CVE-2024-0193

Kernel: netfilter: use-after-free in nft_trans_gc_catchall_sync leads to privilege escalation

Severity Score

6.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.

Se encontró un fallo de use after free en el subsistema netfilter del kernel de Linux. Si el elemento general se recolecta como basura cuando se retira el conjunto de pipapo, el elemento se puede desactivar dos veces. Esto puede causar un problema de use-after-free en un objeto NFT_CHAIN o NFT_OBJECT, lo que permite a un usuario local sin privilegios escalar sus privilegios en el sistema.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-01-02 CVE Reserved
2024-01-02 CVE Published
2024-02-29 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (8)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2255653	2024-07-09

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:1018	2024-07-09
https://access.redhat.com/errata/RHSA-2024:1019	2024-07-09
https://access.redhat.com/errata/RHSA-2024:1248	2024-07-09
https://access.redhat.com/errata/RHSA-2024:2094	2024-07-09
https://access.redhat.com/errata/RHSA-2024:4412	2024-07-09
https://access.redhat.com/errata/RHSA-2024:4415	2024-07-09
https://access.redhat.com/security/cve/CVE-2024-0193	2024-07-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				-		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"		-		Affected