Linux Kernel Netfilter CTNetlink Helper Validation Vulnerability Allows Kernel Memory Read

Vulnerability

A vulnerability in the Linux kernel's netfilter component can lead to an out-of-bounds memory read. The issue arises in the conntrack netlink (ctnetlink) handling, where user-specified helpers for expectations are incorrectly validated. The vulnerability allows reading kernel memory beyond the expected boundaries, potentially leading to information disclosure or other impacts. It was discovered during validation of expectation classes: a user-provided helper that differs from the master conntrack's helper caused a slab-out-of-bounds error, allowing unauthorized memory access.

Impact

Exploitation of this vulnerability can read arbitrary kernel memory, bypassing normal access controls and potentially leading to further exploitation or information disclosure.

Reproduction

To reproduce this vulnerability, attach to a connection-tracking expectation a user-defined conntrack helper that differs from the master conntrack's helper. This can be done through the netlink interface used to manipulate conntrack expectations. The vulnerability manifests as a kernel memory read error reported as a slab-out-of-bounds access.

Remediation

Users can update to the latest stable version of the Linux kernel, where this vulnerability has been fixed.

Added: May 1, 2026, 3:47 PM
Updated: May 1, 2026, 3:47 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.