Linux Kernel Vulnerabilities: FUSE and nf_tables at Risk
A recent security report revealed that two components of the Linux kernel contain vulnerabilities that allow local attackers to escalate their privileges on target systems. A use-after-free vulnerability in the nf_tables module and a logic flaw in FUSE could enable unprivileged users to take control of a system with root privileges.
FUSE (Filesystem in Userspace) is an essential part of Linux, used to integrate non-Linux file systems like NTFS or UDF (DVDs) without requiring additional privileges. Researchers discovered a vulnerability in the interaction between the Linux kernel and FUSE when copying files.
The vulnerability primarily affects systems running kernel versions between 5.11 and 5.19 with FUSE installed, across different Linux distributions. Chinese security researcher “breeze chenaotian” discovered that the vulnerability occurred whenever the vulnerable function “kuid_has_mapping” improperly mapped user rights in various Linux kernel namespaces.
To assess the vulnerability, a test was conducted on a freshly installed Ubuntu VM, and the proof-of-concept exploit worked, allowing attackers to take control of the system with root privileges. The vulnerability, tracked as CVE-2023-0386, has a CVSS score of 7.8 and is considered high priority.
Additionally, NetApp products and Linux-based appliances, besides other distributions, are affected. While kernel packages for most Linux distributions have yet to be updated, Ubuntu has released a new kernel to address the issue.
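To triage a fleet against the kernel range given above for CVE-2023-0386, the following added shell example (not part of the original report) flags hosts whose kernel release falls in 5.11 through 5.19. The function names, the inclusive reading of the range and the sample inventory are assumptions made here; a hit is a prompt to check the vendor advisory, since distribution kernels can carry backported fixes.

```shell
#!/bin/sh
# Added triage helper; not from the original article.
# Assumption: "between 5.11 and 5.19" is treated as inclusive.
# A hit means "check the vendor advisory": distribution kernels can carry
# backported fixes without changing their major.minor version.

# Print "major minor" for a release such as "5.15.0-70-generic".
# Returns 1 if the string does not start with <digits>.<digits>.
kernel_major_minor() {
    rel=$1
    major=${rel%%.*}
    rest=${rel#*.}
    [ "$rest" != "$rel" ] || return 1          # no dot at all
    minor=${rest%%[!0-9]*}                     # digits up to first non-digit
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    echo "$major $minor"
}

# Exit status: 0 = in the article's range, 1 = outside it, 2 = unparseable.
in_cve_2023_0386_range() {
    mm=$(kernel_major_minor "$1") || return 2
    set -- $mm
    [ "$1" -eq 5 ] && [ "$2" -ge 11 ] && [ "$2" -le 19 ]
}

# Read "host release" lines on stdin; print one verdict per host.
triage_inventory() {
    while read -r host release; do
        [ -n "$host" ] || continue
        rc=0
        in_cve_2023_0386_range "$release" || rc=$?
        case $rc in
            0) echo "$host $release REVIEW" ;;
            1) echo "$host $release outside-range" ;;
            *) echo "$host $release UNKNOWN" ;;
        esac
    done
}

# Constructed sample inventory (hostnames and releases are made up).
SAMPLE_INVENTORY='web01 5.15.0-70-generic
db01 5.10.0-21-amd64
build01 6.3.1-arch1-1
edge01 5.19.17
old01 custom-kernel'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

For a single machine, pipe `echo "$(hostname) $(uname -r)"` into `triage_inventory` instead of the sample list.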
The second vulnerability occurs in nf_tables, is tracked as CVE-2023-32233, and was initially identified by a group of Polish security researchers. While an embargo until May 15th has been set to give Linux developers and distributions an opportunity to protect themselves, the researchers claim to have developed an exploit for it.
When manipulating the nf_tables configuration, consecutive operations could be processed incorrectly, leading to incorrect memory access (use after free). Remote attacks are impossible, meaning attackers need access to a user account on the target system. The vulnerability affects various Linux kernel versions, including the current stable kernel version 6.3.1.
The bug was patched via a kernel update on May 2nd, but many major Linux distributions have yet to release updated and secured kernel packages.
In conclusion, the vulnerabilities reinforce the need to prioritize software security, to keep systems and databases up to date, and to continue prioritizing security research that identifies existing and potential vulnerabilities.