CVE-2024-6284
📋 TL;DR
A byte order bug in the google/nftables Go library causes IP addresses to be encoded incorrectly when rules are built, so the rules installed in the kernel do not match the addresses the caller specified. Any software that uses the affected library version to manage nftables rules is affected, most visibly crowdsec-firewall-bouncer. The result is a firewall that silently does the wrong thing: traffic that should be blocked can pass, and legitimate traffic can be blocked.
💻 Affected Systems
- github.com/google/nftables library
- crowdsec-firewall-bouncer
- Any software using vulnerable nftables library
📦 What is this software?
github.com/google/nftables is a Go library for programming the Linux nftables firewall directly over netlink, without shelling out to the nft command. Tools such as crowdsec-firewall-bouncer use it to add and remove block rules at runtime.
⚠️ Risk & Real-World Impact
Worst Case
Rules meant to block malicious addresses match the wrong addresses, so traffic the firewall was supposed to stop reaches its target; rules meant to permit a service likewise match the wrong addresses and block it. Either can lead to network compromise or service disruption, and nothing fails loudly.
Likely Case
Some firewall rules behave unpredictably, causing either security gaps (allowing unwanted traffic) or operational issues (blocking legitimate connections).
If Mitigated
With network segmentation and defense in depth (for example a perimeter firewall that does not depend on this library), a wrong host rule exposes only the systems running the vulnerable software.
🎯 Exploit Status
No active exploitation step is needed. The defect is in the rules the vulnerable library installs, so traffic the operator intended to block (for example an address banned by crowdsec) is simply not matched and passes. An attacker needs no access to the host or its configuration and no authentication; they only benefit from the rule being wrong.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.2.0
Vendor Advisory: https://github.com/google/nftables/issues/225
Restart Required: Yes
Instructions:
1. Update go.mod to require github.com/google/nftables@v0.2.0 or later.
2. Run 'go mod tidy'.
3. Rebuild and redeploy affected applications.
4. Restart services using the updated library.
5. Regenerate and reload nftables rules.
🔧 Temporary Workarounds
Manual nftables rule verification
Platform: linux
Manually verify and correct IP address encoding in existing nftables rules. If the service using the vulnerable library keeps running it will re-add rules with the same wrong encoding, so stop it first or treat the correction as temporary. Note that nft flush ruleset removes every table, including rules owned by other tools, so export the full ruleset, correct it, and reload it as a whole:
nft list ruleset
nft flush ruleset
nft -f /path/to/corrected-rules.nft
🧯 If You Can't Patch
- Implement network segmentation to limit blast radius of misconfigured rules
- Deploy additional firewall layers (iptables, host-based firewalls) as compensating controls
🔍 How to Verify
Check if Vulnerable:
Check the require line in go.mod (or the entries in go.sum) for github.com/google/nftables at v0.1.0 or earlier. For a deployed binary, go version -m <binary> lists the module versions it was built with. For crowdsec-firewall-bouncer, versions below 0.0.28 are affected.
Check Version:
grep 'github.com/google/nftables' go.mod && nft --version
Verify Fix Applied:
Verify that go.mod requires github.com/google/nftables v0.2.0 or later and that the running binary was actually rebuilt against it (go version -m <binary>). Then install a rule for a known address and confirm two things: nft list ruleset prints exactly the address you specified, and a test connection from that address is matched as intended.
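The two checks just described (that the address bytes in a rule are what you specified, and that the listed address is the one the managing software was told to use) can be automated. The following Go program is an added example written for this page, not code from google/nftables or crowdsec-firewall-bouncer, and it uses only the standard library so it runs offline. It assumes that the symptom of a byte-order bug is the four IPv4 address bytes in flipped order, which is what a host-order/network-order mix-up produces on little-endian hardware; the intended address 203.0.113.7 and the sample rule payloads are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// EncodingCheck classifies the address bytes a rule actually carries
// against the address the operator intended.
type EncodingCheck int

const (
	EncodingCorrect  EncodingCheck = iota // bytes equal the address in network byte order
	EncodingReversed                      // bytes equal the address with its byte order flipped
	EncodingOther                         // bytes match neither: a different rule, or corruption
)

func (c EncodingCheck) String() string {
	switch c {
	case EncodingCorrect:
		return "correct"
	case EncodingReversed:
		return "reversed (byte-order bug)"
	}
	return "other"
}

// NetworkOrder is the wire encoding of an IPv4 address: the four bytes in the
// order they appear in the IP header, which is what an nftables payload match
// on ip saddr / ip daddr compares against.
func NetworkOrder(addr netip.Addr) [4]byte {
	return addr.As4()
}

// HostOrderLittleEndian shows what a byte-order mix-up produces on a
// little-endian host such as x86-64: the address is read as a uint32 in
// network order and written back in host order, which flips the four bytes.
func HostOrderLittleEndian(addr netip.Addr) [4]byte {
	a := addr.As4()
	v := binary.BigEndian.Uint32(a[:])
	var out [4]byte
	binary.LittleEndian.PutUint32(out[:], v)
	return out
}

// CheckRuleBytes compares the raw 4-byte comparison value found in an
// installed rule with the address that was meant to be matched. For a
// palindromic address (e.g. 10.0.0.10) both encodings coincide and the
// rule is reported as correct, which it is.
func CheckRuleBytes(intended netip.Addr, ruleData []byte) EncodingCheck {
	if !intended.Is4() || len(ruleData) != 4 {
		return EncodingOther
	}
	var got [4]byte
	copy(got[:], ruleData)
	switch got {
	case NetworkOrder(intended):
		return EncodingCorrect
	case HostOrderLittleEndian(intended):
		return EncodingReversed
	}
	return EncodingOther
}

// CheckRenderedAddress is the operator-level form of the same check:
// nft list ruleset renders whatever bytes the kernel holds, so comparing the
// address it prints with the address the managing software was told to use
// exposes a flipped encoding without touching netlink.
func CheckRenderedAddress(intended, rendered netip.Addr) EncodingCheck {
	if !rendered.Is4() {
		return EncodingOther
	}
	b := rendered.As4()
	return CheckRuleBytes(intended, b[:])
}

// AddressMatchedBy returns the address a rule carrying ruleData really matches,
// i.e. which host ends up blocked (or allowed) instead of the intended one.
func AddressMatchedBy(ruleData []byte) (netip.Addr, bool) {
	if len(ruleData) != 4 {
		return netip.Addr{}, false
	}
	var b [4]byte
	copy(b[:], ruleData)
	return netip.AddrFrom4(b), true
}

func main() {
	// Constructed sample: the bouncer was told to block 203.0.113.7, and these
	// are three rule payloads one might find in the installed ruleset.
	intended := netip.MustParseAddr("203.0.113.7")
	samples := []struct {
		label string
		data  []byte
	}{
		{"healthy rule", []byte{203, 0, 113, 7}},
		{"byte-swapped rule", []byte{7, 113, 0, 203}},
		{"unrelated rule", []byte{198, 51, 100, 1}},
	}
	for _, s := range samples {
		matched, _ := AddressMatchedBy(s.data)
		fmt.Printf("%-18s carries %-15s -> %s\n", s.label, matched, CheckRuleBytes(intended, s.data))
	}
	// What the operator sees: a constructed nft list ruleset line showing 7.113.0.203.
	seen := netip.MustParseAddr("7.113.0.203")
	fmt.Println("rendered", seen, "vs intended", intended, "->", CheckRenderedAddress(intended, seen))
}
```

In practice you feed CheckRenderedAddress with the address printed by nft list ruleset and the address from the bouncer's own log or decision list; a "reversed" result on a non-palindromic address is the signature to look for, whereas "other" usually means you are looking at a rule owned by something else.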
📡 Detection & Monitoring
Log Indicators:
- Unexpected network traffic patterns, in particular connections from addresses the bouncer or firewall manager reports as blocked
- Service connectivity issues for addresses that should be permitted
Note that this bug does not produce rule application errors: the rules install successfully, just with the wrong address, so absence of errors proves nothing.
Network Indicators:
- Traffic passing through unexpected ports or from supposedly banned sources
- Addresses in nft list ruleset that differ from the ones the managing software was told to block or allow
SIEM Query:
source="firewall" AND ("nftables" OR "crowdsec") AND (error OR failed OR unexpected)
🔗 References
- https://bugs.launchpad.net/ubuntu/+source/crowdsec-firewall-bouncer/+bug/2069596
- https://github.com/crowdsecurity/cs-firewall-bouncer/issues/368
- https://github.com/google/nftables/issues/225