// For flags

CVE-2024-27397

netfilter: nf_tables: use timestamp to check for set element timeout

Severity Score

7.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: use timestamp to check for set element timeout

Add a timestamp field at the beginning of the transaction, store it
in the nftables per-netns area.

Update set backend .insert, .deactivate and sync gc path to use the
timestamp, this avoids that an element expires while control plane
transaction is still unfinished.

.lookup and .update, which are used from packet path, still use the
current time to check if the element has expired. And .get path and dump
also since this runs lockless under rcu read size lock. Then, there is
async gc which also needs to check the current time since it runs
asynchronously from a workqueue.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: nf_tables: use la marca de tiempo para verificar el tiempo de espera del elemento establecido. Agregue un campo de marca de tiempo al comienzo de la transacción y guárdelo en el área nftables per-netns. Actualice el conjunto de backend .insert, .deactivate y sincronice la ruta gc para usar la marca de tiempo, esto evita que un elemento caduque mientras la transacción del plano de control aún no ha finalizado. .lookup y .update, que se usan desde la ruta del paquete, aún usan la hora actual para verificar si el elemento ha caducado. Y obtener ruta y volcar también, ya que se ejecuta sin bloqueo bajo el bloqueo de tamaño de lectura de rcu. Luego, está el gc async que también necesita verificar la hora actual, ya que se ejecuta de forma asincrónica desde una cola de trabajo.

A use-after-free flaw was found in the Linux kernel’s netfilter subsystem in how a user triggers the element timeout. This flaw allows a local user to crash or potentially escalate their privileges on the system.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-25 CVE Reserved
  • 2024-05-09 CVE Published
  • 2024-08-19 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.1 < 4.19.320
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 4.19.320"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.1 < 5.4.282
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.4.282"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.1 < 5.10.224
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.10.224"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.1 < 5.15.165
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.15.165"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.1 < 6.1.97
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.1.97"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.1 < 6.7.5
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.7.5"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.1 < 6.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.8"
en
Affected