A use-after-free vulnerability has been discovered in the Linux kernel's net/sched: cls_u32 component; a local attacker who can exploit it can escalate privileges. The vulnerability is designated CVE-2023-4208, and the Linux kernel community has proposed a fix for the issue.

Here is a relevant code snippet highlighting the problematic area:

static int u32_change(struct net *net, struct sk_buff *in_skb,
                      struct nlmsghdr *n, char *if_name, void *fh,
                      const struct Qdisc *ops, unsigned long base)
{
    ...
    // Copy the entire filter, including its tcf_result (the class binding)
    newf = kmemdup(tp, sizeof(*newf), GFP_KERNEL);
    if (!newf)
        return -ENOBUFS;

    // Update params
    ret = u32_set_parms(net, tp, &f, newf, exts, if_name, base);
    if (ret)
        goto errout;

    ...
}

In this code snippet, the old filter's tcf_result struct is copied into the new instance of the filter inside u32_change(). This causes a problem when the filter being updated is bound to a class: tcf_unbind_filter() is always called on the old instance in the success path, so the class's filter_cnt is decremented even though the new filter instance still references the class.

Exploit Details

The exploit takes advantage of the vulnerability to attain local privilege escalation. Here's a brief outline of the attack:

1. The u32_change() function is called on the existing malicious filter.

2. The vulnerable code fails to handle the tcf_result struct correctly, causing the referenced class' filter_cnt to decrease.

3. The class is now eligible for deletion, leading to a use-after-free situation.

4. The attacker leverages the improper memory management to escalate their privileges on the target system.
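To make the filter_cnt bookkeeping described above concrete, here is a small added model (written for this page, not kernel code) of the class/filter binding lifecycle. It contrasts the buggy update flow, which copies tcf_result and then unbinds the old filter, with the fixed flow, in which the new filter takes its own reference; the struct and function names are invented for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy model: a class counts bound filters, and the qdisc refuses to
 * delete a class while filter_cnt > 0 (the kernel's deletion check). */
struct tc_class { int filter_cnt; bool deleted; };
struct tcf_result { struct tc_class *class; };
struct u32_filter { struct tcf_result res; };

static void model_bind(struct u32_filter *f, struct tc_class *c)
{
    f->res.class = c;
    c->filter_cnt++;
}

static void model_unbind(struct u32_filter *f)
{
    if (f->res.class)
        f->res.class->filter_cnt--;
}

/* Class deletion succeeds only when no filter is counted as bound. */
static bool model_class_delete(struct tc_class *c)
{
    if (c->filter_cnt > 0)
        return false;
    c->deleted = true;
    return true;
}

/* Buggy flow: the whole old filter (tcf_result included) is copied, then
 * the old one is unbound. The copy points at the class but never took a
 * reference, so filter_cnt drops to zero while the class is still in use. */
static void model_update_buggy(struct u32_filter *old, struct u32_filter *newf)
{
    memcpy(newf, old, sizeof(*newf));
    model_unbind(old);
}

/* Fixed flow: tcf_result is not inherited; the new filter binds the class
 * itself, so unbinding the old filter leaves the count balanced. */
static void model_update_fixed(struct u32_filter *old, struct u32_filter *newf)
{
    struct tc_class *c = old->res.class;
    memset(newf, 0, sizeof(*newf));
    model_bind(newf, c);
    model_unbind(old);
}

/* Runs one update; returns filter_cnt afterwards and reports whether the
 * class could be deleted while the new filter still points at it (the UAF). */
static int model_run(bool fixed, bool *deleted_while_referenced)
{
    struct tc_class c = { 0, false };
    struct u32_filter old = { { NULL } }, newf = { { NULL } };
    model_bind(&old, &c);
    if (fixed) model_update_fixed(&old, &newf); else model_update_buggy(&old, &newf);
    *deleted_while_referenced = model_class_delete(&c) && newf.res.class == &c;
    return c.filter_cnt;
}
```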

Recommendation

To mitigate this vulnerability, upgrade your Linux kernel to a version that includes commit 3044b16e7c6fe5d24b1cdbcf1bda9d92d1ebd81. This commit resolves the use-after-free and thereby removes the local privilege escalation path.

In conclusion, users and system administrators must update their Linux kernel to a version that addresses CVE-2023-4208. Keeping system software current helps maintain the integrity and security of your environment.

Timeline

Published on: 09/06/2023 14:15:11 UTC
Last modified on: 09/11/2023 18:12:56 UTC