A critical security vulnerability in the Linux kernel's netfilter ipset subsystem has been disclosed that gives a local attacker an out-of-bounds write primitive usable for privilege escalation.
The vulnerability, tracked as CVE-2024-53141, affects Linux kernel versions up to commit 041bd1e4 and kernel 6.12.2, and is relevant to any system that uses sets of type bitmap:ip for packet filtering; because the fix was also backported to the stable series, check the changelog of your distribution's kernel rather than relying on the version number alone.
The vulnerability resides in the bitmap_ip_uadt function in net/netfilter/ipset/ip_set_bitmap_ip.c, specifically in the handling of ranges given in CIDR (Classless Inter-Domain Routing) notation.
When an address is expanded into a CIDR range, the function masks the address with the network mask but does not re-check the lower bound of the set afterwards.
The bug is triggered when the tb[IPSET_ATTR_CIDR] attribute is present but tb[IPSET_ATTR_IP_TO] is not.
In that case the code calls ip_set_mask_from_to(ip, ip_to, cidr), which ANDs ip with the netmask and ORs ip_to with its complement; the AND can lower ip below map->first_ip, the first address the bitmap covers.
Unlike the explicit IP range case, where the lower bound is re-checked after the two endpoints are swapped, the CIDR path performs no such check: only ip_to is compared against map->last_ip.
When the masked ip is later turned into a bitmap index, the subtraction ip - map->first_ip in ip_to_id() wraps around (an unsigned underflow), and that index is used for the subsequent bitmap operations, producing an out-of-bounds write.
An attacker triggers this by sending a crafted netlink message whose CIDR value, once applied with the bitwise AND, yields an address below the set's range while keeping ip_to within it, so the one remaining check passes.
Exploitation requires the ability to talk to the ipset subsystem over netfilter's netlink interface, which needs CAP_NET_ADMIN in the network namespace that owns the set; on kernels that allow unprivileged user namespaces, an ordinary local user can obtain that capability by creating a new user and network namespace.
With that access, an attacker can turn the bug into a controlled out-of-bounds write by choosing the extension data that the add request stores for each element of a bitmap IP set.
Sets are created, populated and torn down over the same interface (for example, IPSET_CMD_DESTROY with the set's name deletes a bitmap set), which lets an attacker allocate and free bitmap objects on demand to shape the kernel heap.
The attack therefore creates bitmap sets with chosen IP ranges and then adds addresses with a CIDR value that lowers the masked address below the set's first_ip.
The computed index is stored in a u16 (the id member of struct bitmap_ip_adt_elem), so the wrapped u32 value is truncated, and the attacker must control the distance between the masked address and map->first_ip precisely to land the write at a predictable offset.
The written data comes from the set's extensions: the skbmark, skbprio and skbqueue fields of the skbinfo extension and the bytes and packets fields of the counter extension, all of which the attacker supplies with the add request.
By placing bitmap IP objects adjacent in memory and writing past the victim set's members bitmap and extension area, an attacker can overwrite fields of a neighbouring set, including its members pointer and its IP range boundaries, and turn the limited write into a more general one.
A proof-of-concept achieves privilege escalation by overwriting the kernel's core_pattern parameter, which tells the kernel what to run when a process dumps core.
Setting it to a pipe pattern such as |/proc/%P/exe makes the kernel execute the crashing process's own binary with root privileges as the core-dump helper, so the attacker only needs to trigger a segmentation fault in a process of their choosing.
The Linux kernel maintainers have released a patch that consolidates the range validation in bitmap_ip_uadt.
All range checks move to a single location after both endpoints have been determined, so ip and ip_to are validated against map->first_ip and map->last_ip regardless of whether they came from an explicit range, a CIDR expansion or a single address.
Concretely, the final check changes from ip_to > map->last_ip to ip < map->first_ip || ip_to > map->last_ip.
This rejects a masked ip that fell below the set's range before it can be turned into an index, which closes the out-of-bounds write.
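To make the pre-patch and consolidated checks concrete, here is an added example in plain C; it is not the kernel's code and not the proof-of-concept. It replays the admission logic of bitmap_ip_uadt for an add request with the old checks and the fixed check side by side, and also shows the u32-to-u16 truncation of the index that the attack has to control. It assumes a set without a netmask (hosts == 1), models only the fields of struct bitmap_ip that matter, and uses a constructed set range and address; the names bitmap_ip_admit, ip4 and the ADMIT_* codes are the example's own.

```c
/* Model of the bitmap_ip_uadt() range check behind CVE-2024-53141.
 * Added example, not kernel code: it replays the admission logic of an
 * IPSET_CMD_ADD request in host byte order, assuming hosts == 1 and no
 * netmask on the set (simplifications of the real struct bitmap_ip). */
#include <stdint.h>
#include <stdio.h>
#define HOSTMASK 32

struct bitmap_ip {               /* only the kernel struct's fields used here */
    uint32_t first_ip, last_ip;  /* address range the set covers */
    uint32_t elements;           /* slots in members[] and the extension area */
    uint32_t hosts;              /* addresses per slot; 1 without a netmask */
};
enum { ADMIT_OK = 0, ADMIT_BITMAP_RANGE = -1, ADMIT_INVALID_CIDR = -2 };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
}

/* /cidr network mask in host order, cidr in 1..32. */
static uint32_t ip_set_hostmask(uint8_t cidr)
{
    return cidr == 0 ? 0 : cidr >= 32 ? 0xFFFFFFFFu : ~((1u << (32 - cidr)) - 1u);
}

/* Same arithmetic as the kernel macro: AND can only lower from, OR only raise to. */
#define ip_set_mask_from_to(from, to, cidr)      \
    do {                                         \
        (from) &= ip_set_hostmask(cidr);         \
        (to) = (from) | ~ip_set_hostmask(cidr);  \
    } while (0)

/* Slot index of ip; the unsigned subtraction wraps when ip < first_ip. */
static uint32_t ip_to_id(const struct bitmap_ip *m, uint32_t ip)
{
    return (ip - m->first_ip) / m->hosts;
}

/* Replay the ADD path. has_ip_to / has_cidr model tb[IPSET_ATTR_IP_TO] /
 * tb[IPSET_ATTR_CIDR] being present; fixed == 0 applies the pre-patch checks,
 * fixed != 0 the consolidated "ip < map->first_ip || ip_to > map->last_ip".
 * On ADMIT_OK, *first_id is the u16 slot of the first write and *n_oob counts
 * the add-loop iterations whose slot lies outside the set. */
static int bitmap_ip_admit(const struct bitmap_ip *map, uint32_t ip,
                           int has_ip_to, uint32_t ip_to_in,
                           int has_cidr, uint8_t cidr, int fixed,
                           uint16_t *first_id, uint32_t *n_oob)
{
    uint32_t ip_to, cur;
    /* Pre-patch: ip is validated only here, before the CIDR mask can lower it. */
    if (!fixed && (ip < map->first_ip || ip > map->last_ip))
        return ADMIT_BITMAP_RANGE;
    if (has_ip_to) {
        ip_to = ip_to_in;
        if (ip > ip_to) {
            uint32_t t = ip; ip = ip_to; ip_to = t;
            if (!fixed && ip < map->first_ip)   /* explicit-range path had this */
                return ADMIT_BITMAP_RANGE;
        }
    } else if (has_cidr) {
        if (!cidr || cidr > HOSTMASK)
            return ADMIT_INVALID_CIDR;
        ip_set_mask_from_to(ip, ip_to, cidr);   /* ip may now be below first_ip */
    } else {
        ip_to = ip;
    }
    if (fixed ? (ip < map->first_ip || ip_to > map->last_ip) : (ip_to > map->last_ip))
        return ADMIT_BITMAP_RANGE;

    /* struct bitmap_ip_adt_elem stores the id as u16, truncating the u32 index. */
    *first_id = (uint16_t)ip_to_id(map, ip);
    *n_oob = 0;
    for (cur = ip; ; cur += map->hosts) {
        if ((uint16_t)ip_to_id(map, cur) >= map->elements)
            (*n_oob)++;
        if (cur >= ip_to || cur > UINT32_MAX - map->hosts)
            break;
    }
    return ADMIT_OK;
}

int main(void)
{
    /* Constructed scenario: set over 192.168.1.16-192.168.1.255 (240 slots); "add
     * 192.168.1.20/24" masks ip down to 192.168.1.0 (< first_ip) while ip_to
     * becomes 192.168.1.255 (== last_ip), so the pre-patch check passes. */
    struct bitmap_ip map = { ip4(192,168,1,16), ip4(192,168,1,255), 240, 1 };
    for (int fixed = 0; fixed <= 1; fixed++) {
        uint16_t id = 0; uint32_t oob = 0;
        int rc = bitmap_ip_admit(&map, ip4(192,168,1,20), 0, 0, 1, 24, fixed, &id, &oob);
        if (rc != ADMIT_OK)
            printf("%s: rejected (rc=%d)\n", fixed ? "patched" : "vulnerable", rc);
        else
            printf("%s: accepted, first id 0x%04x of %u slots, %u out of bounds\n",
                   fixed ? "patched" : "vulnerable", (unsigned)id,
                   (unsigned)map.elements, (unsigned)oob);
    }
    return 0;
}
```

On the constructed set, the pre-patch logic accepts the request and the first write lands at slot 0xFFF0 of a 240-slot bitmap, with 16 iterations of the add loop out of bounds before the addresses reach first_ip; the consolidated check rejects the same request while still accepting an in-range CIDR such as 192.168.1.20/30.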
System administrators should prioritize applying this update, particularly on systems that use netfilter's ipset functionality for traffic filtering and firewall rules; where patching has to wait, disabling unprivileged user namespaces removes the easiest way for an unprivileged local user to obtain the CAP_NET_ADMIN needed to reach the vulnerable code, and the ip_set_bitmap_ip module can be left unloaded on hosts that do not use bitmap:ip sets.