A few days ago the news broke that Two vulnerabilities were detected in the subsystems of the linux Kernel, Netfilter and io_uring, which allow a local user to elevate their privileges on the system.
The first one is vulnerability. (CVE-2023-32233) that was detected in the Netfilter subsystem and caused by use-after-free memory access in the nf_tables module, which ensures the operation of the nftables packet filter.
This bug is because netfilter nf_tables allows updating its configuration for batch requests that group together multiple basic operations in atomic transactions.
The problem has been reproduced in various versions of the Linux kernel, including Linux 6.3.1 (current stable) and the vulnerability can be exploited by sending specially crafted requests to update the nftables configuration. It is mentioned that the attack requires access to nftables, which can be obtained in a separate network namespace if you have the CLONE_NEWUSER, CLONE_NEWNS, or CLONE_NEWNET rights (for example, if you can run an isolated container).
On this bug, the researcher who identified the problem promised to postpone for a week the publication of detailed information and an example of a working exploit that provides a root shell.
In a specific scenario, an invalid batch request might contain an operation that implicitly deletes an existing nft anonymous set followed by another operation that attempts to act on the same anonymous nft set after it is deleted. In the above scenario, an example of the above operation is deleting an existing nft rule that uses an nft anonymous set. And an example of the latter operation is an attempt to remove an element from that nft anonymous array after the array is alternately removed, the latter operation might even attempt to explicitly remove that nft anonymous array again.
As already mentioned at the beginning, this was several days ago and the exploit and the information was already disclosed. The exploit as well as its details can be found at the following link.
The second fault detected, was the vulnerability (CVE-2023-2598) in the implementation of the asynchronous I/O interface io_uring included in the Linux kernel since version 5.1.
The problem is caused by a bug in the io_sqe_buffer_register function, which allows access to physical memory outside the bounds of a statically allocated buffer. The issue appears only in the 6.3 branch and will be fixed in the next 6.3.2 update.
It is mentioned that the idea behind the original commit is that instead of splitting large pages that are buffered into individual bvec entries, you can have a single bvec entry for all buffered parts of the page. Specifically, if all pages in the buffer map use the first page structure and buffer length in a single bvec entry instead of mapping each page individually.
So bvec will extend well beyond the single page that it's actually allowed to touch. Later, IORING_OP_READ_FIXED and IORING_OP_WRITE_FIXED allow us to read and write to the buffer (ie, the memory pointed to by the bvec) at will. This allows read/write access to the physical memory behind the only page that we actually have.
The vulnerability publication mentions the error reproduction steps:
1. Create a memfd
2. Error a single page in that file descriptor
3. Use MAP_FIXED to map this page repeatedly, to consecutive locations
4. Register the entire region you just filled with that page as
a fixed buffer with IORING_REGISTER_BUFFERS
5. Use IORING_OP_WRITE_FIXED to write the buffer to some other file
(OOB read) or IORING_OP_READ_FIXED to read data in the buffer (
OOB write).
Finally it is worth mentioning that is already available a working exploit prototype (CVE-2023-2598) for testing, allowing you to run code with kernel privileges.
Vulnerability (CVE-2023-32233) It was fixed in the 6.4-rc update and you can follow the vulnerability fix in distributions on the pages: Debian, Ubuntu, Gentoo, RHEL, Fedora, SUSE/openSUSE y Arch.