A critical use-after-free vulnerability has been discovered in the Linux kernel’s netfilter subsystem.
This vulnerability could allow local, unprivileged users who hold the CAP_NET_ADMIN capability to escalate their privileges.
The flaw, identified in the upstream commit 5f68718b34a5 (“netfilter: nf_tables: GC transaction API to avoid race with control plane”), can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object when the catchall element is garbage-collected during the removal of the pipapo set.
CVE-2024-0193 – Use-After-Free Vulnerability
The vulnerability does not affect any shipped kernel releases of Red Hat Enterprise Linux (RHEL) 6, 7, and 8.
However, local, unprivileged users can exploit unprivileged user namespaces (CONFIG_USER_NS) to grant themselves the CAP_NET_ADMIN capability, thereby potentially exploiting this flaw.
The OpenShift Container Platform (OCP), which is based on Red Hat Enterprise Linux CoreOS (RHCOS), is also affected.
However, due to the nature of RHCOS, where local users already have root permissions, the vulnerability does not present a significant threat from an attacker’s perspective.
Mitigation Strategies
To mitigate this vulnerability, it is essential to control the ability to create user/net namespaces.
For non-containerized deployments of Red Hat Enterprise Linux 8, user namespaces can be disabled by setting user.max_user_namespaces to 0:
# echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf
# sysctl -p /etc/sysctl.d/userns.conf
For containerized deployments, such as Red Hat OpenShift Container Platform, this mitigation should not be applied as the functionality needs to remain enabled.
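To confirm that the sysctl mitigation above is active on the running kernel and will also survive a reboot, the following check can be used. It is an added example, not taken from the Red Hat advisory or this article; the function name userns_status and its optional ROOT argument (for auditing a mounted or copied filesystem) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the user.max_user_namespaces=0 mitigation.
# userns_status [ROOT] prints exactly one of:
#   mitigated     running kernel value is 0 and a sysctl file persists 0
#   runtime-only  running value is 0 but nothing persists it (lost on reboot)
#   persist-only  a sysctl file sets 0 but the running kernel still allows userns
#   exposed       neither the running value nor the persisted value is 0
# ROOT is a hypothetical convenience: prefix for an offline filesystem tree.
# Simplification: only /etc/sysctl.d/*.conf (lexical order) and then
# /etc/sysctl.conf are read, and the last assignment found wins.
userns_status() {
    root="${1:-}"
    proc_file="$root/proc/sys/user/max_user_namespaces"
    # Match an uncommented "user.max_user_namespaces = N" line.
    re='s/^[[:space:]]*user\.max_user_namespaces[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p'

    runtime=""
    if [ -r "$proc_file" ]; then
        runtime=$(tr -d '[:space:]' < "$proc_file")
    fi

    persisted=""
    for f in "$root"/etc/sysctl.d/*.conf "$root"/etc/sysctl.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n "$re" "$f" | tail -n 1)
        if [ -n "$v" ]; then
            persisted="$v"
        fi
    done

    if [ "$runtime" = "0" ] && [ "$persisted" = "0" ]; then
        echo "mitigated"
    elif [ "$runtime" = "0" ]; then
        echo "runtime-only"
    elif [ "$persisted" = "0" ]; then
        echo "persist-only"
    else
        echo "exposed"
    fi
}

# Report the state of the live system (or of the tree given as $1).
userns_status "$@"
```

A result of persist-only means the file was written but the sysctl -p step was not run; runtime-only means the value was set by hand and will revert on reboot.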
While the newly published proof-of-concept exploit for this Linux kernel privilege escalation flaw is concerning, the impact on Red Hat Enterprise Linux and OpenShift environments remains limited due to existing permissions and namespace configurations.
Administrators are advised to implement the recommended mitigations to safeguard their systems against potential exploitation.
For a detailed analysis and further information, refer to the Red Hat blog post on container vulnerability risk assessment.