A critical use-after-free vulnerability (CVE-2023-3776) has been discovered in the Linux kernel's net/sched: cls_fw component that can be exploited by an attacker for local privilege escalation. The vulnerability exists due to improper reference-count handling on the error path of fw_set_parms(): if tcf_change_indev() fails, fw_set_parms() returns an error immediately, but tcf_bind_filter() has already incremented or decremented the class reference counter. Given that an attacker can control the reference counter and drive it to zero, the referenced object will be freed while it is still in use, leading to a use-after-free vulnerability.

Exploit Details

The vulnerability occurs within the function fw_set_parms() in the file net/sched/cls_fw.c. The code snippet below, abridged from the pre-fix source, demonstrates the issue:

/* net/sched/cls_fw.c, abridged, before commit 0323bce598ee */
static int fw_set_parms(struct net *net, struct tcf_proto *tp,
                        struct fw_filter *f, struct nlattr **tb,
                        struct nlattr **tca, unsigned long base, u32 flags,
                        struct netlink_ext_ack *extack)
{
        ...   /* tcf_exts_validate() and the other checks are elided */

        if (tb[TCA_FW_CLASSID]) {
                f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
                /* Binds the filter to its class and adjusts the class
                 * reference counter (increment on the new class, decrement
                 * on the class previously recorded in f->res) before the
                 * check below has had a chance to fail. */
                tcf_bind_filter(tp, &f->res, base);
        }

        if (tb[TCA_FW_INDEV]) {
                int ret;

                ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
                /* On failure the error is returned at once: the counter
                 * adjustment above is never undone, the caller frees the
                 * new filter, and the counter is left inconsistent. The
                 * fix moves the bind after this check. */
                if (ret < 0)
                        return ret;
                f->ifindex = ret;
        }
        ...
}
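
To make the ordering problem concrete, the following is a small user-space model written for this write-up; it is not kernel code and not part of the fix commit. It mimics only the pieces that matter: a class with a bound-filter counter (like filter_cnt in classful qdiscs such as htb), a tcf_result carrying the class pointer, a bind operation that increments the new class and decrements the class previously recorded in the result (as __tcf_bind_filter() does), and an update path that copies the old filter's result into the new instance before calling the parameter setter, as fw_change() does. The names change_indev(), bind_filter(), set_parms(), delete_class() and update_leaves_dangling_class() are invented for the model, and "eth0", "bogus0" and the ifindex 7 are constructed inputs. The model shows the decrement case the advisory refers to: after a failed update, the surviving old filter still points at a class whose counter has dropped to zero, so a later class delete succeeds and leaves the filter holding a freed object. With the corrected ordering (the check before the bind), the counter stays consistent and the delete is refused.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the cls_fw pattern; not kernel code. A class counts
 * the filters bound to it and may only be deleted when that count is zero. */
struct tc_class {
    int filter_cnt;  /* filters currently bound to this class */
    int freed;       /* set once the class has been deleted */
};

struct tcf_result {
    struct tc_class *class;  /* class the filter resolves to */
};

struct fw_filter {
    struct tcf_result res;
    int ifindex;
};

/* Models __tcf_bind_filter(): count the new class, then uncount whatever
 * class was previously recorded in res->class. */
static void bind_filter(struct tcf_result *res, struct tc_class *newcls)
{
    struct tc_class *old = res->class;

    newcls->filter_cnt++;
    res->class = newcls;
    if (old)
        old->filter_cnt--;
}

/* Models tcf_change_indev(): only "eth0" is a valid device in this model. */
static int change_indev(const char *indev)
{
    if (indev == NULL || strcmp(indev, "eth0") != 0)
        return -ENODEV;
    return 7;  /* constructed ifindex */
}

/* Models fw_set_parms(). fixed == 0 binds before the device lookup can fail
 * (the CVE-2023-3776 ordering); fixed == 1 binds only after it succeeded. */
static int set_parms(struct fw_filter *f, struct tc_class *classid,
                     const char *indev, int fixed)
{
    int ret;

    if (!fixed && classid)
        bind_filter(&f->res, classid);

    ret = change_indev(indev);
    if (ret < 0)
        return ret;
    f->ifindex = ret;

    if (fixed && classid)
        bind_filter(&f->res, classid);
    return 0;
}

/* Models a class delete: refused while any filter is still bound. */
static int delete_class(struct tc_class *cls)
{
    if (cls->filter_cnt > 0)
        return -EBUSY;
    cls->freed = 1;
    return 0;
}

/* Replays an update of an existing filter bound to old_cls: a new instance
 * copies the old tcf_result (as fw_change() does), the update fails in the
 * device lookup, and the new instance is discarded without an unbind.
 * Returns 1 when the surviving old filter ends up pointing at a class that
 * was freed (use-after-free setup), 0 when the counter stayed consistent. */
int update_leaves_dangling_class(int fixed)
{
    struct tc_class old_cls = {0, 0}, new_cls = {0, 0};
    struct fw_filter f = {{NULL}, 0};
    struct fw_filter fnew;

    bind_filter(&f.res, &old_cls);   /* original filter creation */

    fnew = f;                        /* fnew->res = f->res in fw_change() */
    if (set_parms(&fnew, &new_cls, "bogus0", fixed) < 0)
        memset(&fnew, 0, sizeof(fnew));  /* error path: fnew is just freed */

    delete_class(&old_cls);          /* later attempt to delete the class */
    return f.res.class == &old_cls && old_cls.freed;
}
```

With the original ordering the call returns 1: the failed update decremented old_cls to zero while the old filter still referenced it, and the new class is left with a stray increment as well. With the corrected ordering it returns 0 because the delete is refused.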

Proof-of-Concept

Although there is no public proof-of-concept exploit available at this time, it is important to understand that the impact of this vulnerability is significant, as it can allow an attacker to gain unauthorized access to privileged resources. The attacker needs local access to the targeted system and must be able to trigger this specific bug by manipulating the reference counter in order to achieve privilege escalation.

Mitigation

To mitigate this vulnerability, it is recommended to upgrade your system past commit 0323bce598eea038714f941ce2b22541c46d488f, which is available in the Linux kernel source tree. Moreover, you should always apply all available security patches and updates provided by your operating system vendor, and follow best practices for securing your applications and network.

Original References

- Linux kernel source tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0323bce598eea038714f941ce2b22541c46d488f

Conclusion

CVE-2023-3776 is a critical use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component, which can be exploited for local privilege escalation. By gaining control over the reference counter and setting it to zero, an attacker with local access can cause a use-after-free issue and elevate their privileges on the system. It is essential to upgrade your system past commit 0323bce598eea038714f941ce2b22541c46d488f and diligently maintain your system's security by applying all necessary updates and patches.

Timeline

Published on: 07/21/2023 21:15:00 UTC
Last modified on: 08/19/2023 18:17:00 UTC