Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk
Netfilter nf_tables use-after-free flaw
Date: 2023-05-11
Updated: 2023-06-12, 2023-06-22, 2023-09-15, 2023-10-19
Affected software and risk
==========================
CRITICAL risk vulnerability concerning Linux kernel Netfilter nf_tables
Package : Linux kernel Netfilter nf_tables
CVE ID : CVE-2023-32233
CVSS Score : 7.8 [R 1]
A use-after-free flaw was found in the Netfilter nf_tables
(net/netfilter/nf_tables_api.c) in the Linux kernel.
In order to exploit this flaw, the attacker must have CAP_NET_ADMIN
privileges and be able to manipulate netfilter entries.
This vulnerability may lead to arbitrary code execution, and kernel
information leak issue. [R 1]
Actions required/recommended
============================
Sites should urgently consider mitigation if they have not done so already.
**UPDATE 2023-06-22**
This is now fixed for RHEL9, and hopefully for derivatives shortly [R 1]
**UPDATE 2023-06-13**
This is now fixed for RHEL8 and derivatives. [R 1]
Sites running RHEL8 and RHEL9 and derivatives should update, urgently if
they do not have mitigation in place.
**UPDATE 2023-10-19** This is now fixed for RHEL7 and derivatives.
Component installation information
==================================
Sites running RHEL should see [R 1]
Sites running CentOS should also see [R 1] and [R 2]
Sites running Scientific Linux should see [R 3]
Sites running Debian should see [R 4]
Sites running Ubuntu should see [R 5]
Sites running RockyLinux should see [R 6]
Sites running Almalinux should see [R 7]
Mitigation
==========
Disabling (some of the) linux namespaces may fully or partially mitigate
this vulnerability.
In particular, this vulnerability appears to be mitigated provided
unprivileged network namespaces are NOT enabled.
Best practices on namespaces and containers is provided on the
CSIRT webpage [R 8]
Note that both Red Hat and Ubuntu recommend Mitigation.
See [R 1], [R 5]
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for
distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2023-32233
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99]
References
==========
[R 1] https://access.redhat.com/security/cve/cve-2023-32233
[R 2] https://lists.centos.org/pipermail/centos-announce/
[R 3] https://www.scientificlinux.org/category/sl-errata/
[R 4] https://security-tracker.debian.org/tracker/CVE-2023-32233
[R 5] https://ubuntu.com/security/CVE-2023-32233
[R 6] https://errata.build.resf.org/
[R 7] https://errata.almalinux.org/
[R 8] https://csirt.egi.eu/2022/10/19/linux-namespaces-and-containers/
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867
Credit
======
SVG was alerted to this vulnerability by Torsten Harenberg
Timeline
========
Yyyy-mm-dd [EGI-SVG-2023-CVE-2023-32233]
2023-05-11 SVG alerted to this issue by Torsten Harenberg
2023-05-11 Acknowledgement from the EGI SVG to the reporter
2023-05-11 EGI SVG Risk Assessment completed
2023-05-11 Advisory/heads up drafted.
2023-05-11 Advisory/heads up sent to sites
2023-06-13 Update as fixed for RHEL8 and derivatives
2023-06-22 Update as fixed for RHEL9
2023-09-15 Advisory placed on advisories.egi.eu
2023-10-19 Update as fixed for RHEL 7
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative commons licence
https://creativecommons.org/licenses/by/4.0/
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------
On behalf of the EGI SVG,