Linux Kernel Netfilter nf_tables Chain Re-validation Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's netfilter component, specifically within the nf_tables subsystem. The issue lies in the chain validation process: when a ruleset is committed, nf_tables walks the entire graph of chains reachable through jump and goto rules, and it revalidates a chain every time a path reaches it, even when that chain has already been checked by way of another path. Because the number of paths can grow much faster than the number of chains, validation can run for so long that it triggers CPU soft lock-ups. The result is significant performance degradation from a single CPU core being monopolized by the validation walk.
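To make the algorithmic point concrete, here is a simplified model of chain-graph validation, written for this entry as an added example; it is not kernel code and does not reproduce the nf_tables data structures. The model represents each chain only by the chains its rules jump to, and it walks the graph two ways: a naive walk that revalidates a target chain on every jump, and a memoised walk that records a per-chain `validated` flag so each chain is checked at most once per table walk. The `MAX_DEPTH` recursion cap, the `struct chain` / `struct table` layout and the `build_ladder()` graph generator are all assumptions of the model. The constructed graph is a ladder of "diamonds", where each diamond doubles the number of distinct paths to the final chain, so the visit counts returned by the two walks show directly why revisiting already-validated chains is the defect and why memoisation bounds the work by the number of chains.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model limits: constructed for this example, not kernel constants. */
#define MAX_CHAINS 64
#define MAX_JUMPS  4
#define MAX_DEPTH  32   /* recursion cap so the naive walk always terminates */

/* One chain, reduced to the chains its rules jump to (assumed layout). */
struct chain {
    int  njumps;
    int  jump[MAX_JUMPS];   /* indices of jump/goto target chains */
    bool validated;         /* memo bit consulted by validate_once() */
};

struct table {
    int nchains;
    struct chain chain[MAX_CHAINS];
};

/* Naive walk: every jump revalidates its target chain, even when that chain
 * was already checked via another path. Returns the number of chain visits.
 * Chains at the depth cap are counted but not descended into. */
static uint64_t validate_naive(struct table *t, int c, int depth)
{
    uint64_t visits = 1;
    if (depth >= MAX_DEPTH)
        return visits;
    for (int i = 0; i < t->chain[c].njumps; i++)
        visits += validate_naive(t, t->chain[c].jump[i], depth + 1);
    return visits;
}

/* Memoised walk: a chain is validated at most once per table walk.
 * Returns the number of chain visits (0 if the start chain is already done). */
static uint64_t validate_once(struct table *t, int c)
{
    struct chain *ch = &t->chain[c];
    uint64_t visits = 1;
    if (ch->validated)
        return 0;
    ch->validated = true;   /* set before descending so a cycle cannot recurse */
    for (int i = 0; i < ch->njumps; i++)
        visits += validate_once(t, ch->jump[i]);
    return visits;
}

/* Clear the memo bits before a fresh walk of the same table. */
static void reset_validated(struct table *t)
{
    for (int i = 0; i < t->nchains; i++)
        t->chain[i].validated = false;
}

/* Constructed graph: chain 3j jumps to 3j+1 and 3j+2, both of which jump to
 * 3j+3. Each diamond doubles the number of distinct paths to the last chain,
 * so the naive walk does exponential work while the graph itself stays small.
 * Returns the number of chains built. */
static int build_ladder(struct table *t, int diamonds)
{
    memset(t, 0, sizeof(*t));
    t->nchains = 3 * diamonds + 1;
    for (int j = 0; j < diamonds; j++) {
        int top = 3 * j;
        t->chain[top].njumps = 2;
        t->chain[top].jump[0] = top + 1;
        t->chain[top].jump[1] = top + 2;
        t->chain[top + 1].njumps = 1;
        t->chain[top + 1].jump[0] = top + 3;
        t->chain[top + 2].njumps = 1;
        t->chain[top + 2].jump[0] = top + 3;
    }
    return t->nchains;
}

int main(void)
{
    struct table t;
    for (int d = 2; d <= 10; d += 4) {
        int n = build_ladder(&t, d);
        uint64_t naive = validate_naive(&t, 0, 0);
        reset_validated(&t);
        uint64_t once = validate_once(&t, 0);
        printf("%2d chains: naive walk = %5llu visits, memoised walk = %2llu visits\n",
               n, (unsigned long long)naive, (unsigned long long)once);
    }
    return 0;
}
```

With 10 diamonds (31 chains) the naive walk performs 4093 chain visits while the memoised walk performs 31, one per chain; adding diamonds doubles the naive count each time and adds only three to the memoised count. Setting the flag before descending is what keeps the memoised walk finite even if the graph contains a cycle, which is why the model does it that way rather than marking on the way back up.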

Impact

Exploitation of this vulnerability causes CPU soft lock-ups, in which a processor core stays busy in the validation walk and is unresponsive for an extended period; the kernel's soft-lockup watchdog reports such stalls in the kernel log. Normal system operation is disrupted, potentially leaving the host in a degraded or halted state.

Reproduction

To reproduce this vulnerability, create a set of nf_tables rules that cause the validation process to revisit the same chains multiple times. This can be done by setting up rules that jump between chains in a way that forces the validation process to recheck chains it has already validated, so that the walk effectively loops over the same chains. Monitor CPU usage to observe the soft lock-up behaviour, where a CPU core remains stuck for an extended period and is unable to process other tasks.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, in which this vulnerability has been addressed. Instructions for upgrading the kernel are provided in the documentation of the Linux distribution in use.

Added: Jan 23, 2026, 5:47 PM
Updated: Jan 23, 2026, 5:47 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  3.8
  remediation     7.7
  relevance       2.3
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.