Bug 1213061 (CVE-2023-31248)

Summary: VUL-0: CVE-2023-31248: kernel: nf_tables UAF when using nft_chain_lookup_byid
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: meissner, mhocko, mkubecek, mpdesouza, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/371263/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1221383
Whiteboard: CVSSv3.1:SUSE:CVE-2023-31248:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2023-07-06 07:40:15 UTC 
CVE-2023-31248

Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability;
`nft_chain_lookup_byid()` failed to check whether a chain was active and
CAP_NET_ADMIN is in any user or network namespace

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-31248
https://www.cve.org/CVERecord?id=CVE-2023-31248
http://www.openwall.com/lists/oss-security/2023/07/05/2
https://seclists.org/oss-sec/2023/q3/5
https://lore.kernel.org/netfilter-devel/20230705121627.GC19489@breakpoint.cc/T/
Comment 3 Michal Kubeček 2023-07-20 17:32:54 UTC 
The fix is in mainline now as commit 515ad530795c ("netfilter: nf_tables:
do not ignore genmask when looking up chain by id") and has been backported
into 6.4.4 stable update.

AFAICS the issue was introduced in 5.9-rc1 by commit 837830a4b439
("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute") which has been
also backported to SLE15-SP3-LTSS (but not other 5.3 or older branches).
Therefore only SLE15-SP4 and SLE15-SP3-LTSS should need a backport.
Comment 4 Michal Kubeček 2023-07-20 20:25:05 UTC 
  introduced      837830a4b439    5.9-rc1
  fixed           515ad530795c    6.5-rc2

The fix has been submitted to all relevant branches:

  stable          6.4.4
  SLE15-SP4       2b5600c20d9f
  SLE15-SP3-LTSS  414921d41310

Reassigning back to security team.
Comment 17 Maintenance Automation 2023-08-03 09:40:42 UTC 
SUSE-SU-2023:3172-1: An update that solves seven vulnerabilities, contains two features and has 25 fixes can now be installed.

Category: security (important)
Bug References: 1150305, 1193629, 1194869, 1207894, 1208788, 1211243, 1211867, 1212256, 1212301, 1212525, 1212846, 1212905, 1213059, 1213061, 1213205, 1213206, 1213226, 1213233, 1213245, 1213247, 1213252, 1213258, 1213259, 1213263, 1213264, 1213286, 1213493, 1213523, 1213524, 1213533, 1213543, 1213705
CVE References: CVE-2023-20593, CVE-2023-2985, CVE-2023-3117, CVE-2023-31248, CVE-2023-3390, CVE-2023-35001, CVE-2023-3812
Jira References: PED-4718, PED-4758
Sources used:
openSUSE Leap 15.5 (src): kernel-obs-qa-5.14.21-150500.55.12.1, kernel-source-5.14.21-150500.55.12.1, kernel-obs-build-5.14.21-150500.55.12.1, kernel-livepatch-SLE15-SP5_Update_2-1-150500.11.3.2, kernel-default-base-5.14.21-150500.55.12.1.150500.6.4.2, kernel-syms-5.14.21-150500.55.12.1
Basesystem Module 15-SP5 (src): kernel-source-5.14.21-150500.55.12.1, kernel-default-base-5.14.21-150500.55.12.1.150500.6.4.2
Development Tools Module 15-SP5 (src): kernel-obs-build-5.14.21-150500.55.12.1, kernel-source-5.14.21-150500.55.12.1, kernel-syms-5.14.21-150500.55.12.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5_Update_2-1-150500.11.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2023-08-03 09:41:02 UTC 
SUSE-SU-2023:3171-1: An update that solves seven vulnerabilities and has 70 fixes can now be installed.

Category: security (important)
Bug References: 1150305, 1193629, 1194869, 1207894, 1208788, 1210565, 1210584, 1210853, 1211243, 1211811, 1211867, 1212301, 1212846, 1212905, 1213010, 1213011, 1213012, 1213013, 1213014, 1213015, 1213016, 1213017, 1213018, 1213019, 1213020, 1213021, 1213024, 1213025, 1213032, 1213034, 1213035, 1213036, 1213037, 1213038, 1213039, 1213040, 1213041, 1213059, 1213061, 1213087, 1213088, 1213089, 1213090, 1213092, 1213093, 1213094, 1213095, 1213096, 1213098, 1213099, 1213100, 1213102, 1213103, 1213104, 1213105, 1213106, 1213107, 1213108, 1213109, 1213110, 1213111, 1213112, 1213113, 1213114, 1213134, 1213245, 1213247, 1213252, 1213258, 1213259, 1213263, 1213264, 1213286, 1213523, 1213524, 1213543, 1213705
CVE References: CVE-2023-20593, CVE-2023-2985, CVE-2023-3117, CVE-2023-31248, CVE-2023-3390, CVE-2023-35001, CVE-2023-3812
Sources used:
openSUSE Leap 15.4 (src): kernel-source-5.14.21-150400.24.74.1, kernel-syms-5.14.21-150400.24.74.1, kernel-livepatch-SLE15-SP4_Update_15-1-150400.9.3.3, kernel-obs-qa-5.14.21-150400.24.74.1, kernel-default-base-5.14.21-150400.24.74.1.150400.24.33.3, kernel-obs-build-5.14.21-150400.24.74.1
openSUSE Leap Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.74.1.150400.24.33.3
openSUSE Leap Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.74.1.150400.24.33.3
SUSE Linux Enterprise Micro for Rancher 5.3 (src): kernel-default-base-5.14.21-150400.24.74.1.150400.24.33.3
SUSE Linux Enterprise Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.74.1.150400.24.33.3
SUSE Linux Enterprise Micro for Rancher 5.4 (src): kernel-default-base-5.14.21-150400.24.74.1.150400.24.33.3
SUSE Linux Enterprise Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.74.1.150400.24.33.3
Basesystem Module 15-SP4 (src): kernel-source-5.14.21-150400.24.74.1, kernel-default-base-5.14.21-150400.24.74.1.150400.24.33.3
Development Tools Module 15-SP4 (src): kernel-syms-5.14.21-150400.24.74.1, kernel-source-5.14.21-150400.24.74.1, kernel-obs-build-5.14.21-150400.24.74.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4_Update_15-1-150400.9.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2023-08-03 20:30:22 UTC 
SUSE-SU-2023:3182-1: An update that solves nine vulnerabilities, contains one feature and has 70 fixes can now be installed.

Category: security (important)
Bug References: 1150305, 1193629, 1194869, 1207894, 1208788, 1210565, 1210584, 1210853, 1211243, 1211811, 1211867, 1212301, 1212846, 1212905, 1213010, 1213011, 1213012, 1213013, 1213014, 1213015, 1213016, 1213017, 1213018, 1213019, 1213020, 1213021, 1213024, 1213025, 1213032, 1213034, 1213035, 1213036, 1213037, 1213038, 1213039, 1213040, 1213041, 1213059, 1213061, 1213087, 1213088, 1213089, 1213090, 1213092, 1213093, 1213094, 1213095, 1213096, 1213098, 1213099, 1213100, 1213102, 1213103, 1213104, 1213105, 1213106, 1213107, 1213108, 1213109, 1213110, 1213111, 1213112, 1213113, 1213114, 1213134, 1213245, 1213247, 1213252, 1213258, 1213259, 1213263, 1213264, 1213286, 1213523, 1213524, 1213543, 1213585, 1213586, 1213705
CVE References: CVE-2023-20593, CVE-2023-2985, CVE-2023-3117, CVE-2023-31248, CVE-2023-3390, CVE-2023-35001, CVE-2023-3609, CVE-2023-3611, CVE-2023-3812
Jira References: PED-4758
Sources used:
openSUSE Leap 15.4 (src): kernel-source-azure-5.14.21-150400.14.60.1, kernel-syms-azure-5.14.21-150400.14.60.1
Public Cloud Module 15-SP4 (src): kernel-source-azure-5.14.21-150400.14.60.1, kernel-syms-azure-5.14.21-150400.14.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2023-08-03 20:30:39 UTC 
SUSE-SU-2023:3180-1: An update that solves seven vulnerabilities, contains two features and has 26 fixes can now be installed.

Category: security (important)
Bug References: 1150305, 1193629, 1194869, 1207894, 1208788, 1211243, 1211867, 1212256, 1212301, 1212525, 1212846, 1212905, 1213059, 1213061, 1213205, 1213206, 1213226, 1213233, 1213245, 1213247, 1213252, 1213258, 1213259, 1213263, 1213264, 1213286, 1213311, 1213493, 1213523, 1213524, 1213533, 1213543, 1213705
CVE References: CVE-2023-20593, CVE-2023-2985, CVE-2023-3117, CVE-2023-31248, CVE-2023-3390, CVE-2023-35001, CVE-2023-3812
Jira References: PED-4718, PED-4758
Sources used:
openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.11.1, kernel-syms-azure-5.14.21-150500.33.11.1
Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.11.1, kernel-syms-azure-5.14.21-150500.33.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Maintenance Automation 2023-08-14 08:30:22 UTC 
SUSE-SU-2023:3302-1: An update that solves 28 vulnerabilities, contains two features and has 115 fixes can now be installed.

Category: security (important)
Bug References: 1150305, 1187829, 1193629, 1194869, 1206418, 1207129, 1207894, 1207948, 1208788, 1210335, 1210565, 1210584, 1210627, 1210780, 1210825, 1210853, 1211014, 1211131, 1211243, 1211738, 1211811, 1211867, 1212051, 1212256, 1212265, 1212301, 1212445, 1212456, 1212502, 1212525, 1212603, 1212604, 1212685, 1212766, 1212835, 1212838, 1212842, 1212846, 1212848, 1212861, 1212869, 1212892, 1212901, 1212905, 1212961, 1213010, 1213011, 1213012, 1213013, 1213014, 1213015, 1213016, 1213017, 1213018, 1213019, 1213020, 1213021, 1213024, 1213025, 1213032, 1213034, 1213035, 1213036, 1213037, 1213038, 1213039, 1213040, 1213041, 1213059, 1213061, 1213087, 1213088, 1213089, 1213090, 1213092, 1213093, 1213094, 1213095, 1213096, 1213098, 1213099, 1213100, 1213102, 1213103, 1213104, 1213105, 1213106, 1213107, 1213108, 1213109, 1213110, 1213111, 1213112, 1213113, 1213114, 1213116, 1213134, 1213167, 1213205, 1213206, 1213226, 1213233, 1213245, 1213247, 1213252, 1213258, 1213259, 1213263, 1213264, 1213272, 1213286, 1213287, 1213304, 1213417, 1213493, 1213523, 1213524, 1213533, 1213543, 1213578, 1213585, 1213586, 1213588, 1213601, 1213620, 1213632, 1213653, 1213705, 1213713, 1213715, 1213747, 1213756, 1213759, 1213777, 1213810, 1213812, 1213856, 1213857, 1213863, 1213867, 1213870, 1213871, 1213872
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-1829, CVE-2023-20569, CVE-2023-20593, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-2430, CVE-2023-2985, CVE-2023-3090, CVE-2023-31083, CVE-2023-3111, CVE-2023-3117, CVE-2023-31248, CVE-2023-3212, CVE-2023-3268, CVE-2023-3389, CVE-2023-3390, CVE-2023-35001, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-3812, CVE-2023-38409, CVE-2023-3863, CVE-2023-4004
Jira References: PED-4718, PED-4758
Sources used:
openSUSE Leap 15.5 (src): kernel-livepatch-SLE15-SP5-RT_Update_3-1-150500.11.5.1, kernel-syms-rt-5.14.21-150500.13.11.1, kernel-source-rt-5.14.21-150500.13.11.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5-RT_Update_3-1-150500.11.5.1
SUSE Real Time Module 15-SP5 (src): kernel-syms-rt-5.14.21-150500.13.11.1, kernel-source-rt-5.14.21-150500.13.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Maintenance Automation 2023-08-15 12:30:16 UTC 
SUSE-SU-2023:3318-1: An update that solves 20 vulnerabilities and has 89 fixes can now be installed.

Category: security (important)
Bug References: 1150305, 1193629, 1194869, 1206418, 1207129, 1207894, 1208788, 1210565, 1210584, 1210627, 1210780, 1210853, 1211131, 1211243, 1211738, 1211811, 1211867, 1212301, 1212502, 1212604, 1212846, 1212901, 1212905, 1213010, 1213011, 1213012, 1213013, 1213014, 1213015, 1213016, 1213017, 1213018, 1213019, 1213020, 1213021, 1213024, 1213025, 1213032, 1213034, 1213035, 1213036, 1213037, 1213038, 1213039, 1213040, 1213041, 1213059, 1213061, 1213087, 1213088, 1213089, 1213090, 1213092, 1213093, 1213094, 1213095, 1213096, 1213098, 1213099, 1213100, 1213102, 1213103, 1213104, 1213105, 1213106, 1213107, 1213108, 1213109, 1213110, 1213111, 1213112, 1213113, 1213114, 1213134, 1213167, 1213245, 1213247, 1213252, 1213258, 1213259, 1213263, 1213264, 1213272, 1213286, 1213287, 1213304, 1213523, 1213524, 1213543, 1213585, 1213586, 1213588, 1213620, 1213653, 1213705, 1213713, 1213715, 1213747, 1213756, 1213759, 1213777, 1213810, 1213812, 1213856, 1213857, 1213863, 1213867, 1213870, 1213871
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-20569, CVE-2023-20593, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-2985, CVE-2023-31083, CVE-2023-3117, CVE-2023-31248, CVE-2023-3268, CVE-2023-3390, CVE-2023-35001, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-3812, CVE-2023-4004
Sources used:
openSUSE Leap 15.4 (src): kernel-syms-rt-5.14.21-150400.15.46.1, kernel-source-rt-5.14.21-150400.15.46.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_11-1-150400.1.5.1
SUSE Real Time Module 15-SP4 (src): kernel-syms-rt-5.14.21-150400.15.46.1, kernel-source-rt-5.14.21-150400.15.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Maintenance Automation 2023-08-23 16:30:27 UTC 
SUSE-SU-2023:3391-1: An update that solves 15 vulnerabilities, contains one feature and has nine fixes can now be installed.

Category: security (important)
Bug References: 1199304, 1206418, 1207270, 1210584, 1211131, 1211738, 1211867, 1212301, 1212741, 1212835, 1212846, 1213059, 1213061, 1213167, 1213245, 1213286, 1213287, 1213354, 1213543, 1213585, 1213586, 1213588, 1213653, 1213868
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-20569, CVE-2023-20593, CVE-2023-2156, CVE-2023-2985, CVE-2023-3117, CVE-2023-31248, CVE-2023-3390, CVE-2023-35001, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-3812
Jira References: PED-4567
Sources used:
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_35-1-150300.7.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): kernel-obs-build-5.3.18-150300.59.130.1, kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1, kernel-source-5.3.18-150300.59.130.1, kernel-syms-5.3.18-150300.59.130.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-obs-build-5.3.18-150300.59.130.1, kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1, kernel-source-5.3.18-150300.59.130.1, kernel-syms-5.3.18-150300.59.130.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-obs-build-5.3.18-150300.59.130.1, kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1, kernel-source-5.3.18-150300.59.130.1, kernel-syms-5.3.18-150300.59.130.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-obs-build-5.3.18-150300.59.130.1, kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1, kernel-source-5.3.18-150300.59.130.1, kernel-syms-5.3.18-150300.59.130.1
SUSE Manager Proxy 4.2 (src): kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1, kernel-source-5.3.18-150300.59.130.1
SUSE Manager Retail Branch Server 4.2 (src): kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1, kernel-source-5.3.18-150300.59.130.1
SUSE Manager Server 4.2 (src): kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1, kernel-source-5.3.18-150300.59.130.1
SUSE Enterprise Storage 7.1 (src): kernel-obs-build-5.3.18-150300.59.130.1, kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1, kernel-source-5.3.18-150300.59.130.1, kernel-syms-5.3.18-150300.59.130.1
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.130.1.150300.18.76.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Maintenance Automation 2023-08-24 12:31:10 UTC 
SUSE-SU-2023:3421-1: An update that solves 15 vulnerabilities, contains one feature and has nine fixes can now be installed.

Category: security (important)
Bug References: 1199304, 1206418, 1207270, 1210584, 1211131, 1211738, 1211867, 1212301, 1212741, 1212835, 1212846, 1213059, 1213061, 1213167, 1213245, 1213286, 1213287, 1213354, 1213543, 1213585, 1213586, 1213588, 1213653, 1213868
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-20569, CVE-2023-20593, CVE-2023-2156, CVE-2023-2985, CVE-2023-3117, CVE-2023-31248, CVE-2023-3390, CVE-2023-35001, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-3812
Jira References: PED-4567
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.