Vulnerability in the Linux kernel IPv6 stack that allows remote code execution

Brother

We have disclosed information about a vulnerability (CVE-2023-6200) in the Linux kernel network stack which, under certain circumstances, allows an attacker on the local network to execute their code by sending a specially crafted ICMPv6 packet carrying an RA (Router Advertisement) message, the message type used to announce router information.

The vulnerability can only be exploited from the local network and affects systems with IPv6 enabled and the sysctl parameter "net.ipv6.conf.<interface_name>.accept_ra" turned on (check with the command "sysctl net.ipv6.conf | grep accept_ra"). In RHEL and Ubuntu this parameter is disabled by default for external network interfaces but enabled for the loopback interface, which allows an attack from within the same system.

The vulnerability is caused by a race condition when the garbage collector processes outdated fib6_info records, which can lead to access to an already freed memory area (use-after-free). When an ICMPv6 packet with a router advertisement message (RA, Router Advertisement) is received, the network stack calls the ndisc_router_discovery() function, which, if the RA message carries route lifetime data, calls the fib6_set_expires() function and fills in the gc_link structure. To clean up stale records, the fib6_clean_expires() function is used, which detaches the gc_link entry and frees the memory used by the fib6_info structure. There is a window in which the memory for the fib6_info structure has already been released while the reference to it is still present in the gc_link structure.

The vulnerability appears starting from the 6.6 branch and is fixed in versions 6.6.9 and 6.7. Distributions shipping packages with the 6.6 kernel include Arch Linux, Gentoo, Fedora, Slackware, OpenMandriva and Manjaro. Other distributions may have backported the faulty change into packages based on older kernel branches (for example, Debian notes that a package with the 6.5.13 kernel is vulnerable, even though the problematic change appeared in the 6.6 branch). As a workaround, you can disable IPv6 or set the "net.ipv6.conf.*.accept_ra" parameters to 0.
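A small audit script, added here as an example and not part of the original post, that checks the two conditions named above: a kernel in the 6.6.0 to 6.6.8 range and any interface (loopback included) with accept_ra enabled. The function and file names are mine, and the version check is only a heuristic because, as noted, some distributions backported the faulty change to older branches.

```sh
#!/bin/sh
# Added example: audit a host for CVE-2023-6200 exposure as described in the post.

# Read "sysctl net.ipv6.conf" output on stdin and print the name of every
# interface whose accept_ra value is non-zero, one per line.
accept_ra_enabled() {
    awk -F' = ' '
        $1 ~ /^net\.ipv6\.conf\.[^.]+\.accept_ra$/ && $2 != 0 {
            sub(/^net\.ipv6\.conf\./, "", $1)
            sub(/\.accept_ra$/, "", $1)
            print $1
        }'
}

# Succeed when the version string lies in 6.6.0 .. 6.6.8 (affected per the
# post; fixed in 6.6.9 and 6.7). Distro suffixes such as "-arch1-1" are
# dropped. Heuristic only: backports to older branches are not detected.
kernel_affected() {
    base=${1%%-*}
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0          # "6.6" has no patch level
    case "$major$minor$patch" in *[!0-9]*) return 1 ;; esac
    [ "$major" -eq 6 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 9 ]
}

# Live check of the current host (read-only; sysctl may be absent in a sandbox).
audit_host() {
    ver=$(uname -r)
    if kernel_affected "$ver"; then
        echo "kernel $ver is in the affected 6.6.0-6.6.8 range"
    fi
    ifaces=$(sysctl net.ipv6.conf 2>/dev/null | accept_ra_enabled)
    if [ -n "$ifaces" ]; then
        echo "accept_ra enabled on: $(echo "$ifaces" | tr '\n' ' ')"
        echo "workaround: sysctl -w net.ipv6.conf.<iface>.accept_ra=0, or disable IPv6"
    fi
}

audit_host
```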
 