A critical vulnerability in the Linux kernel’s netfilter ipset subsystem has been discovered that allows local attackers to escalate privileges to root-level access.
The flaw, identified in the bitmap:ip implementation within the ipset framework, stems from insufficient range validation when processing CIDR notation in IP address ranges.
This missing bounds check enables attackers to trigger out-of-bounds memory writes in kernel space, ultimately providing a pathway to full system compromise.
Key Takeaways
1. Critical vulnerability in Linux kernel’s netfilter ipset subsystem allows attackers to trigger out-of-bounds memory writes.
2. Attackers with local access can exploit this flaw to gain root privileges.
3. Immediately update to patched kernel versions.
The vulnerability affects kernel versions up to 6.12.2 and has been addressed through a recently released patch that implements proper range validation across all code paths.
Linux Kernel Netfilter Vulnerability
SSD Secure Disclosure reports that the security flaw resides in the bitmap_ip_uadt function within the net/netfilter/ipset/ip_set_bitmap_ip.c file, where insufficient validation occurs when processing CIDR-based IP ranges.
The ipset subsystem, designed for high-performance packet filtering in conjunction with iptables and nftables, uses bitmap data structures to efficiently manage sets of IPv4 addresses.
When users specify IP ranges using CIDR notation through the netfilter netlink interface, the vulnerable code path fails to verify that the calculated IP range falls within the allocated bitmap boundaries.
The root cause emerges when the tb[IPSET_ATTR_CIDR] attribute is present but tb[IPSET_ATTR_IP_TO] is absent.
In this scenario, the ip_set_mask_from_to function calculates new ip and ip_to values based on the CIDR mask, but unlike the explicit range case, no validation ensures the resulting ip value doesn’t underflow below map->first_ip.
This creates a situation where crafted CIDR values can cause integer underflow, leading to out-of-bounds array access when the calculated index is truncated from u32 to u16 during bitmap operations.
Exploitation of this vulnerability requires local access but no special privileges, making it particularly dangerous in multi-user environments or containerized systems.
Attackers can leverage the netfilter netlink socket interface to send maliciously crafted ipset commands that trigger the vulnerable code path.
By carefully constructing bitmap:ip set creation and addition operations with specific CIDR values, attackers can achieve controlled out-of-bounds writes beyond the allocated bitmap memory region.
The exploitation technique involves creating multiple bitmap:ip objects to establish a predictable memory layout, then using the out-of-bounds write primitive to overwrite critical kernel data structures.
Specifically, attackers can modify the members pointer of adjacent bitmap_ip objects, transforming the limited write primitive into arbitrary memory write capabilities.
The proof-of-concept demonstrates overwriting the core_pattern kernel parameter, which controls how core dumps are processed, allowing attackers to execute arbitrary commands with root privileges when triggering a segmentation fault.
The vulnerability’s impact extends beyond simple privilege escalation, as successful exploitation grants attackers complete control over the affected system.
This includes the ability to install rootkits, modify system configurations, access sensitive data, and potentially pivot to other systems on the network.
Organizations running affected kernel versions should prioritize applying the available patch, which addresses the issue by implementing a comprehensive range validation that checks both ip < map->first_ip and ip_to > map->last_ip conditions regardless of how the IP range is specified.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
