Notselwyn/CVE-2024-1086

Is nftables insecure?

KPCOFGS opened this issue · 1 comment

In the blog post, there is this paragraph: "This allows users to program complex firewall rules, because nftables has many atomic expressions which can be chained together in rules to filter packets. Additionally, it allows chains to be run at different times in the packet processing code (i.e. before routing and after routing) which can be selected when creating a chain using flags like NF_INET_LOCAL_IN and NF_INET_POST_ROUTING. Due to this extremely customizable nature, nftables is known to be incredibly insecure. Hence, many vulnerabilities have been reported and have been fixed already."

Wait, nftables is insecure? I did some research on the internet and I see more positive views of nftables than not. I'm using Linux; should I basically purge that package?

Plenty of bugs have been found in nf_tables (the kernel module). Hence, this allows for privilege escalation. Considering nftables is an important backend for iptables and therefore ufw, disabling it has quite a few consequences.

I would simply disable unprivileged user namespaces, as this would make nf_tables untouchable for anybody but root. However, when doing this, note that certain tools like Docker may rely on namespaces and may therefore break. Hence, I would only do this on important systems which may be a target for hackers.
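The check and the sysctl hardening the reply above describes, as an added example that is not part of this issue or of the repository's code. It assumes a Linux host with the upstream sysctl user.max_user_namespaces (kernel 4.9 and later) and, on Debian and Ubuntu kernels, the distro-specific kernel.unprivileged_userns_clone; the live test assumes util-linux's unshare is installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example, not code from the issue or from the CVE-2024-1086 repository.
# Two sysctls decide whether an unprivileged user can enter a user namespace
# (and from there gain CAP_NET_ADMIN in a network namespace, which is what
# exposes nf_tables to a local user):
#   user.max_user_namespaces          upstream; 0 = no new user namespaces for anyone
#   kernel.unprivileged_userns_clone  Debian/Ubuntu patch; 0 = only root may create them
# The second file is absent on most non-Debian kernels; that is treated as "not set".

# userns_verdict MAX_USERNS CLONE_FLAG
# Prints "restricted" (exit 0) when unprivileged users cannot create user
# namespaces, "unrestricted" (exit 1) otherwise. Pure function over the two
# values so it can be exercised without root or /proc.
userns_verdict() {
  max_userns=$1
  clone_flag=$2
  case "$max_userns" in
    0) echo restricted; return 0 ;;
  esac
  case "$clone_flag" in
    0) echo restricted; return 0 ;;
  esac
  echo unrestricted
  return 1
}

# read_sysctl PATH: prints the value, or nothing if the file is absent/unreadable.
read_sysctl() {
  if [ -r "$1" ]; then cat "$1"; else printf ''; fi
}

# current_userns_verdict: applies the verdict to this host's live values.
current_userns_verdict() {
  userns_verdict "$(read_sysctl /proc/sys/user/max_user_namespaces)" \
                 "$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)"
}

# hardening_conf: prints a sysctl.d fragment for this host. The Debian knob is
# preferred when present because root can still create namespaces (the Docker
# daemon runs as root, so it keeps working); the upstream knob is the fallback,
# but note that max_user_namespaces = 0 also stops root, so rootless containers,
# Flatpak and browser sandboxes that rely on user namespaces will fail.
hardening_conf() {
  if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
    echo "kernel.unprivileged_userns_clone = 0"
  else
    echo "user.max_user_namespaces = 0"
  fi
}

# live_test: actually tries to enter a user namespace as the current user.
# Prints "blocked" if the kernel refuses, "open" if it succeeds, "skipped" if
# unshare is not available. Run this as a non-root user to confirm the setting.
live_test() {
  if ! command -v unshare >/dev/null 2>&1; then echo skipped; return 0; fi
  if unshare -U true 2>/dev/null; then echo open; else echo blocked; fi
}

# Usage (as root), then re-run live_test as an ordinary user:
#   hardening_conf > /etc/sysctl.d/99-userns.conf && sysctl --system
```

Ubuntu 24.04 adds a third knob, kernel.apparmor_restrict_unprivileged_userns, which this example does not read; on such hosts `live_test` run as a normal user is the more reliable check than reading the two sysctls alone.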