A significant security flaw has been identified in the Linux kernel’s nftables subsystem, designated as CVE-2024-26809. This vulnerability, rooted in the kernel’s netfilter infrastructure, poses a substantial risk by allowing local attackers to escalate their privileges to root level through a sophisticated double-free attack. Security researchers, notably the user conlonialC, have released a Proof-of-Concept (PoC) exploit demonstrating the potential for this vulnerability to be weaponized, emphasizing the critical need for system administrators to implement available patches promptly.
Technical Overview of CVE-2024-26809
The nftables subsystem was introduced to replace legacy packet filtering frameworks like iptables and ip6tables, offering a more streamlined and flexible approach to network packet filtering. It utilizes various core kernel components, including the `nft_set_pipapo` structure, to manage sets of filtering rules efficiently.
The vulnerability specifically resides in the `nft_pipapo_destroy()` function within the kernel’s `net/netfilter` module. Under certain conditions, this function may attempt to free the same memory region twice—a classic double-free scenario—when a set is marked as dirty and contains overlapping elements in both its match and clone representations.
The vulnerable code path can be summarized as follows:
“`c
if (set->flags & NFT_SET_CONCAT) {
nft_set_pipapo_match_destroy(set);
if (set->flags & NFT_SET_MAP)
nft_set_pipapo_clone_destroy(set);
}
“`
In this sequence, if the set is marked as dirty (`NFT_SET_CONCAT` flag), the function `nft_set_pipapo_match_destroy()` may be invoked twice on elements that exist in both match and clone, leading to a double-free condition.
Exploitation Process
The released PoC exploit, authored by conlonialC, meticulously demonstrates how to leverage this vulnerability for local privilege escalation. The attack involves several key steps:
1. Creation of a Pipapo Set: The attacker creates a pipapo set and inserts multiple elements to ensure the set is marked as dirty.
2. Triggering Set Destruction: The attacker then triggers the destruction of the set, causing the kernel to free the same set elements twice. This double-free corrupts the kernel’s heap, specifically targeting the `kmalloc-256` object cache, which is commonly used for kernel object allocations.
3. Heap Manipulation: By carefully orchestrating heap allocations and deallocations, the exploit achieves several advanced objectives:
– Overlapping nftables objects in memory to enable address leaks.
– Hijacking function pointers, such as `expr->ops->dump`, to redirect kernel execution flow.
– Executing a Return-Oriented Programming (ROP) chain to escalate privileges and spawn a root shell.
A crucial part of the exploit involves manipulating the kernel’s internal data structures to gain control over the instruction pointer (RIP). The attacker crafts a fake `nft_expr` object and uses a ROP gadget to pivot the stack, ultimately executing arbitrary code in kernel context. The exploit’s reliability is enhanced by its ability to reclaim freed heap chunks and leak kernel addresses, effectively bypassing common mitigations.
Affected Versions
CVE-2024-26809 affects Linux kernel versions 5.15.54 and later, including the 6.1 and 6.6 LTS branches. The vulnerability has been addressed in recent kernel updates, with distributions such as Debian, Ubuntu, and SUSE releasing patches for all supported versions. The fix ensures that elements are only released from the clone path during set destruction, preventing double-free conditions.
Mitigation Strategies
System administrators are strongly advised to take the following actions to mitigate the risk associated with CVE-2024-26809:
1. Apply Security Updates: Ensure that all systems are updated to the latest kernel versions that include the patch for this vulnerability. Regularly check for and apply security updates provided by your Linux distribution.
2. Restrict Unprivileged User Namespaces: If possible, disable unprivileged user namespaces to limit the attack surface. This can be achieved by setting the `kernel.unprivileged_userns_clone` parameter to 0:
“`bash
sysctl -w kernel.unprivileged_userns_clone=0
“`
Note that this may affect applications that rely on unprivileged user namespaces.
3. Monitor System Logs: Implement monitoring to detect unusual activities that may indicate exploitation attempts, such as unexpected privilege escalations or crashes related to the netfilter subsystem.
4. Limit Local Access: Restrict local access to trusted users and minimize the number of users with shell access to reduce the risk of local exploitation.
Conclusion
The discovery and public release of a PoC exploit for CVE-2024-26809 highlight the critical importance of proactive security measures in maintaining system integrity. By understanding the technical details of this vulnerability and implementing the recommended mitigation strategies, system administrators can effectively protect their systems from potential exploitation. Prompt action is essential to safeguard against the risks posed by this and similar vulnerabilities in the Linux kernel.
