A flaw tracked as CVE-2023-4194 has been found in the Linux kernel's TUN/TAP functionality. It allows local users to bypass network filters and gain unauthorized access to certain resources. The original patches meant to fix CVE-2023-1076 are incorrect or incomplete, so the underlying issue remained unresolved after they were applied.

Explanation

The root cause of CVE-2023-4194 lies in the incorrect implementation of the following upstream commits:

a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid")
66b2c338adce ("tap: tap_open(): correctly initialize socket uid")

The problem arises because both commits pass "inode->i_uid" to sock_init_data_uid() as the last parameter, and that value turns out to be inaccurate: it identifies the owner of the device node rather than the user opening it. The result is a flaw in TUN/TAP, the virtual network driver that lets local users send and receive packets through the kernel's network stack, and the uid recorded on the socket is what uid-based network filters rely on.

The following snippet shows the incorrect call introduced by the upstream commits (tun_chr_open() in the tun commit; the tap commit makes the equivalent change in tap_open()):

	tfile->socket.file = file;
	tfile->socket.ops = &tun_socket_ops;
	/* PARAMETER ERROR in the following line: inode->i_uid is the owner of
	 * /dev/net/tun (normally root), not the uid of the opening process */
	sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid);

Because the patches were incorrect, the CVE-2023-1076 issue remained unaddressed, leaving room for local attackers to bypass network filters and gain unauthorized access to certain resources. This highlights the importance of patching and testing kernel vulnerabilities properly, so that a fix actually closes the hole it was meant to close.
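The following user-space program is an added illustration of the mix-up described above; it is not kernel code and not part of the original page. It contrasts the two uids the commits confused: the owner uid of a path (the user-space analogue of inode->i_uid, read with stat()) and the uid of the calling process (the analogue of current_fsuid(), which the corrected upstream patches use instead; approximated here with geteuid()). Run as an unprivileged user against /dev/net/tun, it shows that the device node is owned by root while the caller is not, which is exactly why a socket tagged with the node owner's uid is invisible to uid-based filters meant for that user. The function names and the constructed sample path are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Owner uid of a path: the user-space analogue of inode->i_uid.
 * Returns (uid_t)-1 if the path cannot be stat'ed. */
uid_t node_owner_uid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return (uid_t)-1;
    return st.st_uid;
}

/* Uid of the calling process: the analogue of current_fsuid().
 * For a process that has not called setfsuid() this equals the
 * effective uid, which is what geteuid() reports. */
uid_t caller_fsuid(void)
{
    return geteuid();
}

/* 1 if tagging a socket with the node owner's uid would attribute it to
 * the wrong user (the two uids differ), 0 if they coincide, -1 on error. */
int owner_mismatch(const char *path)
{
    uid_t owner = node_owner_uid(path);
    if (owner == (uid_t)-1)
        return -1;
    return owner != caller_fsuid();
}

int main(int argc, char **argv)
{
    /* Default target is the TUN device node discussed on this page. */
    const char *path = argc > 1 ? argv[1] : "/dev/net/tun";
    int r = owner_mismatch(path);
    if (r < 0) {
        perror(path);
        return 1;
    }
    printf("%s: node owner uid=%u, caller fsuid=%u -> %s\n", path,
           (unsigned)node_owner_uid(path), (unsigned)caller_fsuid(),
           r ? "socket would be tagged with the wrong uid"
             : "uids coincide (running as the node's owner)");
    return 0;
}
```

When run as root the two uids coincide and the misattribution is invisible, which is one reason the incorrect patches passed casual testing; the mismatch only shows up for an unprivileged opener.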

Exploit Details

A local attacker exploiting the CVE-2023-4194 vulnerability can gain unauthorized access to resources through the following steps:

1. Gain local access to the target Linux system.

2. Utilize the flawed TUN/TAP functionality to bypass network filters.

3. Access the desired resources without proper authorization or privileges.

To defend against this vulnerability, users are advised to monitor the Linux kernel mailing list, the upstream and distribution repositories, and their distribution's security advisories for the corrected patches, and to apply the updated kernel as soon as it is available.

For further information and in-depth analysis, please refer to the following sources:

1. Linux Kernel Mailing List – TUN/TAP flaw discussion
2. Upstream Commit – a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid")
3. Upstream Commit – 66b2c338adce ("tap: tap_open(): correctly initialize socket uid")

Conclusion

CVE-2023-4194 is a critical vulnerability that allows local users to bypass network filters and access resources without proper authorization. The incomplete patches that were supposed to resolve CVE-2023-1076 highlight the need for continued vigilance in identifying, patching, and testing kernel vulnerabilities, including verifying that a fix works for unprivileged users and not only for root. Users are encouraged to closely monitor the Linux kernel community and apply the relevant patches as soon as they become available to better protect their systems and data.

Timeline

Published on: 08/07/2023 14:15:00 UTC
Last modified on: 08/19/2023 18:17:00 UTC