A critical vulnerability, CVE-2023-4623, has been identified in the Linux kernel's traffic control subsystem—specifically in the HFSC qdisc (Hierarchical Fair Service Curve) scheduler, which you’ll find under net/sched/sch_hfsc. This bug affects systems with HFSC queueing discipline enabled. Local attackers can exploit this to escalate their privileges, potentially compromising entire Linux machines.
Below, I'll explain how this vulnerability works, provide a code snippet to show the bug, discuss exploitation details, and link to key resources. This article is written in straightforward language for better clarity.
What is the HFSC qdisc?
HFSC (Hierarchical Fair Service Curve) is a Linux kernel feature for advanced traffic shaping. It lets you create "classes" and "subclasses" to manage bandwidth for different categories of network traffic.
What is the Vulnerability? (CVE-2023-4623)
The vulnerability is a use-after-free bug. In simple terms: the kernel accidentally keeps using memory for a traffic control class after it has been freed ("deleted"). This is dangerous—attackers can exploit this kind of bug to run code as the root user.
How Does it Happen?
- If you create a class in HFSC that uses a *link-sharing curve* (HFSC_FSC set), but its *parent* class does not have a link-sharing curve, the kernel tries to insert info into the parent via vttree_insert().
- Later, when cleaning up in update_vf(), the kernel forgets to *remove* that info using vttree_remove().
- This means a pointer to the class lingers after the class is already deleted—leading to a dangling pointer and use-after-free.
Here's a simplified look at the vulnerable Linux code (from net/sched/sch_hfsc.c)
// Vulnerable flow (simplified example)
if (cl->cl_parent->cl_flags & HFSC_FSC) {
vttree_insert(&cl->cl_parent->cl_vfq, &cl->cl_vf);
}
... // later in code, when updating/removing
// Here, vttree_remove is NOT called on parent without link-sharing
if (cl->cl_parent->cl_flags & HFSC_FSC) {
vttree_remove(&cl->cl_parent->cl_vfq, &cl->cl_vf);
// But if parent doesn't have link-sharing, this is skipped
}
Result: When a class with HFSC_FSC is destroyed but its parent doesn’t have the flag, that pointer stays in the parent’s tree and can later be used after the memory is freed.
Why is this Dangerous?
- Use-After-Free: Attackers can manipulate the HFSC qdisc structure, freeing a class object while a pointer to it still exists.
- Local Privilege Escalation: A low-privilege user with access to traffic control (tc) interfaces can trigger and control the memory reuse, leading to controlling kernel memory, and possibly executing code as root.
- Affected Versions: *All Linux kernels before commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f are affected.*
Create HFSC Hierarchy
- Use tc to create parent and child classes with/without HFSC_FSC.
Gain Privileges
- Trigger code paths using that dangling pointer, controlling what happens next (sometimes leading to root shell).
*Note*: While this is the general idea, a full public exploit is not available at the time of writing, but variants could be developed by skilled attackers.
Recommendations
Patch immediately! The Linux maintainers fixed this bug in commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.
Update your system if you run a kernel version older than the fixed commit.
sudo apt update
sudo apt upgrade # Debian/Ubuntu
sudo dnf upgrade # Fedora/Red Hat
Key References
- Official Linux Kernel Commit - Fix for CVE-2023-4623
- CVE-2023-4623 detail at NIST NVD
- Linux Kernel source code (HFSC qdisc)
Conclusion
CVE-2023-4623 is a serious local privilege escalation flaw in a rarely-audited part of the kernel. Even if you don't use HFSC qdisc directly, the presence of the vulnerable code is enough for exploitation by a local attacker.
If you are responsible for Linux deployments:
Patch your systems, restrict unprivileged access to network queue configuration, and follow local security best practices!
Timeline
Published on: 09/06/2023 14:15:12 UTC
Last modified on: 10/29/2023 02:40:35 UTC