The Linux Kernel has been hit by a significant security vulnerability, CVE-2023-6040, with a CVSS score of 7.8, impacting its netfilter component. Discovered by Lin Ma from Ant Security Light-Year Lab, this flaw arises during the creation of a new netfilter table.
The absence of proper checks against invalid nf_tables family values in the `nf_tables_newtable` function leads to out-of-bounds access.
Out-of-bounds reads of this kind let an attacker read data from adjacent memory or crash the kernel. A crash typically occurs when code reads a variable amount of data and relies on a sentinel, such as the NUL terminator of a string, to stop the read; if no sentinel lies in the out-of-bounds region, the read continues past the buffer and ends in a segmentation fault or buffer overflow. The underlying defect is an index or pointer computation that lands outside the buffer's boundaries, so the subsequent read yields undefined or unexpected results.
This vulnerability primarily exists in two functions:
- `xt_find_target` in `x_tables.c`: This function uses the family value to index `xt_af` data without a bounds check, which could be exploited.
- `nf_logger_find_get` in `nf_log.c`: Here, the `pf` index is used on the `loggers` global array, opening avenues for attackers to manipulate adjacent global data.
An attacker who triggers this flaw could read sensitive information from neighbouring memory, leaking data or crashing the system. The crash arises from reading past the buffer when no sentinel terminates the access, which ends in a segmentation fault or buffer overflow.
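The defect class described above is a protocol-family value taken from a netlink message and used as an array index before anyone checks that it is in range. The following userspace C program is an added illustration of that pattern and its fix; it is not kernel code and not the upstream patch. It models a per-family registry (the constructed `registry` array, `struct family_ops` and the `newtable` handler are this example's own inventions) sized by a `NUMPROTO` bound that plays the role of the kernel's `NFPROTO_NUMPROTO`, and shows the unchecked lookup beside a hardened one that validates the family first.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on netfilter protocol families, mirroring the role of the
 * kernel's NFPROTO_NUMPROTO (13 upstream). Per-family arrays are sized by it. */
#define NUMPROTO 13

/* Constructed per-family state; stands in for the kernel's per-family tables. */
struct family_ops {
    const char *name;
    int hook_count;
};

/* Only a few families are registered; the rest of the slots stay empty. */
static struct family_ops registry[NUMPROTO] = {
    [2]  = { "ipv4", 5 },   /* NFPROTO_IPV4 */
    [7]  = { "bridge", 5 }, /* NFPROTO_BRIDGE */
    [10] = { "ipv6", 5 },   /* NFPROTO_IPV6 */
};

/* Unchecked pattern: a family value that arrived in a message header is used
 * directly as an index. Any value >= NUMPROTO reads past the end of `registry`
 * (CWE-125), which is the shape of the defect the advisory describes. */
static const struct family_ops *lookup_unchecked(uint8_t family)
{
    return &registry[family];
}

/* Hardened pattern: validate the family before it touches any per-family
 * array. An out-of-range value is a malformed request (-EAFNOSUPPORT), which
 * is distinct from a well-formed request for a family nobody registered
 * (-ENOENT). */
static int lookup_checked(uint8_t family, const struct family_ops **out)
{
    if (family >= NUMPROTO)
        return -EAFNOSUPPORT;
    if (registry[family].name == NULL)
        return -ENOENT;
    *out = &registry[family];
    return 0;
}

/* Shape of a "new table" request handler: the family is validated once at the
 * top, and only the validated value is used afterwards. */
static int newtable(uint8_t family, const char *name)
{
    const struct family_ops *ops;
    int err = lookup_checked(family, &ops);
    if (err)
        return err;
    printf("table %s: family %s (%d hooks)\n", name, ops->name, ops->hook_count);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a registered family, an unregistered one, and two
     * out-of-range values of the kind a fuzzer would send. */
    uint8_t samples[] = { 2, 3, 13, 255 };

    /* The unchecked lookup is only safe for values the caller already knows
     * are in range. */
    printf("unchecked lookup of family 2: %s\n", lookup_unchecked(2)->name);

    for (size_t i = 0; i < sizeof samples; i++) {
        int err = newtable(samples[i], "t");
        if (err)
            printf("family %u rejected: %s\n", samples[i], strerror(-err));
    }
    return 0;
}
```

The point to take from the checked version is where the check sits: once at the entry point, before the value is stored or passed down to helpers such as a target or logger lookup, so that every later consumer of the family can index its array without re-validating.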
Disabling unprivileged user namespaces is the recommended mitigation: creating nf_tables objects requires CAP_NET_ADMIN, which an unprivileged user namespace grants to an ordinary user inside its own network namespace. CVE-2023-6040 affects the upstream stable branches 5.4.y, 5.10.y, and 5.15.y, which need urgent patching. Kernels newer than 5.18-rc1 are not affected.
Administrators are advised to apply the fixed kernel packages as soon as their Linux distribution ships them.
Via: openwall