A critical vulnerability in the Linux kernel's netfilter ipset subsystem has been found that allows local attackers to escalate privileges to root.
The flaw, identified in the bitmap:ip implementation within the ipset framework, stems from inadequate range validation when processing CIDR notation in IP address ranges.
This missing bounds check allows attackers to trigger out-of-bounds memory writes in kernel space, ultimately providing a path to full system compromise.
Key Takeaways
1. Critical vulnerability in the Linux kernel's netfilter ipset subsystem allows attackers to trigger out-of-bounds memory writes.
2. Attackers with local access can exploit this flaw to gain root privileges.
3. Update immediately to patched kernel versions.
The vulnerability affects kernel versions up to 6.12.2 and has been addressed through a recently released patch that implements proper range validation across all code paths.
Linux Kernel Netfilter Vulnerability
SSD Secure Disclosure reports that the security flaw resides in the bitmap_ip_uadt function in the net/netfilter/ipset/ip_set_bitmap_ip.c file, where insufficient validation occurs when processing CIDR-based IP ranges.
The ipset subsystem, designed for high-performance packet filtering in conjunction with iptables and nftables, uses bitmap data structures to efficiently manage sets of IPv4 addresses.
When users specify IP ranges using CIDR notation through the netfilter netlink interface, the vulnerable code path fails to verify that the calculated IP range falls within the allocated bitmap boundaries.
The root cause emerges when the tb[IPSET_ATTR_CIDR] attribute is present but tb[IPSET_ATTR_IP_TO] is absent.
In this scenario, the ip_set_mask_from_to function calculates new ip and ip_to values based on the CIDR mask, but unlike the explicit range case, no validation ensures that the resulting ip value does not underflow below map->first_ip.
This creates a situation where crafted CIDR values can cause integer underflow, leading to out-of-bounds array access when the calculated index is truncated from u32 to u16 during bitmap operations.
Exploitation of this vulnerability requires local access but no special privileges, making it particularly dangerous in multi-user environments or containerized systems.
Attackers can leverage the netfilter netlink socket interface to send maliciously crafted ipset commands that trigger the vulnerable code path.
By carefully constructing bitmap:ip set creation and addition operations with specific CIDR values, attackers can achieve controlled out-of-bounds writes beyond the allocated bitmap memory region.
The exploitation technique involves creating multiple bitmap:ip objects to establish a predictable memory layout, then using the out-of-bounds write primitive to overwrite critical kernel data structures.
Specifically, attackers can modify the members pointer of adjacent bitmap_ip objects, transforming the limited write primitive into an arbitrary memory write capability.
The proof-of-concept demonstrates overwriting the core_pattern kernel parameter, which controls how core dumps are processed, allowing attackers to execute arbitrary commands with root privileges when triggering a segmentation fault.
The vulnerability's impact extends beyond simple privilege escalation, as successful exploitation grants attackers full control over the affected system.
This includes the ability to install rootkits, modify system configurations, access sensitive data, and potentially pivot to other systems on the network.
Organizations running affected kernel versions should prioritize applying the available patch, which addresses the issue by implementing comprehensive range validation that checks both the ip < map->first_ip and ip_to > map->last_ip conditions regardless of how the IP range is specified.
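The following added example is not from the advisory or the kernel source; it is a simplified C model (with assumed struct and function names) of the CIDR range handling described in the root-cause section and of the patched check described above. It shows how a prefix wider than the set's range masks ip below first_ip, how the 32-bit slot index wraps and is then narrowed to 16 bits, and how the corrected lower-bound check rejects the same request.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a bitmap:ip set; field names are assumed, not the kernel's. */
struct bitmap_ip_model {
    uint32_t first_ip;   /* lowest address the bitmap covers */
    uint32_t last_ip;    /* highest address the bitmap covers */
    uint32_t hosts;      /* addresses per slot (1 when no netmask is used) */
    uint32_t elements;   /* slots actually allocated */
};

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
/* Host mask for a prefix length 1..32, e.g. /24 -> 0xffffff00 */
static uint32_t hostmask(uint8_t cidr) { return ~0u << (32 - cidr); }

/* The CIDR branch widens the single address it was given to [network, broadcast] of that prefix. */
static uint32_t masked_start(uint32_t ip, uint8_t cidr) { return ip & hostmask(cidr); }
static uint32_t masked_end(uint32_t ip, uint8_t cidr) { return masked_start(ip, cidr) | ~hostmask(cidr); }

/* Slot index: computed in 32 bits, then narrowed to the 16-bit element id.
 * If ip < first_ip the subtraction wraps, and the narrowing hides how far. */
static uint16_t slot_id(const struct bitmap_ip_model *m, uint32_t ip) {
    uint32_t id = (ip - m->first_ip) / m->hosts;
    return (uint16_t)id;
}

/* Range validation for an "add <ip>/<cidr>" request. fixed == 0 models the
 * vulnerable path (only the upper end is checked); fixed != 0 models the
 * patched behaviour, which checks both ends. Returns 0 if accepted, -1 if rejected. */
static int validate_cidr_add(const struct bitmap_ip_model *m, uint32_t ip, uint8_t cidr, int fixed) {
    if (cidr == 0 || cidr > 32) return -1;             /* invalid prefix length */
    uint32_t start = masked_start(ip, cidr), end = masked_end(ip, cidr);
    if (fixed && start < m->first_ip) return -1;       /* the lower-bound check the patch adds */
    if (end > m->last_ip) return -1;                   /* upper-bound check present in both */
    return 0;
}

/* Constructed scenario: a set covering 10.0.0.128-10.0.0.255 (128 slots) receives
 * "add 10.0.0.130/24". The /24 masks ip down to 10.0.0.0, below first_ip. */
static const struct bitmap_ip_model demo_map = { IPV4(10, 0, 0, 128), IPV4(10, 0, 0, 255), 1, 128 };

int main(void) {
    uint32_t ip = IPV4(10, 0, 0, 130);
    printf("vulnerable path accepts: %s\n", validate_cidr_add(&demo_map, ip, 24, 0) == 0 ? "yes" : "no");
    printf("patched path accepts:    %s\n", validate_cidr_add(&demo_map, ip, 24, 1) == 0 ? "yes" : "no");
    printf("slot id used: %u of %u allocated\n", (unsigned)slot_id(&demo_map, masked_start(ip, 24)), (unsigned)demo_map.elements);
    return 0;
}
```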