CVE-2024-0193 Overview
A use-after-free vulnerability was discovered in the netfilter subsystem of the Linux kernel. The flaw occurs when the catchall element is garbage-collected during the removal of a pipapo set, causing the element to be deactivated twice. This double deactivation triggers a use-after-free condition on NFT_CHAIN or NFT_OBJECT objects, enabling a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.
Critical Impact
Local privilege escalation allowing users with CAP_NET_ADMIN capability to gain elevated system privileges through memory corruption in the kernel's netfilter subsystem.
Affected Products
- Linux Kernel (all affected versions)
- Red Hat Enterprise Linux 9.0
Discovery Timeline
- 2024-01-02 - CVE-2024-0193 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-0193
Vulnerability Analysis
This vulnerability (CWE-416: Use After Free) resides in the Linux kernel's netfilter subsystem, specifically within the nftables implementation. The issue stems from improper handling of catchall elements during garbage collection when a pipapo (PIle PAcket POlicies) set is being removed from the system.
The pipapo set type in nftables is used for efficient packet classification and policy matching. When a pipapo set containing catchall elements is removed, a race condition in the garbage collection process can cause the catchall element to be deactivated twice. This double deactivation corrupts the internal reference counting mechanism, leaving dangling pointers to NFT_CHAIN or NFT_OBJECT structures.
An attacker with CAP_NET_ADMIN capability—which can be obtained through unprivileged user namespaces on many default Linux configurations—can trigger this condition to achieve use-after-free access to kernel memory. By carefully timing operations and controlling memory allocations, an attacker could potentially overwrite critical kernel data structures to escalate privileges.
Root Cause
The root cause is a synchronization flaw in the garbage collection logic for pipapo set elements. When a pipapo set is destroyed, the cleanup code does not properly coordinate with the garbage collector, allowing the catchall element deactivation to occur twice. The first deactivation frees the associated memory, while the second deactivation operates on the already-freed memory, creating a classic use-after-free scenario.
The vulnerability exists because:
- The catchall element lifecycle is not properly tracked during set removal
- No locking mechanism prevents concurrent deactivation attempts
- Reference counting for NFT_CHAIN and NFT_OBJECT structures can be corrupted
Attack Vector
The attack requires local access to the system with CAP_NET_ADMIN capability. On many Linux distributions, unprivileged users can obtain this capability within user namespaces, significantly lowering the barrier to exploitation. The attacker must:
- Create an unprivileged user namespace to obtain CAP_NET_ADMIN
- Set up an nftables pipapo set with catchall elements
- Trigger set removal while manipulating garbage collection timing
- Exploit the resulting use-after-free to corrupt kernel memory
- Escalate privileges through controlled memory corruption
The vulnerability mechanism involves memory management issues in the netfilter subsystem where improper synchronization between set removal and garbage collection creates a race condition. For detailed technical analysis, refer to Red Hat Bug Report #2255653.
Detection Methods for CVE-2024-0193
Indicators of Compromise
- Unexpected processes running with elevated privileges after user namespace creation
- Kernel log messages indicating use-after-free or memory corruption in netfilter/nftables subsystem
- Suspicious nftables rule or set manipulation activity from unprivileged users
- Process crashes or kernel oops messages related to nft_pipapo functions
Detection Strategies
- Monitor for creation of user namespaces combined with nftables operations using audit rules
- Implement kernel integrity monitoring to detect unauthorized privilege changes
- Deploy endpoint detection and response (EDR) solutions capable of monitoring kernel-level operations
- Configure auditd rules to track CAP_NET_ADMIN capability usage and nftables operations
Monitoring Recommendations
- Enable kernel audit logging: with auditd running, nf_tables configuration changes are recorded as NETFILTER_CFG records (query them with ausearch -m NETFILTER_CFG), and user namespace creation can be captured with a syscall rule such as auditctl -a always,exit -F arch=b64 -S unshare -S clone -F a0&0x10000000 -k userns (0x10000000 is CLONE_NEWUSER)
- Monitor /var/log/kern.log and dmesg output for memory corruption warnings
- Track user namespace creation events, especially when followed by network administration operations
- Implement real-time alerting for privilege escalation indicators
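The correlation described above (user namespace creation followed by nftables activity from the same process) as a small detector over audit records. This is an added example, not part of the original advisory; the audit lines are constructed samples, and correlation is done by pid on the assumption that the process that called unshare is the one that later configures nftables.

```python
import re

CLONE_NEWUSER = 0x10000000
SYS_UNSHARE, SYS_CLONE = 272, 56    # x86_64 syscall numbers
WINDOW_SECONDS = 300                 # keep watching a pid this long after unshare

# Constructed sample audit records (not real captures); the field layout follows
# the SYSCALL and NETFILTER_CFG record types written by auditd.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1704153600.100:501): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 pid=4242 auid=1000 uid=1000 comm="unshare" exe="/usr/bin/unshare" key="userns"
type=SYSCALL msg=audit(1704153601.200:502): arch=c000003e syscall=272 success=yes exit=0 a0=20000 a1=0 a2=0 a3=0 pid=4300 auid=1000 uid=1000 comm="unshare" exe="/usr/bin/unshare" key="userns"
type=NETFILTER_CFG msg=audit(1704153605.300:503): table=t:3 family=ipv4 entries=1 op=nft_register_set pid=4242 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1704153606.400:504): table=t:3 family=ipv4 entries=1 op=nft_unregister_set pid=4242 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1704153700.500:505): table=filter:9 family=ipv4 entries=2 op=nft_register_chain pid=900 subj=unconfined comm="nft"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):\d+\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into (record type, timestamp, {field: value})."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return m.group('type'), float(m.group('ts')), fields


def find_userns_nft_sequences(log_text):
    """Return (pid, auid, op, seconds_after_unshare) for every nf_tables change
    made by a pid that created a user namespace within WINDOW_SECONDS before."""
    userns_start = {}   # pid -> (timestamp of unshare/clone with CLONE_NEWUSER, auid)
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        rtype, ts, f = rec
        if (rtype == 'SYSCALL' and f.get('success') == 'yes'
                and int(f.get('syscall', -1)) in (SYS_UNSHARE, SYS_CLONE)
                and int(f.get('a0', '0'), 16) & CLONE_NEWUSER):
            userns_start[f['pid']] = (ts, f.get('auid'))
        elif rtype == 'NETFILTER_CFG':
            start = userns_start.get(f.get('pid'))
            if start and ts - start[0] <= WINDOW_SECONDS:
                hits.append((f['pid'], start[1], f['op'], round(ts - start[0], 1)))
    return hits
```

On the sample log only pid 4242 is reported: pid 4300 unshared a mount namespace (no CLONE_NEWUSER bit), and pid 900 never created a user namespace.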
How to Mitigate CVE-2024-0193
Immediate Actions Required
- Apply the latest kernel security updates from your Linux distribution
- Restrict user namespace creation if it is not required: on Debian/Ubuntu kernels use sysctl kernel.unprivileged_userns_clone=0; on kernels without that out-of-tree sysctl (including RHEL 9) use sysctl user.max_user_namespaces=0
- Limit CAP_NET_ADMIN capability assignment to trusted users and processes
- Consider disabling nftables if iptables can be used as an alternative, keeping in mind that on most current distributions the iptables command is the iptables-nft variant, which is itself implemented on top of nf_tables
Patch Information
Red Hat has released security advisories addressing this vulnerability:
- RHSA-2024:1018 - Kernel security update
- RHSA-2024:1019 - Kernel security update
- RHSA-2024:1248 - Kernel security update
- RHSA-2024:2094 - Kernel security update
- RHSA-2024:4412 - Kernel security update
- RHSA-2024:4415 - Kernel security update
For complete vulnerability details, see the Red Hat CVE-2024-0193 Information page.
Workarounds
- Disable unprivileged user namespaces to prevent capability acquisition by regular users
- Apply mandatory access control policies (SELinux/AppArmor) to restrict nftables access
- Use network namespaces isolation to limit exposure of vulnerable kernel functionality
- Implement kernel module blacklisting for nf_tables if the functionality is not required
# Disable unprivileged user namespaces (temporary). This sysctl exists only on
# Debian/Ubuntu kernels that carry the out-of-tree unprivileged_userns_clone patch.
sysctl -w kernel.unprivileged_userns_clone=0
# Make the change persistent across reboots
echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.d/99-disable-userns.conf
# Verify the setting is applied
sysctl kernel.unprivileged_userns_clone
# On kernels without that sysctl (including RHEL 9), set the user namespace limit
# to zero instead. This also blocks privileged users and container tooling that
# rely on user namespaces, so test before deploying.
sysctl -w user.max_user_namespaces=0
echo "user.max_user_namespaces = 0" >> /etc/sysctl.d/99-disable-userns.conf
sysctl user.max_user_namespaces
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

