A newly discovered vulnerability in the Linux NetFilter kernel allows unprivileged local users to gain root-level privileges, giving them complete control over a system. The CVE-2023-32233 identifier has been reserved for the vulnerability, and a severity level has yet to be determined.
Netfilter nf_tables is a packet filtering and network address translation framework that is built into the Linux kernel and managed through front-end utilities like IPtables and UFW.
The vulnerability occurs due to Netfilter nf_tables accepting invalid updates to its configuration, leading to the corruption of the subsystem’s internal state. This can then cause a use-after-free vulnerability that can be exploited to perform arbitrary reads and writes in the kernel memory.
Security researchers have created a proof-of-concept (PoC) exploit to demonstrate the exploitation of CVE-2023-32233, and it will be published along with complete details about the exploitation techniques on Monday, May 15th, 2023.
The researchers who discovered the problem and reported it to the Linux kernel team have developed a PoC that allows unprivileged local users to start a root shell on impacted systems. The exploit will be published to comply with the linux-distros list policy, which requires the exploit to be published within 7 days from the advisory.
To exploit the vulnerability, the attacker first requires local access to a Linux device.
A Linux kernel source code commit was submitted to address the problem by engineer Pablo Neira Ayuso, introducing two functions that manage the lifecycle of anonymous sets in the Netfilter nf_tables subsystem. The fix prevents memory corruption and the possibility of attackers exploiting the use-after-free issue to escalate their privileges to root level by properly managing the activation and deactivation of anonymous sets and preventing further updates.
While gaining root-level privileges on Linux servers is a valuable tool for threat actors, a mitigating factor for CVE-2023-32233 is that remote attackers first must establish local access to a target system to exploit it.
