Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netfilter component allows the number of flowtable hardware offload actions for IPv6 to exceed the supported maximum. The issue is present in the stable Linux kernel through version 6.4.0. It arises because the flowtable offload actions for Ethernet mangling, SNAT, DNAT, Double VLAN, and Redirect can add up to 17 actions, while the maximum supported is 16. This discrepancy can lead to improper handling of network traffic, potentially causing disruptions or unintended behavior in network communication.
Exploitation of this vulnerability can cause network traffic management issues, leading to improper handling of IPv6 flowtable actions. This could disrupt expected network behavior, especially in scenarios involving complex packet routing or manipulation.
The vulnerability can be reproduced by configuring netfilter to use hardware offload actions that exceed the maximum limit. This can be done by applying multiple actions, such as Ethernet mangling, SNAT, DNAT, Double VLAN, and Redirect, in a way that the total exceeds 16 actions. Once the configuration is applied, the flowtable will incorrectly process the actions, demonstrating the vulnerability.
Users can upgrade to a patched version of the Linux kernel that addresses this vulnerability. Instructions for upgrading can be found in the official Linux kernel documentation.