Security researcher liona24 has published an in-depth analysis and proof-of-concept (PoC) exploit for CVE-2024-27397, a use-after-free vulnerability in the Linux kernel's netfilter nf_tables component. The flaw affects kernel versions 4.1 through 6.8 and carries a CVSS score of 7.0, reflecting its potential for local privilege escalation.
CVE-2024-27397 lies in how nf_tables handles timeouts on set elements. If an element expires while a transaction is still in progress, the clean-up performed on abort is asymmetric with the work done earlier in the same transaction: a reference count that was decremented is never restored, leaving a dangling reference and a use-after-free. A local attacker can use this to crash the system or escalate privileges.
The affected code lives in the netfilter nf_tables component and is reached during the rollback of a transaction that contains expired elements; the expiry check at the heart of the bug is the nft_set_elem_expired function defined in nf_tables.h.
The researcher describes the transaction that triggers the bug as follows:
- Add a set element carrying an NFT_JUMP verdict to a chain, with a short expiration time; this increments the chain's use count.
- Delete the set before the element expires; this decrements the use count.
- Pad the batch with junk operations so that the element expires before the transaction finishes.
- Issue an invalid operation so that the whole transaction is aborted.
During rollback the expired element is skipped, so the use count it previously held on the chain is never restored. The chain can then be freed while the element still references it, and that freed chain object is what the exploit uses to gain RIP control.
The exploit is highly reliable: in the researcher's testing it succeeded 90% to 100% of the time once Address Space Layout Randomization (ASLR) had been bypassed, so a separate kernel address leak is assumed.
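The following is an added, deliberately simplified model of the asymmetry described above; it is not the kernel code and not the researcher's PoC. It assumes a single set element, a walk that skips expired elements, and two clocks: the buggy path compares expiry against the current time at each step (as a jiffies-based check does), while the fixed path compares against one timestamp captured for the whole transaction, which is the approach of the upstream fix. The names (`run_transaction`, `walk_elem`, the time values) are illustrative.

```c
/* Toy model of the CVE-2024-27397 rollback asymmetry (added example, not
 * kernel code). A set element with a jump verdict pins its target chain by
 * bumping chain->use. Deleting the set deactivates the element (use--), and
 * aborting the transaction must reactivate it (use++). If the abort walk
 * skips the element because it has expired in the meantime, the chain is
 * left with use == 0 while the element still points at it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct chain {
    int use; /* number of objects referencing this chain */
};

struct set_elem {
    uint64_t expires;      /* absolute time at which the element expires */
    struct chain *jump_to; /* chain named by the NFT_JUMP verdict */
    bool active;
};

/* Expiry check: same shape as nft_set_elem_expired(), a timeout compared
 * against whatever clock the caller passes in. */
static bool elem_expired(const struct set_elem *e, uint64_t clock)
{
    return clock >= e->expires;
}

/* Adding an element with a jump verdict takes a reference on the chain. */
static void elem_add(struct set_elem *e, struct chain *c,
                     uint64_t now, uint64_t timeout)
{
    e->expires = now + timeout;
    e->jump_to = c;
    e->active = true;
    c->use++;
}

/* One walk over the set, used both when the set is deleted (deactivate)
 * and when the transaction is aborted (activate again). Expired elements
 * are skipped: this is the asymmetry when the two walks see different
 * clocks. */
static void walk_elem(struct set_elem *e, uint64_t clock, bool activate)
{
    if (elem_expired(e, clock))
        return;
    e->active = activate;
    if (activate)
        e->jump_to->use++;
    else
        e->jump_to->use--;
}

/* Replays the page's sequence: add element, delete set, let the element
 * expire, abort. Returns chain->use after the abort. The balanced result
 * is 1 (the element is back and still pins the chain); 0 means the chain
 * can now be deleted while the element's verdict still points at it.
 * use_trans_tstamp selects the fixed behaviour (one timestamp for the
 * whole transaction) instead of the buggy current-clock check. */
static int run_transaction(bool use_trans_tstamp)
{
    struct chain c = { .use = 0 };
    struct set_elem e;
    const uint64_t t_start = 1000;          /* transaction starts */
    const uint64_t timeout = 10;            /* short expiration time */
    const uint64_t t_delset = t_start + 1;  /* set deleted before expiry */
    const uint64_t t_abort = t_start + 50;  /* junk ops let it expire */

    elem_add(&e, &c, t_start, timeout);                                  /* use = 1 */
    walk_elem(&e, use_trans_tstamp ? t_start : t_delset, false);         /* use = 0 */
    walk_elem(&e, use_trans_tstamp ? t_start : t_abort, true);           /* must be 1 */
    return c.use;
}

int main(void)
{
    printf("buggy abort (current clock):     chain->use = %d\n",
           run_transaction(false));
    printf("fixed abort (transaction stamp): chain->use = %d\n",
           run_transaction(true));
    return 0;
}
```

With the current-clock check the deactivate walk at t_delset still sees a live element and drops the reference, but the activate walk at t_abort sees an expired one and skips it, so chain->use ends at 0 with the element still pointing at the chain. Comparing both walks against a single timestamp captured for the transaction makes them agree, which is why the upstream fix moved the expiry check onto a per-transaction timestamp.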
The vulnerability was introduced in commit c3e1b005ed1c and fixed in commit 7395dfacfff65e9938ac0889dafa1ab01e987d15. Users are strongly advised to update to a patched kernel. As with other nf_tables bugs, an unprivileged local attacker needs CAP_NET_ADMIN in a user namespace to reach the nf_tables netlink interface, so restricting unprivileged user namespace creation reduces exposure where updating is not immediately possible.
The full technical details and the PoC exploit code for CVE-2024-27397 are available on GitHub.