The recent discovery of a vulnerability in the Unbreakable Enterprise Kernel (UEK), the kernel shipped with Oracle Linux, has raised concerns among system administrators and developers. Tracked as CVE-2023-22024, the flaw can crash the kernel and therefore affects system availability. This long-read post aims to give a comprehensive understanding of the issue, including code snippets, original references, and exploit details.

Background

UEK is a Linux kernel designed and built by Oracle, tailored for enterprise workloads, and it offers additional security features not found in other distributions. Within UEK, the RDS (Reliable Datagram Sockets) module plays a critical role in providing low-latency, high-bandwidth communication services.

The RDS module in UEK exposes two setsockopt(2) options, RDS_CONN_RESET and RDS6_CONN_RESET. These options are not re-entrant, meaning they cannot safely be called concurrently by multiple threads. A malicious local user holding the CAP_NET_ADMIN capability can exploit this to crash the kernel, impairing the operation of the entire system.

CVSS 3.1 Base Score & Vector

CVE-2023-22024 carries a CVSS 3.1 base score of 5.5 out of 10, indicating medium severity. The CVSS vector for this vulnerability is: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Exploit Details

To fully grasp the issue at hand, it is essential to understand the code associated with this vulnerability. The following abridged snippet shows how UEK's RDS module dispatches the two setsockopt() options that are not re-entrant:

static int rds_setsockopt(struct socket *sock, int level, int optname,
                          sockptr_t optval, unsigned int optlen)
{
    struct rds_sock *rs = rds_sk_to_rs(sock->sk);
    int ret;

    if (level != SOL_RDS)
        return -ENOPROTOOPT;

    switch (optname) {
    case RDS_CONN_RESET:
        if (optlen != sizeof(int))
            return -EINVAL;

        /* No lock is taken here or in the reset helper, so two threads
         * can reset the same socket's connection at the same time. */
        ret = rds_conn_reset(rs, optval);
        break;

    case RDS6_CONN_RESET:
        if (optlen != sizeof(int))
            return -EINVAL;

        /* Same pattern for the IPv6 variant, with the same missing
         * synchronisation. */
        ret = rds6_conn_reset(rs, optval);
        break;

    ...
    }
    return ret;
}

As the snippet shows, the two setsockopt options, RDS_CONN_RESET and RDS6_CONN_RESET, share the same structure and processing logic. However, neither path has any form of synchronisation to stop multiple threads from invoking either option concurrently on the same socket. This oversight leads to a race condition that, if triggered, can crash the kernel.

A possible way for an attacker to take advantage of this vulnerability would be to create multiple threads that continuously call setsockopt() with the vulnerable options. Over time, the race would trigger and cause a kernel crash, impacting the system's availability.
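To make the failure mode concrete, here is a constructed user-space model, added to this post and not UEK or Oracle code, of a two-phase reset handler in which a second caller enters between tear-down and rebuild, placed beside a variant guarded by a per-socket in-progress flag that stands in for a kernel mutex. The struct layout, the function names, the fixed 4-step schedules and the use of -EFAULT (for what would be a kernel oops) and -EBUSY (for the rejected concurrent caller) are assumptions of the model.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (assumption: NOT UEK code). A reset tears the socket
 * down, then rebuilds it; a second caller entering in between sees the
 * torn-down state, which in the kernel is an oops and here is -EFAULT. */
struct rds_sock { char *buf; int in_reset; };

static int conn_reset_step(struct rds_sock *rs, int phase)
{
	if (phase == 2) {                 /* rebuild */
		rs->buf = calloc(64, 1);
		return rs->buf ? 0 : -ENOMEM;
	}
	if (!rs->buf)                     /* torn down by the other caller: */
		return -EFAULT;           /* the kernel would oops here */
	memset(rs->buf, 0, 64);           /* flush pending data, then tear down */
	free(rs->buf);
	rs->buf = NULL;
	return 0;
}

/* Hardened variant: a per-socket guard serialises resets. A real fix takes a
 * mutex and blocks; the model rejects the concurrent caller with -EBUSY. */
static int conn_reset_step_locked(struct rds_sock *rs, int phase)
{
	if (phase == 1 && rs->in_reset)
		return -EBUSY;
	rs->in_reset = (phase == 1);      /* set on tear-down, cleared on rebuild */
	return conn_reset_step(rs, phase);
}

/* Phase sequences: RACY is callers A,B,A,B (B enters while A is mid-reset);
 * SERIAL is A,A,B,B (each reset completes before the next starts). */
static const int RACY[4] = {1, 1, 2, 2};
static const int SERIAL[4] = {1, 2, 1, 2};

/* Replay a 4-step schedule; stop at and return the first error, 0 if both
 * resets completed. */
static int run_schedule(int (*step)(struct rds_sock *, int), const int *phase)
{
	struct rds_sock rs = { calloc(64, 1), 0 };
	int ret = rs.buf ? 0 : -ENOMEM;
	for (int i = 0; i < 4 && !ret; i++)
		ret = step(&rs, phase[i]);
	free(rs.buf);
	return ret;
}
```

Replaying RACY through the unguarded handler reaches the modelled crash, while the guarded handler turns the same interleaving into a harmless -EBUSY; both handlers complete SERIAL cleanly.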

Original References

For further technical details about this vulnerability and its impact, consult the official CVE entry for CVE-2023-22024. Oracle's advisory on the matter provides guidance on mitigation strategies and patches.

Conclusion

CVE-2023-22024 is a non-negligible security vulnerability in Oracle's Unbreakable Enterprise Kernel: its non-reentrant RDS setsockopt options can be used to crash the kernel. System administrators and developers should closely monitor Oracle's advisories for patching instructions and mitigation strategies. In the meantime, restricting access to systems running UEK, and in particular limiting which users hold CAP_NET_ADMIN, provides a quick, temporary way to lessen the risk associated with this vulnerability.

Timeline

Published on: 09/20/2023 21:15:00 UTC
Last modified on: 09/25/2023 16:09:00 UTC