Notselwyn / CVE-2024-1086

Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images.
https://pwning.tech/nftables
MIT License

is nftables insecure #5

Closed KPCOFGS closed 5 months ago

KPCOFGS commented 5 months ago

In the blog post, there is this paragraph: "This allows users to program complex firewall rules, because nftables has many atomic expressions which can be chained together in rules to filter packets. Additionally, it allows chains to be ran at different times in the packet processing code (i.e. before routing and after routing) which can be selected when creating a chain using flags like NF_INET_LOCAL_IN and NF_INET_POST_ROUTING. Due to this extremely customizable nature, nftables is known to be incredibly insecure. Hence, many vulnerabilities have been reported and have been fixed already."

Wait, nftables is insecure? I did some research on the internet and I do see more positive views of nftables than not. I'm using Linux; should I basically do a purge on that package?

Notselwyn commented 5 months ago

Plenty of bugs have been found in nf_tables (the kernel module). Hence, this allows for privilege escalation. Considering nftables is an important backend for iptables and therefore ufw, disabling it has quite a few consequences.

I would simply disable unprivileged user namespaces, as this would make nf_tables untouchable for anybody but root. However, when doing this, note that certain tools like Docker may rely on namespaces, and may therefore break. Hence, I would only do this on important systems which may be a target for hackers.
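As an added example that is not part of the repository or this thread: a read-only Python audit of the mitigation Notselwyn suggests, checking whether unprivileged user namespaces are restricted on the host and whether nf_tables is currently loaded. The sysctl paths are real kernel and distribution knobs, but which of them exist depends on the kernel, and the verdict logic is this example's own simplification.

```python
# Kernel knobs that gate user-namespace creation by unprivileged users, as exposed
# under /proc/sys (a missing file means this kernel does not have the knob):
#   user.max_user_namespaces                      upstream; 0 forbids creating any user namespace
#   kernel.unprivileged_userns_clone              Debian/Ubuntu patch; 0 forbids unprivileged creation
#   kernel.apparmor_restrict_unprivileged_userns  Ubuntu 23.10+; 1 denies creation to unconfined
#                                                 processes unless an AppArmor profile allows it
KNOB_PATHS = {
    "max_user_namespaces": "/proc/sys/user/max_user_namespaces",
    "unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    "apparmor_restrict": "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
}


def read_knob(path):
    """Integer value of a /proc/sys file, or None when the knob does not exist here."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def userns_restricted(max_user_namespaces, unprivileged_userns_clone, apparmor_restrict):
    """True when at least one knob stops an unprivileged user from entering a user
    namespace, which is the route to the CAP_NET_ADMIN needed to talk to nf_tables.
    None means the knob is absent and therefore cannot restrict anything."""
    return (max_user_namespaces == 0
            or unprivileged_userns_clone == 0
            or apparmor_restrict == 1)


def nf_tables_loaded(modules_text):
    """Whether nf_tables appears in /proc/modules text. Informational only: the module
    may be built in or autoloaded on demand, so 'not loaded' is not 'unreachable'."""
    return any(line.split()[0] == "nf_tables"
               for line in modules_text.splitlines() if line.strip())


def audit():
    """Collect live values and a verdict; read-only, never changes any setting."""
    knobs = {name: read_knob(path) for name, path in KNOB_PATHS.items()}
    try:
        with open("/proc/modules") as fh:
            modules = fh.read()
    except OSError:
        modules = ""
    return {"knobs": knobs,
            "userns_restricted": userns_restricted(**knobs),
            "nf_tables_loaded": nf_tables_loaded(modules)}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

A result of `userns_restricted: False` with nf_tables loaded means any local user can reach the vulnerable subsystem; the Docker caveat from the comment above applies before flipping a knob.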