Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 12 Jan 2024 03:53:53 +0300
From: Cengiz Can <cengiz.can@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-6040: Linux Kernel netfilter out-of-bounds access

An out-of-bounds access vulnerability involving netfilter was reported
and fixed as:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2

While creating a new netfilter table, lack of a safeguard against
invalid nf_tables family (pf) values within `nf_tables_newtable`
function enables an attacker to achieve out-of-bounds access.

This out-of-bounds access can occur in two locations:

1) `xt_find_target` function in `x_tables.c` can dereference the `xt`
array without a boundary check. This allows an attacker to fake an
`xt_af` data and achieve further ends.

2) `nf_logger_find_get` function in `nf_log.c` uses `pf` as an index on
`loggers` global which consists of `struct nf_logger` members. An
attacker can find a suitable global data to fake as `struct nf_logger`
and use the invalid `pf` to dereference adjacent global data.

Disabling unprivileged user namespaces mitigates the issue.

This issue was reported to Ubuntu Security directly by Lin Ma from Ant
Security Light-Year Lab and has been assigned CVE-2023-6040.

It affects upstream stable 5.4.y, 5.10.y, 5.15.y. Those require the fix
to be applied. Any upstream kernel newer than 5.18-rc1 should be safe.

Cengiz Can

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.