Cybersecurity blog header

CVE-2023-32233: Privilege escalation in Linux Kernel due to a Netfilter nf_tables vulnerability

CVE-2023-32233 vulnerability was reported by researchers Patryk Sondej and Piotr Krysiuk

Recently, a user-after-free vulnerability (CVE-2023-32233) has been published that would allow unprivileged local users to obtain root permissions on Linux Kernel versions 6.3.1 and earlier.

The issue, which was reported by researchers Patryk Sondej and Piotr Krysiuk, is due to improper handling of anonymous sets in the Netfilter nf_tables module that can be exploited to execute read and write actions in the kernel memory space.

It should be noted that the affected nf_tables module is enabled by default in many Linux distributions, so the number of potentially affected systems is high.

Although the vulnerability was reported on 8 May 2023, functional proofs of concept are being released in public repositories in the recent days, and show successful execution of the associated exploits:

CVE-2023-32233 main characteristics

The main characteristics of the CVE-2023-32233 vulnerability are detailed below:

  • CVE identifier: CVE-2023-32233.
  • Published date: 08/05/2023.
  • Affected software: Linux Kernel.
  • CVSS Score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 High).
  • Affected versions: 6.3.1 y earlier.
  • Exploitation requirements: It is required to have CAP_NET_ADMIN privileges and be able to manipulate netfilter entries.

CVE-2023-32233 mitigation

The main solution is to urgently upgrade the Linux kernel to the new 6.3.2 or later versions that fix this vulnerability.

Other workarounds include:

  • Prevent the affected Netfilter module from running, as specified, for example, in Red Hat’s guides: https://access.redhat.com/solutions/41278
  • If it is not possible to prevent the Netfilter module from running, it’s possible to disable the creation of user namespaces. The following are two examples for applying this action on Red Hat and Debian distributions respectively:
    • Red Hat:

# echo “user.max_user_namespaces=0” > /etc/sysctl.d/userns.conf

# sysctl -p /etc/sysctl.d/userns.conf

    • Debian

# sysctl -w kernel.unprivileged_userns_clone=0

References