CVE-2023-3390: Use-after-free in Linux kernel's netfilter subsystem
First published: Wed Jun 07 2023(Updated: )
A flaw in the Linux Kernel found in the Netfilter nf_tables (net/netfilter/nf_tables_api.c). It can lead to use after free vulnerability in nftables when handling sets that are both named and anonymous in batch requests. Nftables allows creating a named set that can be also marked as anonymous by setting the NFT_SET_ANONYMOUS flag. When a rule referencing this malformed set is destroyed, the set gets destroyed as well, as the set is marked anonymous. It is possible to get nftables to destroy the rule, by mangling certain bytes within the rule's bytecode. As this is a named set, the set can be referenced in a different rule at which point it triggers a use after free. The caveat is that all of this needs to be performed in a batch transaction. This is because the reference of any set created in a batch transaction remains in the transactions list even after the set is destroyed. Reference: <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97</a>
Credit: cve-coordination@google.com cve-coordination@google.com cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <6.4 | 6.4 |
| Linux Kernel | >=3.16<4.14.322 | |
| Linux Kernel | >=4.15<4.19.291 | |
| Linux Kernel | >=4.20<5.4.251 | |
| Linux Kernel | >=5.5<5.10.188 | |
| Linux Kernel | >=5.11<5.15.118 | |
| Linux Kernel | >=5.16<6.1.35 | |
| Linux Kernel | >=6.2<6.3.9 | |
| netapp h300s | ||
| netapp h410c | ||
| netapp h410s | ||
| netapp h500s | ||
| netapp h700s | ||
| Linux Kernel | >=3.16<6.4 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 |
Remedy
If not needed, disable the ability for unprivileged users to create namespaces. To do this temporarily, do: sudo sysctl -w kernel.unprivileged_userns_clone=0 To disable across reboots, do: echo kernel.unprivileged_userns_clone=0 | \ sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97
- https://kernel.dance/1240eb93f0616b21c675416516ff3d74798fdc97
- https://lists.debian.org/debian-lts-announce/2023/08/msg00001.html
- https://security.netapp.com/advisory/ntap-20230818-0004/
- https://www.debian.org/security/2023/dsa-5448
- https://www.debian.org/security/2023/dsa-5461
- https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html
- https://launchpad.net/bugs/cve/CVE-2023-3390
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2218699
- https://access.redhat.com/security/cve/CVE-2023-3390
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2218605
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2213260#c19
- https://cveform.mitre.org/
- https://access.redhat.com/security/cve/CVE-2023-3117
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2213260#c24
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2213260#c26
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2227020
- https://access.redhat.com/errata/RHSA-2023:4789
- https://access.redhat.com/errata/RHSA-2023:4888
- https://access.redhat.com/errata/RHSA-2023:4961
- https://access.redhat.com/errata/RHSA-2023:4962
- https://access.redhat.com/errata/RHSA-2023:4967
- https://access.redhat.com/errata/RHSA-2023:5091
- https://access.redhat.com/errata/RHSA-2023:5093
- https://access.redhat.com/errata/RHSA-2023:5069
- https://access.redhat.com/errata/RHSA-2023:5221
- https://access.redhat.com/errata/RHSA-2023:5238
- https://access.redhat.com/errata/RHSA-2023:5235
- https://access.redhat.com/errata/RHSA-2023:5255
- https://access.redhat.com/errata/RHSA-2023:5244
- https://access.redhat.com/errata/RHSA-2024:1250
- https://access.redhat.com/errata/RHSA-2024:1253
- https://access.redhat.com/errata/RHSA-2024:1268
- https://access.redhat.com/errata/RHSA-2024:1269
- https://access.redhat.com/errata/RHSA-2024:1278
- https://access.redhat.com/errata/RHSA-2024:1306
- https://bugzilla.redhat.com/show_bug.cgi?id=2213260
- https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-chromeos_25.html (Advisory)
- https://git.kernel.org/linus/1240eb93f0616b21c675416516ff3d74798fdc97
- https://kernel.dance/#1240eb93f0616b21c675416516ff3d74798fdc97
- https://security-tracker.debian.org/tracker/CVE-2023-3390
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3390
- https://nvd.nist.gov/vuln/detail/CVE-2023-3390
- https://ubuntu.com/security/CVE-2023-3390
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2023-4369
- CVE-2023-20593
- CVE-2023-4211
- CVE-2023-4128
- CVE-2023-4147
- CVE-2023-32804
- CVE-2022-40982
- CVE-2023-2312
- CVE-2023-4349
- CVE-2023-4350
- CVE-2023-4351
- CVE-2023-4352
- CVE-2023-4353
- CVE-2023-4354
- CVE-2023-4355
- CVE-2023-4356
- CVE-2023-4357
- CVE-2023-4358
- CVE-2023-4359
- CVE-2023-4360
- CVE-2023-4361
- CVE-2023-4362
- CVE-2023-4363
- CVE-2023-4364
- CVE-2023-4365
- CVE-2023-4366
- CVE-2023-4367
- CVE-2023-4368
- CVE-2023-21264
- CVE-2020-29374
Frequently Asked Questions
What is the severity of CVE-2023-3390?
CVE-2023-3390 has a medium severity rating, indicating a significant impact on affected systems.
How do I fix CVE-2023-3390?
To fix CVE-2023-3390, update your Linux Kernel to the latest versions specified in your distribution's release notes.
Which systems are affected by CVE-2023-3390?
CVE-2023-3390 affects various versions of the Linux Kernel, specifically those ranging from 3.16 to 6.4.
What type of vulnerability is CVE-2023-3390?
CVE-2023-3390 is a use-after-free vulnerability specifically occurring in the Netfilter nf_tables implementation.
Can CVE-2023-3390 lead to remote code execution?
Yes, CVE-2023-3390 could potentially allow an attacker to execute arbitrary code on affected systems.
- agent/type
- agent/first-publish-date
- agent/author
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/title
- collector/chrome-releases
- agent/severity
- agent/remedy
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3390
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/last-modified-date
- agent/trending
- agent/description
- agent/event
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- agent/tags
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/3.16
- version/linux kernel/4.15
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- vendor/netapp
- canonical/netapp h300s
- canonical/netapp h410c
- canonical/netapp h410s
- canonical/netapp h500s
- canonical/netapp h700s
- package-manager/debian