A recent vulnerability has been discovered in the Linux kernel, labeled as CVE-2023-4387, which affects the VMware's vmxnet3 ethernet NIC (network interface card) driver. This vulnerability mainly revolves around a use-after-free flaw in the vmxnet3_rq_alloc_rx_buf function located in the drivers/net/vmxnet3/vmxnet3_drv.c file. The issue could potentially allow a local attacker to crash the system by causing a double-free error while cleaning up in the vmxnet3_rq_cleanup_all function, which could further lead to a kernel information leak. In this post, we will take a closer look at this vulnerability, understand how it works, and discuss potential exploit details.

The Vulnerability: Use-After-Free in vmxnet3_rq_alloc_rx_buf

The main issue at the heart of CVE-2023-4387 is a use-after-free vulnerability. In programming, use-after-free refers to an attempt to access memory after it has been freed, which can cause a variety of issues depending on the circumstances. In this particular case, the vulnerability exists in the vmxnet3_rq_alloc_rx_buf function in the vmxnet3 driver, which is responsible for allocating receive buffers for incoming network packets.

Here's a code snippet from the affected function

int vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, u32 buf_idx, gfp_t gfp)
{
	u32 len;
	struct vmxnet3_rx_buf_info *rbi;
	struct vmxnet3_rx_buf_map *rbm;
	struct ns2_dev_info *ns2_dev_info;
	struct sk_buff *skb;
	dma_addr_t dma;
...
...
...
	if (unlikely(vpTci != VMXNET3_PT_NULL)) {
		ns2_dev_info = vmxnet3_get_ns2_dev_info(adapter);

		if (unlikely(ns2_dev_info != NULL)) {
			vmxnet3_restore_ns2_buf(ns2_dev_info, new_skb, dma, len);

			if (rbm->buf_type == VMXNET3_RX_BUF_TYPE_HEAD) {
				skb = vmxnet3_get_ns2_data(new_skb, dma, len);
			}
		}
	}
...
...
...
}

In this code, the function tries to allocate a new receive buffer, but there is a scenario where the allocated buffer can be freed and then reused, leading to the use-after-free vulnerability. This can be triggered if the local attacker can manipulate the process of allocating memory for the receive buffer; specific conditions must be met for the issue to occur.

Exploit Details

Although the exact exploit details are not publicly available, we can infer that for this vulnerability to be exploited, a local attacker would need to have already compromised a system running a vulnerable version of the Linux kernel and have access to a virtual machine running on VMware's hypervisor with the vmxnet3 ethernet driver enabled.

An attacker could potentially exploit this vulnerability by sending specially crafted packets over the network to the vulnerable driver, causing a double-free error in the vmxnet3_rq_cleanup_all function. This could lead to a kernel crash and potential information leak, depending on the attacker's ability to control or manipulate the memory that would be leaked through this bug.

1. CVE-2023-4387 Details
2. vmxnet3 Linux Kernel Source Code

Conclusion

CVE-2023-4387 is a serious vulnerability that affects many Linux systems running on VMware's hypervisors. While the details of a practical exploit are not yet known, proactive patching and mitigation can significantly reduce the risk posed by this vulnerability. It is crucial for system administrators to keep their software updated, ensure that virtual machines are using the latest drivers and monitor for any suspicious network traffic that could potentially trigger harmful use-after-free scenarios.

Timeline

Published on: 08/16/2023 19:15:00 UTC
Last modified on: 09/18/2023 13:15:00 UTC