CVE-2023-35001

7.8 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's nftables subsystem allows local users with CAP_NET_ADMIN capability to trigger out-of-bounds read/write operations. It can lead to privilege escalation, denial of service, or information disclosure. Any Linux system using nftables with users having CAP_NET_ADMIN in any namespace is affected.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernel versions before specific fixes (varies by distribution)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires nftables support and users with CAP_NET_ADMIN capability in any namespace (including containers).

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via privilege escalation to root, allowing complete control over the system and potential lateral movement.

🟠

Likely Case

Kernel panic causing denial of service, or information disclosure through memory reads.

🟢

If Mitigated

Limited impact if CAP_NET_ADMIN is restricted and proper namespace isolation is enforced.

🌐 Internet-Facing: LOW - Requires local access with CAP_NET_ADMIN, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users with CAP_NET_ADMIN (including containers/namespaces) can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and CAP_NET_ADMIN capability. Proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by distribution - check vendor advisories

Vendor Advisory: https://www.kernel.org/

Restart Required: Yes

Instructions:

1. Check your distribution's security advisory.
2. Update the kernel package using your package manager.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Restrict CAP_NET_ADMIN

Remove the CAP_NET_ADMIN capability from non-privileged users and containers (note that setcap -r clears every file capability on the binary, not only cap_net_admin):

  setcap -r /path/to/binary
  docker run --cap-drop=NET_ADMIN ...

Disable nftables

Unload the nftables kernel module if it is not required:

  rmmod nf_tables
  echo 'blacklist nf_tables' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Strictly limit users and containers with CAP_NET_ADMIN capability
  • Implement network namespace isolation and monitor for suspicious nftables operations

🔍 How to Verify

Check if Vulnerable:

Check kernel version against your distribution's patched versions: uname -r

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version after update matches patched version from vendor advisory
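The following POSIX shell helpers are an added example, not part of this advisory or of the Linux kernel project, that turn the workaround and verification steps above into something you can run on a host: they decode the CapEff mask of every process in /proc to show who actually holds CAP_NET_ADMIN (including container processes, which are visible in the host's /proc), check whether nf_tables is currently loaded, and compare the running kernel against a patched version you supply from your vendor advisory. It assumes a Linux /proc layout; CAP_NET_ADMIN being capability number 12 comes from the kernel's include/uapi/linux/capability.h, and the sample masks in the comments (a full root set and a typical Docker default set) are constructed inputs. The version comparison only looks at the dotted numeric prefix, so distributions that backport fixes still need the advisory consulted by hand. One caveat on the blacklist workaround: a modprobe blacklist line stops alias-based autoloading only; blocking explicit loads needs an "install nf_tables /bin/false" line, which this script deliberately does not write.

```shell
#!/bin/sh
# Added example, not part of the advisory: read-only audit helpers for
# CVE-2023-35001 exposure. Assumes a Linux /proc layout; changes no state.

# CAP_NET_ADMIN is capability number 12 (include/uapi/linux/capability.h),
# i.e. bit 12 of the hex masks on the CapEff/CapBnd lines of /proc/<pid>/status.
CAP_NET_ADMIN_BIT=12

# has_cap_net_admin <hex-mask>: "yes" if bit 12 is set in a capability mask.
# Constructed samples: 000001ffffffffff (full root set) -> yes,
#                      00000000a80425fb (typical Docker default set) -> no.
has_cap_net_admin() {
  if [ $(( (0x$1 >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]; then
    echo yes
  else
    echo no
  fi
}

# nf_tables_loaded <modules-file>: "yes" if nf_tables is listed in a file with
# the /proc/modules layout (name size refcount deps state address).
nf_tables_loaded() {
  if grep -q '^nf_tables ' "$1"; then echo yes; else echo no; fi
}

# kernel_at_least <running> <patched>: "yes" when the dotted numeric prefix of
# the running version is >= that of the patched version from the vendor advisory.
# Suffixes such as -76-generic or +  are ignored; backports are NOT understood.
kernel_at_least() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo yes; return; fi
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo no; return; fi
  done
  echo yes
}

# list_net_admin_procs: print "pid name CapEff" for every live process whose
# effective set includes CAP_NET_ADMIN; container processes appear here too.
list_net_admin_procs() {
  for st in /proc/[0-9]*/status; do
    eff=$(awk '/^CapEff:/ { print $2 }' "$st" 2>/dev/null)
    [ -n "$eff" ] || continue          # process exited between glob and read
    if [ "$(has_cap_net_admin "$eff")" = yes ]; then
      pid=${st#/proc/}; pid=${pid%/status}
      name=$(awk '/^Name:/ { print $2 }' "$st" 2>/dev/null)
      echo "$pid $name $eff"
    fi
  done
}

# Full audit only when invoked as: sh audit.sh audit <patched-version-from-advisory>
# so the helpers can also be sourced into another script without side effects.
if [ "${1:-}" = audit ]; then
  running=$(uname -r)
  echo "running kernel: $running"
  echo "at or above patched version ${2:-<not given>}: $(kernel_at_least "$running" "${2:-0}")"
  echo "nf_tables loaded: $(nf_tables_loaded /proc/modules)"
  echo "processes holding CAP_NET_ADMIN (pid name CapEff):"
  list_net_admin_procs
fi
```

A host where nf_tables is loaded, the kernel sorts below the advisory version, and unexpected container or service processes appear in the CAP_NET_ADMIN list is the exposure this advisory describes; the listed pids are where to apply the cap-drop workaround first.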

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops/panic messages
  • Failed nftables rule operations
  • Unexpected nft command executions

Network Indicators:

  • None - local exploitation only

SIEM Query:

process.name="nft" AND user.capabilities contains "cap_net_admin"
