A critical remote denial of service (DoS) vulnerability has been discovered in the Linux kernel's Transparent Inter-Process Communication (TIPC) kernel module. The identifier for this vulnerability is CVE-2023-1390. This vulnerability allows an attacker to remotely crash a targeted system, making it unavailable for its users. In this post, we will provide details about this vulnerability, its potential impacts, and recommendations on how to mitigate it.

Exploit Details

The vulnerability is present in the tipc_link_xmit() function, which is responsible for processing and sending messages within the TIPC module. The issue occurs when the while loop in this function hits an undefined state while attempting to parse socket buffers (SKBs) that are not in the queue.

An attacker can exploit this vulnerability by sending two specially crafted small User Datagram Protocol (UDP) packets to a Linux system with an active UDP bearer. This will result in an instant spike in CPU utilization to 100%, causing the system to become unresponsive and triggering a denial of service condition.

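The following code snippet depicts the problematic while loop:

    while (skb_queue_len(&orig_queue)) {
        /* Inspect the buffer at the head of the queue. */
        msg = buf_msg(skb_peek(&orig_queue));
        /* Stop at the first buffer whose origin node is this node. */
        if (msg_orignode(msg) == tipc_own_addr)
            break;
        /* Otherwise remove the head buffer from the queue. */
        __skb_unlink(skb_peek(&orig_queue), &orig_queue);
    }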

In the above code, the while loop iterates over the orig_queue of SKBs. It only terminates when an SKB with an origin node equal to the TIPC address of the local machine (tipc_own_addr) is found. If none of the SKBs in the queue have the required origin node, the while loop enters a never-ending cycle, causing the denial of service condition.

Original References

The vulnerability was discovered by researchers from the security firm FuzzySecurity. They have published a detailed analysis of the issue and provided a proof of concept to exploit the vulnerability. The complete analysis, including the proof of concept, can be found here: FuzzySecurity - CVE-2023-1390 Analysis & PoC

To protect your Linux systems from this vulnerability, we recommend the following steps:

1. Apply available patches: The Linux kernel project has released a patch to address this vulnerability. Make sure to update your Linux kernel to the latest version, specifically one that includes the patch for CVE-2023-1390. For more information about the patch, please visit the following link: Linux Kernel Patch for CVE-2023-1390

2. Disable the TIPC module: If your systems do not require TIPC functionality, you can consider disabling the TIPC module to eliminate the risk associated with this vulnerability. To disable the module, add the following line to your /etc/modprobe.d/blacklist.conf file:

blacklist tipc

After adding the line, reboot your system for the change to take effect.

3. Limit access to UDP services: Configure your firewall rules to restrict incoming UDP traffic to your systems, thus preventing attackers from exploiting the vulnerability. However, this may not be a viable solution for all environments, especially those that rely on UDP for legitimate communication.

4. Monitor system resources: Regularly monitor your systems for unusual spikes in CPU usage or other signs of potential denial of service attacks.
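
To check steps 2 and 3 on a host, the following script (an added example, not taken from the original advisory or the kernel project) reports whether tipc is loaded, whether a UDP bearer is enabled, and how modprobe.d blocks the module. A blacklist entry only stops alias-based autoloading, while an install override also makes an explicit modprobe fail. The function names and the "<media>:<name>" output format assumed for `tipc bearer list` are this example's own assumptions.

```shell
#!/bin/sh
# Added example: report a host's TIPC state for the mitigation steps above.
# Assumption: `tipc bearer list` (iproute2) prints one "<media>:<name>" per line.

# Succeeds if tipc is listed in a /proc/modules-format file.
tipc_loaded() {
    grep -qs '^tipc ' "${1:-/proc/modules}"
}

# Prints how modprobe.d blocks tipc: install, blacklist or none.
# "blacklist" only stops alias-based autoloading; an "install" override
# also makes an explicit `modprobe tipc` fail.
tipc_block_state() {
    dir="${1:-/etc/modprobe.d}"
    sp='[[:space:]]'
    if grep -Eqs "^$sp*install$sp+tipc$sp+/bin/(false|true)" "$dir"/*.conf; then
        echo install
    elif grep -Eqs "^$sp*blacklist$sp+tipc$sp*\$" "$dir"/*.conf; then
        echo blacklist
    else
        echo none
    fi
}

# Reads bearer names on stdin; succeeds if any uses the UDP media type,
# which is the precondition the advisory names for this CVE.
udp_bearer_present() {
    grep -q '^udp:'
}

# Combines the checks into one verdict line.
# Args: modules file, modprobe.d directory, bearer list text.
tipc_verdict() {
    if ! tipc_loaded "$1"; then
        echo "not loaded: modprobe.d block=$(tipc_block_state "$2")"
    elif printf '%s\n' "$3" | udp_bearer_present; then
        echo "loaded: UDP bearer enabled"
    else
        echo "loaded: no UDP bearer"
    fi
}

# Live use on the local host; the bearer list is empty if the tool is absent.
tipc_verdict /proc/modules /etc/modprobe.d "$(tipc bearer list 2>/dev/null || true)"
```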

Conclusion

CVE-2023-1390 is a critical denial of service vulnerability in the Linux kernel's TIPC module. By exploiting this vulnerability, an attacker can cause targeted systems to become unresponsive and render them unavailable for users. It is crucial to apply the available patches, disable the TIPC module if not in use, and take necessary precautions to protect your Linux systems from this threat.

Timeline

Published on: 03/16/2023 21:15:00 UTC
Last modified on: 03/24/2023 15:00:00 UTC