile (Jul 03)
  - Re: Linux kernel: Netfilter heap buffer overflow: Is this CVE-2022-32250? Solar Designer (Jul 03)
- Re: Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init Marcus Meissner (Jul 04)
  - Re: Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init Solar Designer (Aug 06)