A recently discovered use-after-free vulnerability (CVE-2023-0461) in the Linux Kernel has the potential to be exploited in order to achieve local privilege escalation. This security flaw can be reached when the kernel configuration flags CONFIG_TLS or CONFIG_XFRM_ESPINTCP are configured, however, the operation does not necessitate any privileges. The vulnerability is related to the use-after-free bug of icsk_ulp_data in a struct inet_connection_sock.
To delve deeper into the issue, when CONFIG_TLS is enabled, a user can install a TLS context (struct tls_context) on a connected TCP socket. Once the socket is disconnected and then reused as a listener, the context is not cleared. If a new socket is created from the listener, it will inherit the context, resulting in a vulnerable state. It is also important to note that the setsockopt TCP_ULP operation does not require any privileges to be accessed.
The following code snippet demonstrates the vulnerability
// Installing the TLS context using setsockopt
int sockfd = socket(AF_INET, SOCK_STREAM, );
struct sockaddr_in serv_addr;
memset(&serv_addr, , sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(PORT);
serv_addr.sin_addr.s_addr = inet_addr("127...1");
connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
printf("Connected to server.\n");
// Enabling TLS
int optval = 1;
setsockopt(sockfd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls"));
setsockopt(sockfd, IPPROTO_TLS, TLS_SSLMODE, &optval, sizeof(optval));
// Reusing the socket as a listener
close(sockfd);
int listener = sockfd;
bind(listener, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
listen(listener, SOMAXCONN);
// Accepting a new connection from the listener
sockfd = accept(listener, NULL, NULL);
We strongly recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c to mitigate this vulnerability and improve the security and stability of the Linux Kernel.
For more details on the specific vulnerability, please refer to the original CVE-2023-0461 advisory. To learn more about the CONFIG_TLS flag, you can visit the Linux Kernel documentation. Additionally, you can find more information on the setsockopt functionality here.
It is strongly advised that all Linux users take the necessary steps to address this vulnerability and protect their systems from potential exploits involving local privilege escalation.
Timeline
Published on: 02/28/2023 15:15:00 UTC
Last modified on: 03/10/2023 04:57:00 UTC