CVE-2023-3777: Use-after-free in Linux kernel's netfilter: nf_tables component
First published: Wed Sep 06 2023(Updated: )
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
Credit: cve-coordination@google.com cve-coordination@google.com cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Kernel | <6.5 | 6.5 |
| Linux Kernel | <5.9.0 | |
| Linux Kernel | >=6.0<6.5 | |
| Debian GNU/Linux | =12.0 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.13-1 | |
| Linux Kernel | >=5.9<5.10.188 | |
| Linux Kernel | >=5.11<5.15.123 | |
| Linux Kernel | >=5.16<6.1.42 | |
| Linux Kernel | >=6.2<6.4.7 | |
| Debian | =12.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =20.04 | |
| Ubuntu | =22.04 |
Remedy
If not needed, disable the ability for unprivileged users to create namespaces. To do this temporarily, do: sudo sysctl -w kernel.unprivileged_userns_clone=0 To disable across reboots, do: echo kernel.unprivileged_userns_clone=0 | \ sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8
- https://kernel.dance/6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8
- https://www.debian.org/security/2023/dsa-5492
- http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
- https://launchpad.net/bugs/cve/CVE-2023-3777
- https://access.redhat.com/errata/RHSA-2024:0431
- https://access.redhat.com/errata/RHSA-2024:0432
- https://access.redhat.com/errata/RHSA-2024:0461
- https://access.redhat.com/errata/RHSA-2024:0439
- https://access.redhat.com/errata/RHSA-2024:0448
- https://bugzilla.redhat.com/show_bug.cgi?id=2237750
- https://git.kernel.org/linus/6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8
- https://security-tracker.debian.org/tracker/CVE-2023-3777
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3777
- https://nvd.nist.gov/vuln/detail/CVE-2023-3777
- https://ubuntu.com/security/CVE-2023-3777
Frequently Asked Questions
What is the severity of CVE-2023-3777?
CVE-2023-3777 is classified as a high-severity vulnerability due to its potential for local privilege escalation.
How do I fix CVE-2023-3777?
To mitigate CVE-2023-3777, update the kernel to a version higher than 6.5 or apply the latest patches provided by your distribution.
What systems are affected by CVE-2023-3777?
CVE-2023-3777 affects multiple versions of the Linux kernel, specifically versions between 5.9 and 6.5, including various distributions such as Debian and Ubuntu.
Can CVE-2023-3777 be exploited remotely?
CVE-2023-3777 is a local privilege escalation vulnerability and cannot be exploited remotely, requiring local access to the affected system.
What components of the Linux kernel does CVE-2023-3777 involve?
CVE-2023-3777 involves a use-after-free vulnerability in the Linux kernel's netfilter component, specifically in the nf_tables functionality.
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/title
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3777
- agent/software-canonical-lookup
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/last-modified-date
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.0
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/12.0
- package-manager/debian
- version/linux kernel/5.9
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- canonical/debian
- version/debian/12.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/20.04
- version/ubuntu/22.04