Security researchers from SSD Secure Disclosure have identified a critical flaw in the Linux kernel’s Netfilter ipset subsystem. The issue lies in the bitmap_ip_uadt function within the net/netfilter/ipset/ip_set_bitmap_ip.c file, where insufficient validation occurs when processing CIDR-based IP ranges.

How ipset Works in Linux

The ipset subsystem is designed for high-performance packet filtering and works alongside iptables and nftables. It uses bitmap data structures to efficiently manage large sets of IPv4 addresses.

When users specify IP ranges using CIDR notation through the netfilter netlink interface, the vulnerable code path fails to verify whether the calculated IP range falls within the allocated bitmap boundaries.

The flaw arises in a specific scenario:

• The tb[IPSET_ATTR_CIDR] attribute is present

• The tb[IPSET_ATTR_IP_TO] attribute is missing

In this situation, the ip_set_mask_from_to function calculates new ip and ip_to values based on the CIDR mask. Unlike the explicit range case, however, no validation ensures that the resulting ip value does not underflow below map->first_ip.

Why This Vulnerability Matters

This oversight creates the possibility of integer underflow, which can lead to out-of-bounds array access. The problem becomes more severe because the calculated index is truncated from u32 to u16 during bitmap operations.

Although exploitation requires local access, no special privileges are needed. This makes the bug particularly dangerous in multi-user environments or containerized systems, where attackers may already have some level of access.

Through the netfilter netlink socket interface, attackers can send maliciously crafted ipset commands to trigger the vulnerable code path.

Exploitation Technique

To exploit the flaw, attackers carefully construct bitmap:ip set creation and addition operations with specific CIDR values. This allows them to perform controlled out-of-bounds writes beyond the allocated bitmap memory region.

The exploitation strategy involves:

1. Creating multiple bitmap:ip objects to build a predictable memory layout

2. Using the out-of-bounds write method to overwrite critical kernel data structures

A particularly dangerous technique involves modifying the members pointer of adjacent bitmap_ip objects. This transforms the limited out-of-bounds write into arbitrary memory write capabilities, opening the door for privilege escalation and kernel compromise.

Security Implications

Given its location in the Linux kernel networking stack, this vulnerability represents a serious security threat. Exploiting it could allow attackers to escalate privileges, compromise containerized workloads, or gain full control of a system.

System administrators and security professionals are advised to:

• Apply patches immediately once available from their distribution vendors

• Restrict local user access on production servers where possible

• Monitor kernel security advisories closely for updates on Netfilter and ipset