A critical vulnerability in the Linux kernel’s netfilter subsystem has been discovered that allows local attackers to escalate privileges through an out-of-bounds write condition.
The flaw, identified as CVE-2024-53141, affects the ipset bitmap functionality and could enable unprivileged users to gain root access on vulnerable systems.
| Field | Detail |
| --- | --- |
| CVE ID | CVE-2024-53141 |
| Affected Versions | Up to commit 041bd1e4 in Torvalds' Linux kernel repository, including kernel versions up to 6.12.2 |
| Vendor Response | Linux kernel developers released a patch addressing the vulnerability |
| Patch Commit | 35f56c554eb1b56b77b3cf197a6b00922d49033d |
Technical Overview
The vulnerability resides within the bitmap:ip set type implementation in the Linux kernel’s ipset subsystem, which is used for efficient IP address management in conjunction with iptables and nftables.
The flaw is in bitmap_ip_uadt() in net/netfilter/ipset/ip_set_bitmap_ip.c, the handler for add and delete requests against a bitmap:ip set. A request carries its start address in tb[IPSET_ATTR_IP] and, optionally, either an explicit end address in tb[IPSET_ATTR_IP_TO] or a prefix length in tb[IPSET_ATTR_CIDR]. The start address is checked against the set's range (map->first_ip to map->last_ip) as soon as it is parsed.
When tb[IPSET_ATTR_CIDR] is present but tb[IPSET_ATTR_IP_TO] is not, the function expands the request to the whole prefix with ip_set_mask_from_to(), which snaps the start address down to the network address of that prefix. That can move it below map->first_ip, and before the patch only the upper end of the expanded range was re-checked, against map->last_ip; a start address that had dropped below map->first_ip was never caught.
The bitmap index is computed by ip_to_id() as (ip - map->first_ip) / map->hosts. The subtraction is unsigned, so a start address below map->first_ip wraps to a very large value, and the set_bit()/clear_bit() the add loop then performs on map->members lands far outside the allocated bitmap: an out-of-bounds write into adjacent kernel memory.
Corrupting memory beyond the bitmap can damage other kernel data structures, which is what makes the flaw usable for privilege escalation. Security researchers have reported that it can be turned into an arbitrary write in kernel space.
The trigger is therefore a crafted ipset add request: a start address inside the set's range, combined with a CIDR prefix whose network address lies below map->first_ip while its last address still fits under map->last_ip, so that the only remaining range check passes and the index calculation underflows.
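The following is an added user-space model of the range handling described above, written for this article; it is not the kernel's code and not an exploit. It keeps the kernel's names (ip_set_mask_from_to, ip_to_id, first_ip, last_ip, hosts) but the struct is reduced to the fields the range logic touches, the error codes are stand-ins for the kernel's IPSET_ERR_* values, and instead of flipping bits it reports the largest slot index the add loop would hand to set_bit(). The scenario in main() is constructed: a set covering 10.0.0.5-10.0.1.255 (created without a netmask, so hosts = 1) and an add of 10.0.0.8 with prefix length 24.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HOST_MASK 32

/* Prefix length -> host mask, handling 0 and 32 without a 32-bit shift. */
static uint32_t ip_set_hostmask(uint8_t cidr)
{
	if (cidr == 0)
		return 0;
	if (cidr >= 32)
		return 0xFFFFFFFFu;
	return ~((1u << (32 - cidr)) - 1u);
}

/* Same shape as the kernel macro: 'from' snaps down to the network address,
 * 'to' up to the last address of the prefix. */
#define ip_set_mask_from_to(from, to, cidr)			\
	do {							\
		(from) &= ip_set_hostmask(cidr);		\
		(to) = (from) | ~ip_set_hostmask(cidr);		\
	} while (0)

/* Only the fields of struct bitmap_ip that the range logic depends on. */
struct bitmap_ip {
	uint32_t first_ip;	/* first address of the set's range */
	uint32_t last_ip;	/* last address of the set's range */
	uint32_t hosts;		/* addresses per bitmap slot; 1 unless 'netmask' was used */
	uint32_t elements;	/* number of slots in the members bitmap */
};

/* ip_to_id(): unsigned subtraction, so ip < first_ip wraps to a huge index. */
static uint32_t ip_to_id(const struct bitmap_ip *m, uint32_t ip)
{
	return (ip - m->first_ip) / m->hosts;
}

enum {
	MODEL_OK = 0,
	MODEL_ERR_BITMAP_RANGE = -1,	/* stand-in for -IPSET_ERR_BITMAP_RANGE */
	MODEL_ERR_INVALID_CIDR = -2,	/* stand-in for -IPSET_ERR_INVALID_CIDR */
};

/* Model of the add path of bitmap_ip_uadt() for a request with IPSET_ATTR_IP,
 * optionally IPSET_ATTR_CIDR (cidr == 0 means absent) and no IPSET_ATTR_IP_TO.
 * fixed == false keeps the pre-patch checks; fixed == true adds the
 * `ip < map->first_ip` check the fix introduced after the CIDR expansion.
 * On success *max_id is the largest slot index the loop would pass to set_bit(). */
static int model_bitmap_ip_add(const struct bitmap_ip *map, uint32_t ip, uint8_t cidr,
			       bool fixed, uint32_t *max_id)
{
	uint32_t ip_to;

	/* Present before and after the patch: the address as given must be in range. */
	if (ip < map->first_ip || ip > map->last_ip)
		return MODEL_ERR_BITMAP_RANGE;

	if (cidr) {
		if (cidr > HOST_MASK)
			return MODEL_ERR_INVALID_CIDR;
		ip_set_mask_from_to(ip, ip_to, cidr);	/* may move ip below first_ip */
	} else {
		ip_to = ip;
	}

	/* Pre-patch, only the upper end of the expanded range was re-checked. */
	if (ip_to > map->last_ip)
		return MODEL_ERR_BITMAP_RANGE;
	if (fixed && ip < map->first_ip)
		return MODEL_ERR_BITMAP_RANGE;

	*max_id = 0;
	for (;;) {
		uint32_t id = ip_to_id(map, ip);

		if (id > *max_id)
			*max_id = id;
		if (ip_to - ip < map->hosts)	/* last slot; avoids wrapping past 255.255.255.255 */
			break;
		ip += map->hosts;
	}
	return MODEL_OK;
}

/* Outcome of one add against a set covering first..last with hosts = 1:
 *  1  accepted and some slot index lies beyond the bitmap (out-of-bounds write),
 *  0  accepted with every slot index inside the bitmap,
 * -1  rejected with a range or cidr error. */
static int model_add_outcome(uint32_t first, uint32_t last, uint32_t ip, uint8_t cidr, bool fixed)
{
	struct bitmap_ip map = { first, last, 1, last - first + 1 };
	uint32_t max_id = 0;

	if (model_bitmap_ip_add(&map, ip, cidr, fixed, &max_id) != MODEL_OK)
		return -1;
	return max_id >= map.elements ? 1 : 0;
}

int main(void)
{
	/* Constructed scenario: 10.0.0.8 is inside 10.0.0.5-10.0.1.255, but /24 snaps
	 * it to 10.0.0.0, five addresses below first_ip, while 10.0.0.255 <= last_ip. */
	const uint32_t first = 0x0A000005u, last = 0x0A0001FFu, ip = 0x0A000008u;
	struct bitmap_ip map = { first, last, 1, last - first + 1 };
	uint32_t max_id = 0;
	int ret = model_bitmap_ip_add(&map, ip, 24, false, &max_id);

	printf("pre-patch: ret=%d max_id=%u elements=%u\n", ret, max_id, map.elements);
	ret = model_bitmap_ip_add(&map, ip, 24, true, &max_id);
	printf("patched  : ret=%d\n", ret);
	return 0;
}
```

In the pre-patch path the first iteration computes index 0xFFFFFFFB for 10.0.0.0 against a bitmap of 507 slots; the patched path rejects the same request with the range error before any index is computed. The model stops short of the kernel's element type and bit operations, so it shows which index escapes the bitmap, not where in memory the resulting write lands.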
What makes the vulnerability particularly concerning is who can reach it. Modifying an ipset requires CAP_NET_ADMIN, but only in the network namespace that owns the set: on kernels that allow unprivileged user namespaces, a local user with no privileges at all can create a user namespace and a network namespace inside it, hold CAP_NET_ADMIN there, and drive bitmap_ip_uadt() from that namespace. That makes the flaw a practical privilege escalation vector on multi-user systems and in containerized environments.
This vulnerability poses a high-severity risk to Linux-based systems, particularly those running network security appliances, firewalls, and container orchestration platforms that rely heavily on netfilter functionality.
Successful exploitation could allow attackers to bypass security controls, gain unauthorized administrative access, and potentially compromise entire system infrastructures.
System administrators should immediately update their Linux kernels to versions containing the security patch.
The fix adds the missing check after the CIDR expansion in bitmap_ip_uadt(): the start address must still be at or above map->first_ip, and a request that fails this (or whose end address exceeds map->last_ip) is rejected with a bitmap range error before any index is computed.
Organizations unable to patch immediately should limit who can reach the ipset interface in the meantime, for example by disabling unprivileged user namespaces (sysctl user.max_user_namespaces=0 upstream, or a distribution-specific knob such as kernel.unprivileged_userns_clone=0 where it exists) so that CAP_NET_ADMIN stays with genuinely privileged users, and should monitor system and audit logs for unexpected ipset activity until updates can be applied.