New Linux kernel NetFilter flaw gives attackers root privileges

A new Linux NetFilter kernel flaw has been discovered, allowing unprivileged local users to escalate their privileges to root level, allowing complete control over a system.

The CVE-2023-32233 identifier has been reserved for the vulnerability, but a severity level is yet to be determined.

The security problem stems from Netfilter nf_tables accepting invalid updates to its configuration, allowing specific scenarios where invalid batch requests lead to the corruption of the subsystem's internal state.

Netfilter is a packet filtering and network address translation (NAT) framework built into the Linux kernel that is managed through front-end utilities, such as IPtables and UFW.

According to a new advisory published yesterday, corrupting the system's internal state leads to a use-after-free vulnerability that can be exploited to perform arbitrary reads and writes in the kernel memory.

As revealed by security researchers who posted on the Openwall mailing list, a proof-of-concept (PoC) exploit was created to demonstrate the exploitation of CVE-2023-32233. 

The researcher states that the impacts multiple Linux kernel releases, including the current stable version, v6.3.1. However, to exploit the vulnerability, it is required first to have local access to a Linux device.

A Linux kernel source code commit was submitted to address the problem by engineer Pablo Neira Ayuso, introducing two functions that manage the lifecycle of anonymous sets in the Netfilter nf_tables subsystem.

By properly managing the activation and deactivation of anonymous sets and preventing further updates, this fix prevents memory corruption and the possibility of attackers exploiting the use-after-free issue to escalate their privileges to root level.

The exploit to be made public soon

Security researchers Patryk Sondej and Piotr Krysiuk, who discovered the problem and reported it to the Linux kernel team, developed a PoC that allows unprivileged local users to start a root shell on impacted systems.

The researchers shared their exploit privately with the Linux kernel team to assist them in developing a fix and included a link to a detailed description of the employed exploitation techniques and the source code of the PoC.

As the analysts further explained, the exploit will be published next Monday, May 15th, 2023, along with complete details about the exploitation techniques.

"According to the linux-distros list policy, the exploit must be published within 7 days from this advisory. In order to comply with that policy, I intend to publish both the description of exploitation techniques and also the exploit source code on Monday 15th," reads a post to the Openwall mailing list.

Gaining root-level privileges on Linux servers is a valuable tool for threat actors, who are known to monitor Openwall for new security information to use in their attacks.

A mitigating factor for CVE-2023-32233 is that remote attackers first must establish local access to a target system to exploit it.