Linux kernel NetFilter flaw gives attackers root privileges

Lakados ([H]F Junkie, joined Feb 3, 2014, 8,909 messages)
https://www.bleepingcomputer.com/ne...etfilter-flaw-gives-attackers-root-privileges

The security problem stems from Netfilter nf_tables accepting invalid updates to its configuration, allowing specific scenarios where invalid batch requests lead to the corruption of the subsystem's internal state.

Attackers still need access to the system as some form of user to start the exploit, so it's not a super viable attack method, but who knows what vectors they may have to get to that point?
Still expect updates to NetFilter in the near future.

May have a viable fix already pending approval:
https://git.kernel.org/pub/scm/linu.../?id=c1592a89942e9678f7d9c8030efa777c0d57edab
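As an added example (not part of the thread or the linked article), here is a small triage script for the "they need to be a user on the box first" point. Changing nf_tables state requires CAP_NET_ADMIN in the network namespace; on hosts where unprivileged user namespaces are allowed, any local user can unshare a user+network namespace and hold that capability there, which is the usual starting point for local nf_tables bugs. The script reads the real upstream knob `user.max_user_namespaces` and the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone`, probes namespace creation, and prints a verdict; the "exposed"/"restricted" labels and the function names are this script's own. Restricting user namespaces narrows who can reach nf_tables; it does not replace the kernel update linked above.

```shell
#!/bin/sh
# Added example, not from the thread: does an unprivileged local user on this
# host have a path to nf_tables? (precondition check, not a fix)

# Print the value of a sysctl, or nothing if the knob does not exist here.
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# Classify from the two knobs:
#   $1 user.max_user_namespaces         (upstream; 0 disables user namespaces)
#   $2 kernel.unprivileged_userns_clone (Debian/Ubuntu patch; 0 disables, "" if absent)
# Labels are this script's own convention.
classify_userns() {
    if [ "$1" = "0" ] || [ "$2" = "0" ]; then
        echo restricted
    else
        echo exposed
    fi
}

check_host() {
    max=$(read_sysctl user.max_user_namespaces)
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    echo "kernel: $(uname -r 2>/dev/null || echo unknown)"
    echo "user.max_user_namespaces=${max:-absent}"
    echo "kernel.unprivileged_userns_clone=${clone:-absent}"
    if grep -q '^nf_tables ' /proc/modules 2>/dev/null; then
        echo "nf_tables: loaded as a module"
    else
        echo "nf_tables: not in /proc/modules (built-in, or not present)"
    fi
    # Live probe as a non-root user: can we get our own user+net namespace?
    # If this succeeds, we hold CAP_NET_ADMIN inside it and can talk to nf_tables.
    if [ "$(id -u)" != "0" ] && command -v unshare >/dev/null 2>&1; then
        if unshare -Urn true 2>/dev/null; then
            echo "probe: unprivileged user+net namespace creation works"
        else
            echo "probe: unprivileged user+net namespace creation refused"
        fi
    fi
    echo "verdict: $(classify_userns "$max" "$clone")"
}

check_host
```

Run it as an ordinary (non-root) account, since that is the perspective that matters; a "restricted" verdict with a successful probe means some other mechanism (for example a container runtime or seccomp policy) is in play and the sysctls alone do not tell the whole story.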
 
Very few attacks go directly from 0 to full control. Almost all involve multiple steps along the way. A privilege escalation to root is very bad.

You can assume all the malware groups with armies of servers they've gotten onto but don't have full control will be going after this as quickly as possible to dig in deeper.
 
I'm not trying to downplay it, but it's not a drive-by situation; they have to already be in your house, so you have a whole whack load of problems and this is just the tip of the iceberg.
Bingo. You'd need an exploit to be able to leverage this exploit. So it's really not that big a deal as long as it gets patched. However, that's the issue: so many admins are inept and don't ever bother patching shit.
 
I don't know about inept... I can say personally that as a single admin I have to watch over 2000 devices, and because of budgets I don't get help, so if something gets missed, or I forget it, or it fails and I tell myself "I'll totally look at that on Tuesday and figure out why the update failed," then Tuesday rolls around and Accounting has a problem because <insert weird VPN problem here> and I forget about it, and then it probably doesn't get looked at until it becomes an imminent problem again. The whole out of sight, out of mind thing, and it is really easy to forget about the 12th VM you are running on that one server in that one stack in the back.
The reality is you have to assume they are already in and you are already vulnerable, and limit their ability to get anything out, because for every escalation exploit that gets reported there are probably 2 more in the wild nobody thought to look for.
I'm in the process of a full review right now, and the first thing we are doing is implementing strict inter-switch segregation, so even across the same VLAN 10.20.30.41 might only be able to talk to 10.20.30.42 on port 2080, and only if it is using a valid application signature for <whatever that protocol is>, and stuff like that.
Pain in the ass, but bad things are happening too fast and cleanup is too expensive.
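As an added example (not part of the thread), here is the host-side half of the segregation described above expressed as an nftables ruleset: default deny on the input hook even for same-VLAN peers, with a single allow rule for 10.20.30.41 opening tcp/2080 on the protected host (the .42 side). The addresses and port come from the post; the table and chain names, the /24 prefix and the log prefix are assumptions. The "valid application signature" condition is deliberately not expressed here, because plain nftables matches on L3/L4 fields and that part needs a DPI-capable firewall or an application proxy in the path. The script generates the ruleset, refuses the weak "policy accept" variant, and syntax-checks it with `nft -c` only when nft is installed and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the thread: generate and check a default-deny
# nftables ruleset for one host. Load with:  nft -f allowlist.nft

SRC_HOST="${SRC_HOST:-10.20.30.41}"     # peer allowed in (from the post)
DST_PORT="${DST_PORT:-2080}"            # service port (from the post)
SUBNET="${SUBNET:-10.20.30.0/24}"       # assumed VLAN prefix

# Emit the ruleset for the protected host (10.20.30.42 in the post).
emit_ruleset() {
    cat <<EOF
flush ruleset
table inet segmentation {
    chain input {
        # Default deny: same-VLAN peers get nothing unless a rule below says so.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The one allowed peer, the one allowed port, new connections only.
        ip saddr $SRC_HOST tcp dport $DST_PORT ct state new accept

        # Everything else from the VLAN: rate-limited log, then the chain policy drops it.
        ip saddr $SUBNET limit rate 5/minute log prefix "seg-drop: "
    }
}
EOF
}

# The weak setting is "policy accept" on the input chain; insist on drop.
ruleset_is_default_deny() {
    printf '%s\n' "$1" | grep -q 'policy drop;'
}

# Validate before loading: policy check, then nft's own parser if available.
check_ruleset() {
    rules="$1"
    if ! ruleset_is_default_deny "$rules"; then
        echo "ruleset is not default-deny, refusing" >&2
        return 1
    fi
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
        # -c checks validity without applying; -f - reads the ruleset from stdin.
        printf '%s\n' "$rules" | nft -c -f -
    else
        echo "nft not available as root; skipped syntax check" >&2
    fi
}

RULES=$(emit_ruleset)
check_ruleset "$RULES" && printf '%s\n' "$RULES"
```

The `inet` family table applies to both IPv4 and IPv6 traffic, so an IPv6 path to the same service is also covered by the drop policy rather than silently bypassing an `ip`-only table; the log line without a verdict lets the chain policy do the dropping, so the rate limit only caps the logging, not the enforcement.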
 
Exactly this. Defense in depth, and make no positive assumptions. I find the "admins" who brush these off as "no big deal because..." just as problematic as the ones who have delays in patching. As soon as their edge is penetrated, they're sunk, because their only line of defense is toast and they didn't bother thinking more than one step ahead.