Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-4015: kernel-source,kernel-source-azure,kernel-source-rt: netfilter: nf_tables use-after-free via nft_immediate_deactivate() | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Carlos López <carlos.lopez> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | chester.lin, denis.kirjanov, jlee, meissner, mkubecek, mpdesouza, rfrohl, security-team |
| Version: | unspecified | Flags: | mpdesouza: needinfo?(denis.kirjanov) |
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/377513/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-4015:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 1215106 | ||
Description
Carlos López
2023-09-07 07:09:32 UTC
Affected:
- SLE15-SP4

Already fixed:
- SLE15-SP6
- stable
- master

Hi Denis,

Because this CVE issue relates to net/netfilter subsystem. Could you please help to handle it? If this is not in your area, just reset bug assigner to kernel-bugs@suse.de. Kernel Security Sentinel will find other expert.

Thanks a lot!

Taken

SUSE-SU-2023:4345-1: An update that solves nine vulnerabilities and has 14 security fixes can now be installed.

Category: security (important)

Bug References: 1208788, 1210778, 1211307, 1212423, 1212649, 1213705, 1214842, 1215095, 1215104, 1215518, 1215745, 1215768, 1215860, 1215955, 1215986, 1216046, 1216051, 1216062, 1216345, 1216510, 1216511, 1216512, 1216621

CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39193, CVE-2023-45862, CVE-2023-46813, CVE-2023-5178

Sources used:
- openSUSE Leap 15.4 (src): kernel-syms-azure-5.14.21-150400.14.72.1, kernel-source-azure-5.14.21-150400.14.72.1
- Public Cloud Module 15-SP4 (src): kernel-syms-azure-5.14.21-150400.14.72.1, kernel-source-azure-5.14.21-150400.14.72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4378-1: An update that solves seven vulnerabilities and has 14 security fixes can now be installed.

Category: security (important)

Bug References: 1208788, 1210778, 1211307, 1212423, 1212649, 1213705, 1213772, 1214842, 1215095, 1215104, 1215518, 1215955, 1215956, 1215957, 1215986, 1216062, 1216345, 1216510, 1216511, 1216512, 1216621

CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39193, CVE-2023-5178

Sources used:
- openSUSE Leap 15.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2, kernel-source-5.14.21-150400.24.97.1, kernel-livepatch-SLE15-SP4_Update_20-1-150400.9.3.2, kernel-syms-5.14.21-150400.24.97.1, kernel-obs-qa-5.14.21-150400.24.97.1, kernel-obs-build-5.14.21-150400.24.97.1
- openSUSE Leap Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
- openSUSE Leap Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
- SUSE Linux Enterprise Micro for Rancher 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
- SUSE Linux Enterprise Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
- SUSE Linux Enterprise Micro for Rancher 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
- SUSE Linux Enterprise Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
- Basesystem Module 15-SP4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2, kernel-source-5.14.21-150400.24.97.1
- Development Tools Module 15-SP4 (src): kernel-syms-5.14.21-150400.24.97.1, kernel-source-5.14.21-150400.24.97.1, kernel-obs-build-5.14.21-150400.24.97.1
- SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4_Update_20-1-150400.9.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4375-1: An update that solves nine vulnerabilities and has 17 security fixes can now be installed.

Category: security (important)

Bug References: 1208788, 1211162, 1211307, 1212423, 1212649, 1213705, 1213772, 1214754, 1214874, 1215095, 1215104, 1215523, 1215545, 1215921, 1215955, 1215986, 1216062, 1216202, 1216322, 1216323, 1216324, 1216333, 1216345, 1216512, 1216621, 802154

CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39191, CVE-2023-39193, CVE-2023-46813, CVE-2023-5178

Sources used:
- SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5_Update_7-1-150500.11.5.1
- openSUSE Leap 15.5 (src): kernel-livepatch-SLE15-SP5_Update_7-1-150500.11.5.1, kernel-source-5.14.21-150500.55.36.1, kernel-obs-qa-5.14.21-150500.55.36.1, kernel-syms-5.14.21-150500.55.36.1, kernel-obs-build-5.14.21-150500.55.36.1, kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3
- SUSE Linux Enterprise Micro 5.5 (src): kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3
- Basesystem Module 15-SP5 (src): kernel-source-5.14.21-150500.55.36.1, kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3
- Development Tools Module 15-SP5 (src): kernel-source-5.14.21-150500.55.36.1, kernel-obs-build-5.14.21-150500.55.36.1, kernel-syms-5.14.21-150500.55.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4414-1: An update that solves 11 vulnerabilities and has 11 security fixes can now be installed.

Category: security (important)

Bug References: 1208788, 1211162, 1211307, 1212423, 1213705, 1213772, 1214754, 1214874, 1215104, 1215523, 1215545, 1215921, 1215955, 1215986, 1216062, 1216202, 1216322, 1216323, 1216324, 1216333, 1216345, 1216512

CVE References: CVE-2023-2163, CVE-2023-2860, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39191, CVE-2023-39193, CVE-2023-45862, CVE-2023-46813, CVE-2023-5178

Sources used:
- openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.23.1, kernel-syms-azure-5.14.21-150500.33.23.1
- Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.23.1, kernel-syms-azure-5.14.21-150500.33.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Denis,
I've prepared this LP on all our supported and affected LPs, and they lack the NFT_TRANS_PREPARE_ERROR state. So what I did was to only apply the changes to NFT_TRANS_PREPARE, and move on.
Nicolai argued that the fixes tag from the upstream bugfix points to 4bedf9eee016 ("netfilter: nf_tables: fix chain binding transaction logic"), but since it fixes the problem with PREPARE_ERROR maybe the fixes tag should be 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")?
Can you please clarify if the fix is needed on codestreams without 26b5a5712eb8?
Thanks!
I think so, yes, we need the following commit as well:
netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
Git-commit: 26b5a5712eb85e253724e56a54c17f8519bd8e4e

(In reply to Denis Kirjanov from comment #27)
> I think so, yes, we need the following commit as well:
> netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal
> with bound set/chain
> Git-commit: 26b5a5712eb85e253724e56a54c17f8519bd8e4e

Ok, this issue escaped me in the last few months. I would like to ask if we need to create a livepatch for codestreams that lack 2e62a61046da7d4cdca7e873427269552ce19d65, since this commit introduced the problem.

Thanks in advance

(In reply to Marcos de Souza from comment #28)
> (In reply to Denis Kirjanov from comment #27)
> > I think so, yes, we need the following commit as well:
> > netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal
> > with bound set/chain
> > Git-commit: 26b5a5712eb85e253724e56a54c17f8519bd8e4e
>
> Ok, this issue escaped me in the last few months. I would like to ask if we
> need to create a livepatch for codestreams that lack
> 2e62a61046da7d4cdca7e873427269552ce19d65, since this commit introduced the
> problem.
>
> Thanks in advance

Yes, it has the fixes tag:
Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE")

done, closing