CVE-2024-27397

netfilter: nf_tables: use timestamp to check for set element timeout

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: use timestamp to check for set element timeout

Add a timestamp field at the beginning of the transaction, store it
in the nftables per-netns area.

Update set backend .insert, .deactivate and sync gc path to use the
timestamp, this avoids that an element expires while control plane
transaction is still unfinished.

.lookup and .update, which are used from packet path, still use the
current time to check if the element has expired. And .get path and dump
also since this runs lockless under rcu read size lock. Then, there is
async gc which also needs to check the current time since it runs
asynchronously from a workqueue.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: nf_tables: use la marca de tiempo para verificar el tiempo de espera del elemento establecido. Agregue un campo de marca de tiempo al comienzo de la transacción y guárdelo en el área nftables per-netns. Actualice el conjunto de backend .insert, .deactivate y sincronice la ruta gc para usar la marca de tiempo, esto evita que un elemento caduque mientras la transacción del plano de control aún no ha finalizado. .lookup y .update, que se usan desde la ruta del paquete, aún usan la hora actual para verificar si el elemento ha caducado. Y obtener ruta y volcar también, ya que se ejecuta sin bloqueo bajo el bloqueo de tamaño de lectura de rcu. Luego, está el gc async que también necesita verificar la hora actual, ya que se ejecuta de forma asincrónica desde una cola de trabajo.

A use-after-free flaw was found in the Linux kernel’s netfilter subsystem in how a user triggers the element timeout. This flaw allows a local user to crash or potentially escalate their privileges on the system.

*Credits: N/A

CVSS Scores

Red Hatv3.1 7.0

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-05-09 CVE Published
2024-08-19 CVE Updated
2024-08-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/c3e1b005ed1cc068fc9d454a6e745830d55d251d	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061	2024-08-19
https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe	2024-08-19
https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379	2024-08-19
https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d	2024-08-19
https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01	2024-07-05
https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3	2024-02-16
https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15	2024-02-08

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-27397	2024-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=2280434	2024-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.1 < 4.19.320 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 4.19.320"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.1 < 5.4.282 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.4.282"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.1 < 5.10.224 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.10.224"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.1 < 5.15.165 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.15.165"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.1 < 6.1.97 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.1.97"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.1 < 6.7.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.7.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.1 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.8"		en		Affected