Part01
Vulnerability Overview
A critical vulnerability has been discovered in the ipset subsystem of the Linux kernel’s netfilter, allowing local attackers to escalate their privileges to root level. This vulnerability exists in the bitmap:ip implementation of the ipset framework, stemming from insufficient range validation when processing CIDR format IP address ranges. Due to the lack of boundary checks, attackers can trigger out-of-bounds memory writes in kernel space, ultimately gaining full control of the system.
Key Points
- The ipset subsystem of the Linux kernel netfilter contains a critical vulnerability that can trigger out-of-bounds memory writes.
- Attackers with local access can exploit this vulnerability to gain root privileges.
- Immediate updates to the patched kernel version are recommended.
Part02
Technical Details
This vulnerability affects kernel versions 6.12.2 and earlier, with the latest patch addressing the issue by implementing appropriate range validation across all code paths.According to the SSD security disclosure report, this security flaw is located in the bitmap_ip_uadt function within the net/netfilter/ipset/ip_set_bitmap_ip.c file. When specifying IP ranges using CIDR notation through the netfilter netlink interface, the vulnerable code path fails to verify whether the calculated IP range is within the allocated bitmap boundaries.
The root cause is that when the tb[IPSET_ATTR_CIDR] attribute is present and tb[IPSET_ATTR_IP_TO] is missing, the ip_set_mask_from_to function calculates new ip and ip_to values based on the CIDR mask, but unlike explicit ranges, there is no validation to ensure the resulting ip value is not less than map->first_ip. A carefully crafted CIDR value can lead to integer underflow, causing out-of-bounds array access when the calculated index is truncated from u32 to u16 during bitmap operations.Part03
Exploitation and Impact
Exploiting this vulnerability requires local access but does not require special privileges, making it particularly dangerous in multi-user environments or containerized systems. Attackers can trigger the vulnerable code path by sending maliciously crafted ipset commands through the netfilter netlink socket interface.
The attack technique involves creating multiple bitmap:ip objects to establish a predictable memory layout, then using out-of-bounds write primitives to overwrite critical kernel data structures. Specifically, attackers can modify the members pointer of adjacent bitmap_ip objects, turning limited write primitives into arbitrary memory write capabilities. Proof of concept demonstrates how to overwrite the core_pattern kernel parameter that controls core dump handling, allowing attackers to execute arbitrary commands with root privileges when triggering a segmentation fault.Part04
Mitigation Recommendations
The impact of this vulnerability is not limited to simple privilege escalation; successful exploitation will grant attackers complete control over the affected system, including the ability to install rootkits, modify system configurations, access sensitive data, and potentially lateral movement to other systems on the network.
Organizations running affected kernel versions should prioritize applying available patches, which resolve the issue by implementing comprehensive range validation that checks the conditions ip < map->first_ip and ip_to > map->last_ip, regardless of how the IP range is specified.
References:
Linux Kernel netfilter Vulnerability Let Attackers Escalate Privileges
https://cybersecuritynews.com/linux-kernel-netfilter-vulnerability/
Source: FreeBuf
The technologies, ideas, and tools discussed in articles published or reprinted by Heibai Zhidao are for educational exchange purposes only, and no one may use them for illegal or profit-making purposes; otherwise, the consequences will be borne by the individual!
If there is any infringement, please contact us to delete the article.
END