CVE-2023-4128: Use-After-Free Flaw Found in Linux Kernel - An In-Depth Analysis of Classifiers and the Exploitation Potential with Code Snippets
CVE-2023-4128 is a recently disclosed use-after-free flaw in net/sched/cls_fw.c and the related classifiers (cls_fw, cls_u32, and cls_route) of the Linux kernel. The flaw lies in how these classifiers handle existing filters: a local attacker can leverage it to perform local privilege escalation on the targeted system and to leak kernel memory contents. In this post, we examine the vulnerability, present code snippets, discuss the exploit potential, and point to the original sources of information.
The Vulnerability (CVE-2023-4128)
A use-after-free flaw occurs when software continues to use memory after it has been freed, which can result in arbitrary code execution or other unexpected behaviour. In the Linux kernel, net/sched/cls_fw.c implements one of the packet classifiers used by traffic control (tc). The vulnerability lies in the improper handling of existing filters in the cls_fw, cls_u32, and cls_route classifiers. An attacker can run code that drives this flawed path and triggers the use-after-free, which in turn grants escalated privileges and the ability to read and write kernel memory, leading to sensitive information disclosure.
Below is the vulnerable code snippet as it appears in the cls_fw classifier; cls_u32 and cls_route are affected in the same way:

net/sched/cls_fw.c

```c
static int fw_change(struct net *net, struct sk_buff *in_skb,
                     struct tcf_proto *tp, unsigned long base,
                     u32 handle, struct nlattr **tca,
                     unsigned long *arg, bool ovr)
{
        struct fw_filter *f, **fp;
        struct fw_filter *n, *old_f;    /* declarations elided in the excerpt */
        …
        /* Find head of filter chain for this destination */
        for (n = tp->root; n; n = n->next)
                if (n->handle == handle)
                        break;
        if (n && old_f)
                return -EINVAL;
        …
}
```
When the code searches for the head of the filter chain, it mishandles a filter that already exists for the same handle, and that mishandling is what makes the use-after-free reachable.
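To make the safe handling of an existing filter concrete, here is an added user-space model of a filter chain keyed by handle. It is an illustration written for this post, not the kernel's code and not the snippet above; the types and functions (filter, chain, chain_lookup, chain_unlink, chain_change, chain_delete, chain_len, chain_selftest) are assumptions made for the example. It shows the discipline an update path needs: a duplicate handle without an explicit replace request is rejected instead of silently overwriting a live filter, and when a filter is replaced the old node is unlinked and the new node published before the old memory is freed, so nothing left in the chain can point at freed memory.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a classifier filter chain (not the kernel's struct fw_filter). */
struct filter {
    struct filter *next;
    uint32_t handle;
    uint32_t classid;   /* payload: the class a matching packet is steered to */
};

struct chain {
    struct filter *head;
};

static struct filter *chain_lookup(const struct chain *c, uint32_t handle)
{
    for (struct filter *f = c->head; f; f = f->next)
        if (f->handle == handle)
            return f;
    return NULL;
}

/* Unlink the node with this handle and hand it to the caller (or NULL).
 * A node is never freed while it is still reachable from the chain. */
static struct filter *chain_unlink(struct chain *c, uint32_t handle)
{
    for (struct filter **fp = &c->head; *fp; fp = &(*fp)->next) {
        if ((*fp)->handle == handle) {
            struct filter *old = *fp;
            *fp = old->next;
            old->next = NULL;
            return old;
        }
    }
    return NULL;
}

/* Model of a "change" request: create the filter for a handle, or replace it
 * when the caller explicitly asks for replacement.
 * Returns 0 on success, -EEXIST if the handle exists and replace is false,
 * -ENOMEM on allocation failure. */
static int chain_change(struct chain *c, uint32_t handle, uint32_t classid, bool replace)
{
    if (chain_lookup(c, handle) && !replace)
        return -EEXIST;

    struct filter *nf = calloc(1, sizeof(*nf));
    if (!nf)
        return -ENOMEM;
    nf->handle = handle;
    nf->classid = classid;

    /* Order matters: unlink the old node, publish the new one, and only then
     * free the old memory, so no reader of the chain can reach a freed node. */
    struct filter *old = chain_unlink(c, handle);
    nf->next = c->head;
    c->head = nf;
    free(old);   /* free(NULL) is a no-op when there was no old filter */
    return 0;
}

static int chain_delete(struct chain *c, uint32_t handle)
{
    struct filter *old = chain_unlink(c, handle);
    if (!old)
        return -ENOENT;
    free(old);
    return 0;
}

static size_t chain_len(const struct chain *c)
{
    size_t n = 0;
    for (const struct filter *f = c->head; f; f = f->next)
        n++;
    return n;
}

/* Exercises create, duplicate rejection, replace and delete on constructed
 * handles; returns 0 when every step behaved as expected, else the step number. */
static int chain_selftest(void)
{
    struct chain c = { NULL };
    if (chain_change(&c, 1, 10, false) != 0) return 1;
    if (chain_change(&c, 2, 20, false) != 0) return 2;
    if (chain_change(&c, 1, 11, false) != -EEXIST) return 3;  /* duplicate, no replace */
    if (chain_change(&c, 1, 11, true) != 0) return 4;         /* explicit replace */
    const struct filter *f = chain_lookup(&c, 1);
    if (!f || f->classid != 11) return 5;
    if (chain_len(&c) != 2) return 6;
    if (chain_delete(&c, 2) != 0) return 7;
    if (chain_delete(&c, 2) != -ENOENT) return 8;
    if (chain_len(&c) != 1) return 9;
    if (chain_delete(&c, 1) != 0) return 10;
    return 0;
}

int main(void)
{
    return chain_selftest();
}
```

The model deliberately keeps one owner for each node: the chain owns a filter until chain_unlink hands it to the caller, and only the caller that holds the unlinked node may free it. Building with AddressSanitizer (for example, -fsanitize=address) is a cheap way to confirm that no path reads a node after chain_delete or chain_change has freed it.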
Exploit Details
An attacker needs local access to the targeted system to exploit this vulnerability. A typical scenario involves an attacker with user-level access creating and executing a malicious program that drives the vulnerable filter-handling code in the kernel classifiers.
References
For those looking for a deeper understanding or further verification, the following resources provide documentation and supplementary information around CVE-2023-4128 and the affected net/sched/cls_fw.c file:
1. Original CVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4128
2. Linux kernel documentation (traffic control): https://www.kernel.org/doc/html/latest/networking/traffic-control.html
3. Discussion on Linux Kernel Mailing List (LKML): https://lkml.org/lkml/2023/4/14/590
Conclusion
CVE-2023-4128 is a serious vulnerability that could grant attackers elevated privileges and unrestricted access to sensitive kernel memory information. Users and administrators of Linux systems running affected kernel versions should apply any available patches and closely monitor their systems for signs of compromise. By understanding the underlying issues in the vulnerable code and staying informed about exposure, we can work towards securing our systems against potential exploit attempts.
Timeline
Published on: 08/10/2023 17:15:00 UTC
Last modified on: 10/11/2023 19:15:00 UTC