A serious flaw, tracked as CVE-2023-4128, was found in the Linux Kernel's networking subsystem, specifically in the net/sched/cls_fw.c and associated classifiers like cls_fw, cls_u32, and cls_route. If you’re running a Linux system, it’s important to know what this bug means, how attackers can use it to escalate privileges, and what you can do about it.
What is CVE-2023-4128?
This vulnerability is a use-after-free bug. It exists because of incorrect handling of filter objects in the traffic control classifier modules of the Linux kernel.
In a nutshell:
- A "use-after-free" happens when software continues to use a chunk of memory after it has been released (freed).
- In the case of CVE-2023-4128, when filters within certain network classifiers are manipulated, old memory is mishandled, leading to the kernel accidentally exposing sensitive data or letting an attacker escalate privileges.
Most modern Linux distributions include these modules by default.
Severity: HIGH — Local attackers (those with shell/account access) can abuse this to gain kernel-level access.
Technical Details
The flaw sits in how the kernel’s traffic classifier code manages the lifecycle of filter objects. For example, when updating or deleting rules in the traffic control system, the kernel fails to safely handle filter objects, leading to a *use-after-free* condition.
Here’s a simplified (paraphrased) version of what happened
// In net/sched/cls_fw.c:
static int fw_delete(struct tcf_proto *tp, unsigned long arg)
{
struct fw_filter *f = (struct fw_filter *) arg;
// ...some logic...
kfree(f); // Filter is freed, but pointers may still reference 'f'!
// Later, another function tries to use that 'f' pointer...
}
What goes wrong:
After kfree(f), the pointer f shouldn’t be used anymore, but there are code paths where operations on f still happen, creating a race condition where an attacker can control or read freed memory buffer contents.
In practice:
- Attackers can carefully manage filter setups and deletions to trigger the bug, leaking kernel memory or writing their own data back, yielding escalated privileges.
Prepare the System:
The attacker needs the CAP_NET_ADMIN capability. This can sometimes be achieved by tricking suid binaries, Linux containers, or unprivileged user namespaces (if enabled).
Spray and Reuse:
The attacker juggles filter entries, adding and deleting them, causing the target filter object to be freed and possibly repurposed by user data.
Simple Proof-of-Concept (PoC) Flow
// Pseudo-flow: not a ready-to-run exploit
// 1. Setup filters
for (int i = ; i < 100; i++) {
add_filter(i, ...);
}
// 2. Race deletion
for (int i = ; i < 100; i++) {
delete_filter(i);
}
// 3. Spray controlled memory (allocate objects in freed space)
// 4. Trigger kernel code path to use-after-free
Note: The real implementation involves triggering precise conditions. For a full working PoC, see the links below.
Patch and Mitigations
Patched Kernels:
- Linux mainline commit: [6e8ab1ec1a29 (“net/sched: cls_fw, u32, route: check for the head of filter chain appropriately”)][mainline-patch]
References
- Red Hat Security Bulletin — CVE-2023-4128
- Linux Kernel Patch Commit (mainline)
- Security Focus — CVE-2023-4128
- oss-security Mailing List Announcement
Should I Worry?
If you run Linux — especially in multi-user environments or with exposed containers — YES, you must ensure your kernel is updated! Privilege escalation flaws like this are prized by attackers.
Tip: Check your kernel version
uname -r
…and compare with your OS vendor’s advisories.
Conclusion
CVE-2023-4128 is a powerful flaw in the Linux kernel’s traffic control code leading to local root. Exploit code may be available in the wild, so patch as soon as possible and keep an eye on systems handling public or multi-user access.
Timeline
Published on: 08/10/2023 17:15:00 UTC
Last modified on: 10/11/2023 19:15:00 UTC