A NULL pointer dereference vulnerability (CVE-2023-42754) has recently been discovered in the Linux kernel IPv4 stack. This vulnerability can potentially allow a local attacker with CAP_NET_ADMIN privileges to crash the system. In this post, we'll delve deep into the details of this exploit, its impact, and possible solutions to mitigate the risks associated with it.

Vulnerability Details

The core of the issue lies within the socket buffer (skb) in the Linux kernel's IPv4 stack. Specifically, it occurs when __ip_options_compile assumes that the skb is always associated with a forwarding device. However, in cases where the skb is rerouted by ipvs, this assumption becomes invalid, leading to a NULL pointer dereference and ultimately resulting in system instability or crashes.

Here's a snippet of the problematic code in question:

static int __ip_options_compile(struct net *net,
                struct ip_options *opt,
                struct sk_buff *skb,
                struct ip_options_rcu **optp)
{
    struct in_device *in_dev = NULL;
    ...
    if (skb) {
        /* skb->dev is NULL when the skb was rerouted by ipvs */
        struct net_device *dev = skb->dev;
        if (dev && dev->ip_ptr)
            in_dev = rcu_dereference(dev->ip_ptr);
        /* otherwise in_dev stays NULL and is dereferenced below */
    }
    ...
}

As shown in the code above, if skb->dev is NULL, in_dev is never assigned and stays NULL. This leads to a NULL pointer dereference later in the function when in_dev is accessed.

Exploiting the Vulnerability

To exploit this vulnerability, an attacker must have local access to the system with CAP_NET_ADMIN privileges. Using the ipvs API (part of the Linux kernel), the attacker could potentially create a scenario where skb is rerouted, causing the NULL dereference. An example of such a scenario could include the following steps:

Mitigation

As CVE-2023-42754 is still relatively new, developers are working on patches to address the vulnerability fully. In the meantime, it is essential to:

1. Limit the number of users with CAP_NET_ADMIN privileges on systems potentially impacted by this issue.
2. Keep an eye on vulnerability databases and Linux kernel patch releases to stay informed of updates related to CVE-2023-42754.
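A check that goes with the first item, added here as an example and not taken from the post or from the kernel sources: it lists the processes whose effective capability set already contains CAP_NET_ADMIN, and the binaries that grant it through file capabilities. It assumes CAP_NET_ADMIN is capability bit 12 (as defined in the kernel's uapi capability.h) and that file capabilities live under the usual /bin, /sbin, /usr/bin and /usr/sbin paths; the CapEff values in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post: audit which local processes
# already hold CAP_NET_ADMIN, the privilege the post names as required to reach
# the ipvs rerouting path. Assumption: CAP_NET_ADMIN is capability bit 12.
CAP_NET_ADMIN_BIT=12

# has_net_admin HEXMASK: succeed (exit 0) when bit 12 of the mask is set.
# HEXMASK is the hex value printed after "CapEff:" in /proc/PID/status.
has_net_admin() {
    hex="$1"
    case "$hex" in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # not a hex capability mask
    esac
    [ "$(( (0x$hex >> CAP_NET_ADMIN_BIT) & 1 ))" -eq 1 ]
}

# list_net_admin_procs: print "PID NAME" for every readable process whose
# effective capability set contains CAP_NET_ADMIN.
list_net_admin_procs() {
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue
        pid="${status#/proc/}"; pid="${pid%/status}"
        name=$(awk '/^Name:/ { print $2; exit }' "$status" 2>/dev/null)
        cap=$(awk '/^CapEff:/ { print $2; exit }' "$status" 2>/dev/null)
        [ -n "$cap" ] || continue
        if has_net_admin "$cap"; then
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# list_net_admin_files: binaries that grant CAP_NET_ADMIN through file
# capabilities are the other way an unprivileged login can obtain it.
list_net_admin_files() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r /usr/bin /usr/sbin /bin /sbin 2>/dev/null | grep -i cap_net_admin
    return 0
}

# Constructed CapEff values, as they would appear in /proc/PID/status:
#   000001ffffffffff  full root set (CAP_NET_ADMIN present)
#   0000000000001000  CAP_NET_ADMIN only
#   0000000000000400  CAP_NET_BIND_SERVICE only (bit 10), no CAP_NET_ADMIN
case "${1:-}" in
    --scan) echo "Processes holding CAP_NET_ADMIN (effective):"; list_net_admin_procs
            echo "Binaries granting it via file capabilities:"; list_net_admin_files ;;
esac
```

Run it as `sh audit.sh --scan` on the host being checked; anything listed that is not a network-management daemon is a candidate for losing the capability.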

For more information about the vulnerability details, you can refer to the following sources:

1. Original CVE report: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42754
2. Discussion on the Linux kernel mailing list: https://lore.kernel.org/lkml/YWDxJEK9rierqidUcGry+BGPStt4Lo5YQkHEyg3cdZWn6iWkk5w@mail.gmail.com/
3. Information about the Linux kernel CAP_NET_ADMIN capability: https://man7.org/linux/man-pages/man7/capabilities.7.html

Conclusion

CVE-2023-42754 represents a vulnerability in the IPv4 stack of the Linux kernel that could lead to system crashes if exploited. However, the mitigation measures above can minimize the risk associated with this flaw. Keeping systems updated, limiting privileged access, and staying informed about security developments are critical to maintaining a secure environment in the face of this and other vulnerabilities.

Timeline

Published on: 10/05/2023 19:15:11 UTC
Last modified on: 11/07/2023 04:21:14 UTC