A new NetFilter Linux kernel flaw has been discovered, allowing unprivileged local users to elevate their privileges to the root level, allowing complete control over a system.
THE CVE-2023-32233 An identifier has been reserved for the vulnerability, but a severity level has yet to be determined.
The security issue stems from the fact that Netfilter nf_tables accepts invalid updates to its configuration, allowing for specific scenarios where invalid batch requests lead to subsystem internal state corruption.
Netfilter is a packet filtering and network address translation (NAT) framework built into the Linux kernel that is managed through front-end utilities, such as IPtables and UFW.
According to a new advisory released yesterday, corruption of the internal system state leads to a use-after-free vulnerability that can be exploited to perform arbitrary reads and writes to kernel memory.
As revealed by security researchers who posted to the Openwall mailing list, a proof-of-concept (PoC) exploit has been created to demonstrate exploitation of CVE-2023-32233.
The researcher says this impacts several versions of the Linux kernel, including the current stable version, v6.3.1. However, to exploit the vulnerability, it is first necessary to have local access to a Linux device.
A Linux kernel source code validation was submitted to solve the problem by engineer Pablo Neira Ayuso, introducing two functions that manage the lifecycle of anonymous sets in the Netfilter nf_tables subsystem.
By properly handling the enabling and disabling of anonymous sets and preventing further updates, this patch prevents memory corruption and the possibility of attackers exploiting the use-after-free issue to elevate their privileges to root.
The exploit soon to be made public
Security researchers Patryk Sondej and Piotr Krysiuk, who discovered the issue and reported it to the Linux kernel team, developed a PoC that allows unprivileged local users to start a root shell on impacted systems.
The researchers shared their exploit privately with the Linux kernel team to help them develop a fix and included a link to a detailed description of the exploit techniques employed and the PoC source code.
As analysts explained in more detail, the exploit will be released next Monday, May 15, 2023, with full details on the exploitation techniques.
“Per linux-distros list policy, the exploit must be released within 7 days of this notice. In order to comply with this policy, I intend to release both the description of the exploit techniques exploit and also the source code for the exploit on Monday the 15th,” reads a publication to the Openwall mailing list.
Gaining root-level privileges on Linux servers is a valuable tool for threat actors, who are known to monitor Openwall for new security intelligence to use in their attacks.
A mitigating factor for CVE-2023-32233 is that remote attackers must first establish local access to a target system to exploit it.