OSG-SEC-2023-05-17 HIGH Flaw in Linux kernel Netfilter module

Dear OSG Security Contacts,

A use-after-free vulnerability was found in the Netfilter subsystem of the Linux kernel when processing batch requests to update nf_tables configuration as reported in CVE-2023-32233. This vulnerability can be abused to perform arbitrary reads and writes in kernel memory. [1]

IMPACTED VERSIONS:

Linux kernel version up through 6.3.1 [2]

RHEL 7, 8, and 9 based distributions are all affected [1]

WHAT ARE THE VULNERABILITIES:

A local user with 'CAP_NET_ADMIN' capability could use this flaw to crash the system or potentially escalate their privileges on the system. [3] On Red Hat Enterprise Linux, local unprivileged users can exploit unprivileged user namespaces with network namespaces to grant themselves this capability.

WHAT YOU SHOULD DO:

Update to a fixed kernel version when one is available for your distribution.

There are two recommended mitigation options:

1) This flaw can be mitigated by preventing the affected netfilter (nf_tables) kernel module from being loaded. For instructions on how to blacklist a kernel module, please see [4].

2) If the module cannot be disabled, the mitigation is to disable either network namespaces or user namespaces. The OSG Security team recommends permanently disabling network namespaces when user namespaces are needed for containers, as detailed in the OSG Apptainer installation instructions [5].

REFERENCES

[1] https://access.redhat.com/security/cve/CVE-2023-32233

[2] https://nvd.nist.gov/vuln/detail/CVE-2023-32233

[3] https://bugzilla.redhat.com/show_bug.cgi?id=2196105

[4] https://access.redhat.com/solutions/41278

[5] https://osg-htc.org/docs/worker-node/install-apptainer/#enabling-unprivileged-apptainer

Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team