Nasty Linux netfilter firewall security hole found

How embarrassing! It turns out there was a security hole lurking in Linux's netfilter firewall program.

Behind almost all Linux firewalls tools such as iptables; its newer version, nftables; firewalld; and ufw, is netfilter, which controls access to and from Linux's network stack. It's an essential Linux security program, so when a security hole is found in it, it's a big deal. 

Nick Gregory, a Sophos threat researcher, found this hole recently while checking netfilter for possible security problems. Gregory explains in great detail his bug hunt, and I recommend it for those who want insight into finding C errors. But, for those of you who just want to cut to the chase, here's the story.

This is a serious bug. Specifically, it's a heap out-of-bounds write problem with the kernel's netfilter. Gregory said it's " exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want." Yuck!

This problem exists because netfilter doesn't handle its hardware offload feature correctly. A local, unprivileged attacker can use this to cause a denial-of-service (DoS), execute arbitrary code, and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn't have offload functionality! That's because, as Gregory wrote to a security list, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails."

Also: The best Linux distros for beginners: You can do this!

This vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. It's listed as Common Vulnerabilities and Exposures (CVE-2022-25636), and with a Common Vulnerability Scoring System (CVSS) score of 7.8), this is a real badie. 

How bad? In its advisory, Red Hat  said, "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat." So, yes, this is bad.

Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x; Debian BullseyeUbuntu Linux, and SUSE Linux Enterprise 15.3. While the Linux kernel netfilter patch has been made, the patch isn't available yet in all distribution releases.

If you don't have a patch yet, you can mitigate the problem in the RHEL family with the commands:

# echo 0 > /proc/sys/user/max_user_namespaces

# sudo sysctl --system

And, in the Debian/Ubuntu family with the command:

$ sudo sysctl kernel.unprivileged_userns_clone=0

So, here we are again. I've not seen a good exploit of this, but I have seen one that works about half the time. If you don't want to see your Linux servers stolen out from underneath you or just knocked off the net, it's time to either patch your system or lock it down to avoid trouble.

See also

Show Comments