A heap out-of-bounds write vulnerability, identified as CVE-2023-3090, has been discovered in the Linux Kernel IPvlan network driver. This vulnerability can be exploited to achieve local privilege escalation through the affected kernel module. In this post, we discuss the details of this vulnerability, how it can be exploited, and the recommended solution to mitigate this security risk.

Vulnerability Details

The Linux Kernel IPvlan network driver is part of the Linux kernel and is used to provide a virtual network interface, allowing developers to segment a Layer 2 network into multiple, isolated Layer 3 networks. This driver is configured through the CONFIG_IPVLAN kernel option.

The vulnerability is caused by improper initialization of the control buffer of an skb (socket buffer) data structure in the IPvlan driver code. Specifically, the skb->cb buffer is not cleared before the driver interprets it, so stale data left there by an earlier layer is reused and leads to a heap out-of-bounds write when the IPvlan driver processes the skb.

Here is the relevant code snippet:

static int ipvlan_v6_do_xmit(struct sk_buff *skb, struct net_device *dev)
{
    ...
    if (skb_network_offset(skb) < 0 || skb_network_offset(skb) + ETH_HLEN > skb->len) {
        ERR_PTR(-EINVAL);
        goto drop;
    }

    /* Missing skb->cb initialization here: stale control-buffer contents are reused */
    ...
    skb->dev = phys_dev;
    skb->protocol = htons(ETH_P_IPV6);
}

Exploit Details

An attacker with local access to a system can exploit this vulnerability to escalate their privileges and execute arbitrary code in kernel space. An essential component of such an exploit is crafting a malicious skb data structure that triggers an out-of-bounds access when the IPvlan driver processes it.

References

To see the original report on this vulnerability and the relevant discussions, please refer to the following links:

1. Original report: [link to the original disclosure/report of the vulnerability]

Mitigation

To mitigate this vulnerability, you should update the vulnerable kernel driver to a version that contains a fix for this issue. The patch for this vulnerability was merged into the kernel source code in commit 90cbed5247439a966b645b34eba2e037836ea8e.

In the fixed code, the missing skb->cb initialization has been added:

static int ipvlan_v6_do_xmit(struct sk_buff *skb, struct net_device *dev)
{
    ...
    if (skb_network_offset(skb) < 0 || skb_network_offset(skb) + ETH_HLEN > skb->len) {
        ERR_PTR(-EINVAL);
        goto drop;
    }

    /* Added skb->cb initialization here: clear stale control-buffer contents
     * before the IPv6 path interprets them */
    memset(skb->cb, 0, sizeof(skb->cb));

    ...
    skb->dev = phys_dev;
    skb->protocol = htons(ETH_P_IPV6);
}
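The following is an added, user-space model of the bug class behind the two snippets above (it is not kernel code and not the driver's own code). A 48-byte control buffer is written by one hypothetical layer with its own layout, then handed to a second hypothetical layer that expects a different layout in the same bytes; without clearing, a stale field is read as an offset that exceeds the packet buffer, and the memset from the fix removes the stale value. All struct and function names are invented for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model: a packet with a control area shared by every layer that
 * handles it. 48 bytes matches the size of the real skb->cb array. */
#define CB_SIZE  48
#define DATA_LEN 64

struct toy_skb {
    unsigned char cb[CB_SIZE];
    unsigned char data[DATA_LEN];
};

/* Layout a hypothetical earlier layer stores in cb (invented). */
struct layer_a_cb { uint32_t flags; uint32_t scratch; uint32_t opt_off; };

/* Layout the hypothetical later (IPv6-style) layer expects in the same
 * bytes (invented). Note ext_hdr_off aliases layer_a_cb.opt_off. */
struct layer_b_cb { uint32_t iif; uint32_t flags; uint32_t ext_hdr_off; };

/* Earlier layer leaves its own state behind in cb. */
static void layer_a_fill(struct toy_skb *skb)
{
    struct layer_a_cb *a = (struct layer_a_cb *)skb->cb;
    a->flags = 1;
    a->scratch = 0xdeadbeef;
    a->opt_off = 0x7fff;   /* valid for layer A, garbage for layer B */
}

/* Later layer reads an offset from cb; true only if it stays in bounds. */
static bool layer_b_offset_ok(const struct toy_skb *skb)
{
    const struct layer_b_cb *b = (const struct layer_b_cb *)skb->cb;
    return b->ext_hdr_off < DATA_LEN;
}

/* Vulnerable-style handoff: cb is passed on untouched, so layer B sees
 * layer A's 0x7fff as an extension-header offset. Returns false. */
static bool handoff_without_init(struct toy_skb *skb)
{
    layer_a_fill(skb);
    return layer_b_offset_ok(skb);
}

/* Fixed handoff, mirroring the patch: zero cb before layer B uses it.
 * Returns true because the offset is now 0. */
static bool handoff_with_init(struct toy_skb *skb)
{
    layer_a_fill(skb);
    memset(skb->cb, 0, sizeof(skb->cb));
    return layer_b_offset_ok(skb);
}
```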

We highly recommend upgrading your kernel to a version containing this patch or manually applying the patch if that is not an option.

Conclusion

CVE-2023-3090 is a critical heap out-of-bounds write vulnerability in the Linux Kernel IPvlan network driver that can lead to local privilege escalation. By properly initializing the skb->cb buffer, this vulnerability can be mitigated. It is essential to update the affected driver or kernel version to ensure your system's security.

Timeline

Published on: 06/28/2023 20:15:00 UTC
Last modified on: 09/11/2023 19:15:00 UTC