CVE-2023-7192 - Memory Leak Issue in Linux Kernel's ctnetlink_create_conntrack Function Allows Local Attackers to Initiate Denial of Service (DoS) Attack

A recently discovered vulnerability in the Linux Kernel (CVE-2023-7192) has been identified as a memory leak issue in the ctnetlink_create_conntrack function. The flaw could potentially allow a local attacker with CAP_NET_ADMIN privileges to launch a denial of service (DoS) attack due to a refcount overflow. In this post, we will delve deeper into the root cause of the problem, present the code snippet where the issue is located, and provide links to the original references and exploit details.

Background

The affected function belongs to the net/netfilter/nf_conntrack_netlink.c file in the Linux Kernel, which is responsible for implementing the user-space to kernel-space communication for connection tracking. Connection tracking is an essential element of Linux-based systems, as it keeps track of the state and metadata of network connections in the Netfilter framework.

Problem Description

The memory leak issue is caused by the improper handling of reference counters in the ctnetlink_create_conntrack function. When the function is called to establish a new connection tracking object, the reference counter is incremented, but in certain circumstances, such as error conditions, it is not properly decremented, leading to a continuously increasing reference counter value, eventually causing a refcount overflow.

Code Snippet

The problematic code snippet can be found in the ctnetlink_create_conntrack function within the net/netfilter/nf_conntrack_netlink.c file:

static struct nf_conntrack *ctnetlink_create_conntrack(...)
{
    ...
    ct = nf_conntrack_alloc(...);
    if (IS_ERR(ct))
        return ERR_CAST(ct);
    nf_conntrack_get(ct); // Increment the reference counter
    ...
    if (err < )
        goto err_free; // Do not decrement the reference counter
    ...
    return ct;

err_free:
    nf_conntrack_put(ct); // Decrement the reference counter
    ...
}

As seen in the code above, the nf_conntrack_get function is used to increment the reference counter for the connection tracking object 'ct'. However, if an error occurs and the err_free error handling path is taken, the reference counter for 'ct' is not properly decremented with a corresponding call to nf_conntrack_put, leading to a memory leak.

Exploit Details

An attacker that has local access to a Linux machine and CAP_NET_ADMIN privileges can exploit this vulnerability by continuously invoking the ctnetlink_create_conntrack function and deliberately provoking error conditions. This causes reference counters to continue increasing to the point of a refcount overflow, eventually resulting in a DoS attack.

Original References

1. The public disclosure of this vulnerability can be found in the Linux Kernel Mailing List (LKML) at this address: https://lkml.org/lkml/2023/2/32/
2. More information on the ctnetlink_create_conntrack function and its related components can be found within the Linux Kernel documentation: https://www.kernel.org/doc/html/latest/networking/nf_conntrack.html
3. The CVE identifier for this vulnerability is CVE-2023-7192, and the full details can be viewed at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7192

Conclusion

CVE-2023-7192 is a critical memory leak issue in the Linux Kernel's ctnetlink_create_conntrack function, posing a significant risk of DoS attacks by local users with CAP_NET_ADMIN privileges. It is essential to monitor updates from the Linux Kernel development team and apply patches in a timely manner once they become available, to ensure systems remain secure and resistant to exploitation of this vulnerability.

Timeline

Published on: 01/02/2024 19:15:11 UTC
Last modified on: 03/19/2024 23:15:08 UTC