A use-after-free vulnerability, CVE-2023-3609, has been found in the Linux kernel's net/sched cls_u32 traffic classifier. Successful exploitation gives a local attacker elevated privileges on the affected system. This post describes the vulnerability, its root cause, and the recommended mitigation and remediation.

Overview

The vulnerability lies in u32_set_parms() in net/sched/cls_u32.c, the u32 filter of the kernel's traffic control (tc) subsystem; the function runs when a u32 filter is created or changed over netlink. When the request binds the filter to a class, tcf_bind_filter() takes a reference on that class through the qdisc's bind_tcf callback. If tcf_change_indev() subsequently fails, for example because the TCA_U32_INDEV attribute names a device that does not exist, u32_set_parms() returns the error immediately without calling tcf_unbind_filter(), so the reference taken a moment earlier is never dropped. The bug is therefore a reference counter leak on an error path, and the use-after-free follows from it.

Exploit Details

The leak is entirely under the attacker's control: a filter request that names a non-existent interface fails deterministically at tcf_change_indev(), and every such failed request leaves the class's reference count one higher than before. Repeating the request enough times wraps the counter around to zero, at which point the kernel treats the class as unreferenced and allows it to be freed even though the legitimately bound filters still point at it. Those stale pointers are the use-after-free (the fix commit describes the outcome as a double free), and a freed kernel object that an attacker can still reach is the usual starting point for local privilege escalation. Adding tc filters requires CAP_NET_ADMIN; on systems that allow unprivileged user namespaces, an ordinary local user can obtain that capability for a network namespace they create, which is what makes this a local privilege escalation rather than a root-only bug.

The following simplified snippet sketches the vulnerable shape of u32_set_parms(); [...] marks elided code. The important detail is that tcf_bind_filter() takes a class reference before the tcf_change_indev() call, and the failure path below it returns without ever dropping that reference:

static int u32_set_parms(struct net *net, struct tcf_proto *tp, u32 handle,
			 bool ovr, struct tc_u_common *un, struct rtattr *est,
			 const struct rtattr * const tb[], u32 flags, u32 fmask,
			 int mirred_ifindex)
{
	struct tc_u_knode *n;
	int err;

	[...]

	if (tb[TCA_OPTIONS] == NULL)
		return -EINVAL;

	[...]

	err = -ENOBUFS;
	n = kzalloc(sizeof(struct tc_u_knode), GFP_KERNEL);
	if (!n)
		goto errout;

	[...]

	if (est) {
		tcf_exts_change(tp, &n->exts, est);
		/* Takes a reference on the target class (bind_tcf). */
		tcf_bind_filter(tp, &n->res, baseclass);
	}

	[...]

	/* BUG: on failure this jumps straight to err_free_n and returns.
	 * tcf_unbind_filter() is never called, so the reference taken by
	 * tcf_bind_filter() above leaks once per failed request. */
	err = tcf_change_indev(net, tb[TCA_U32_INDEV], &n->in_hw);
	if (err < 0)
		goto err_free_n;

	[...]

	return 0;

err_free_n:
	kfree(n);
errout:
	return err;
}
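To make the counter arithmetic concrete, here is a constructed user-space model of the bug class, added for this post and not taken from the kernel or from the fix commit. It puts the two shapes of u32_set_parms() side by side: the vulnerable one that returns after binding, and the fixed one that unbinds on the error path. All names (model_bind_filter, set_parms_vulnerable, set_parms_fixed, run_failing_attempts, the "lo"-only device lookup) are invented for the model, and the 8-bit counter is a deliberate scale-down so the wraparound is reachable in a few hundred calls instead of billions:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model of the bug class (not kernel code).  A class is
 * kept alive by a filter reference counter that bind/unbind adjust, the same
 * contract tcf_bind_filter()/tcf_unbind_filter() have with the qdisc.  The
 * counter is deliberately 8 bits wide so the wraparound, which needs about
 * 2^32 failed requests against a real unsigned int, is reachable in a test. */

struct model_class { uint8_t filter_cnt; };	/* filters bound to this class */

struct model_filter {
	struct model_class *cl;	/* bound class, models n->res */
	int ifindex;		/* models n->ifindex */
};

static void model_bind_filter(struct model_filter *f, struct model_class *cl)
{
	f->cl = cl;
	cl->filter_cnt++;	/* tcf_bind_filter() -> bind_tcf: take a reference */
}

static void model_unbind_filter(struct model_filter *f)
{
	f->cl->filter_cnt--;	/* tcf_unbind_filter() -> unbind_tcf: drop it */
	f->cl = NULL;
}

/* Stand-in for tcf_change_indev(): only "lo" resolves in this model. */
static int model_change_indev(const char *name)
{
	return (name && strcmp(name, "lo") == 0) ? 1 : -ENODEV;
}

typedef int (*set_parms_fn)(struct model_filter *, struct model_class *, const char *);

/* Vulnerable shape: bind the class, then bail out without unbinding. */
static int set_parms_vulnerable(struct model_filter *f, struct model_class *cl,
				const char *indev)
{
	model_bind_filter(f, cl);
	if (indev) {
		int ret = model_change_indev(indev);
		if (ret < 0)
			return -EINVAL;	/* the reference taken above is never dropped */
		f->ifindex = ret;
	}
	return 0;
}

/* Fixed shape: every failure after the bind unwinds it before returning. */
static int set_parms_fixed(struct model_filter *f, struct model_class *cl,
			   const char *indev)
{
	model_bind_filter(f, cl);
	if (indev) {
		int ret = model_change_indev(indev);
		if (ret < 0) {
			model_unbind_filter(f);
			return -EINVAL;
		}
		f->ifindex = ret;
	}
	return 0;
}

/* One legitimate filter holds a reference throughout while the caller issues
 * `attempts` requests naming a device that does not exist.  Returns the counter
 * afterwards; *freed reports whether the qdisc would now let the class be
 * deleted (and kfree'd) under the filter that still points at it. */
static unsigned run_failing_attempts(set_parms_fn set_parms, unsigned attempts,
				     bool *freed)
{
	struct model_class cl = { 0 };
	struct model_filter holder = { 0 };

	model_bind_filter(&holder, &cl);
	for (unsigned i = 0; i < attempts; i++) {
		struct model_filter scratch = { 0 };
		(void)set_parms(&scratch, &cl, "no-such-dev");
	}
	/* Class delete succeeds only at zero (otherwise -EBUSY); holder.cl dangles. */
	*freed = (cl.filter_cnt == 0);
	return cl.filter_cnt;
}

static unsigned refcnt_after_failures(set_parms_fn fn, unsigned attempts)
{
	bool freed;
	return run_failing_attempts(fn, attempts, &freed);
}

static bool class_freed_under_live_filter(set_parms_fn fn, unsigned attempts)
{
	bool freed;
	run_failing_attempts(fn, attempts, &freed);
	return freed;
}
```

With the vulnerable shape, refcnt_after_failures() reads 11 after ten failed requests against a class that one real filter references, and after 255 failures the 8-bit counter reads 0 and class_freed_under_live_filter() reports that the class could now be deleted while holder still points at it. The fixed shape leaves the counter at 1 no matter how many requests fail. In the kernel the counter is a full-width unsigned integer, so the same wrap takes far more requests, but nothing rate-limits a local attacker from issuing them.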

Recommendations

Upgrade to a kernel that contains commit 04c55383fa5689357bcdd2c8036725a55ed632bc ("net/sched: cls_u32: Fix reference counter leak leading to overflow"), or apply that commit as a patch to your own kernel tree. The fix makes the tcf_change_indev() failure path call tcf_unbind_filter() before returning, so every tcf_bind_filter() is balanced again. Distribution kernels backport fixes like this without changing the upstream version string, so check your vendor's changelog for the CVE number rather than relying on the version alone. Until the patched kernel is deployed, restricting unprivileged user namespaces removes the usual way an ordinary user obtains the CAP_NET_ADMIN needed to reach the tc filter interface.

Conclusion

CVE-2023-3609 is a use-after-free vulnerability in the Linux kernel's net/sched cls_u32 classifier, rooted in a reference counter leak on an error path, that can be turned into local privilege escalation. Address it by upgrading the kernel or applying the referenced patch.

Timeline

Published on: 07/21/2023 21:15:00 UTC
Last modified on: 08/19/2023 18:16:00 UTC