Critical Alert: CVE-2023-6200 Exploits Linux Kernel with Code Execution Risk
A new vulnerability has been found in the Linux Kernel’s IPv6 implementation. Identified as CVE-2023-6200, with a considerable CVSS score of 7.5, this flaw exposes a critical race condition within the handling of ICMPv6 packets, a key component of the IPv6 protocol.
To understand CVE-2023-6200, one must first grasp the role of ICMPv6 in IPv6 networks. ICMPv6, the successor to ICMP in IPv4, is crucial for error reporting and diagnostics. It operates similarly to its IPv4 counterpart, generating error messages like “destination unreachable” and informational messages such as echo requests and replies. However, ICMPv6 stands apart in IPv6 by using neighbor discovery with multicast addresses, as opposed to IPv4’s ARP with broadcast addresses.
The identified race condition occurs within the Linux Kernel when processing ICMPv6 router advertisement packets. Specifically, the function `ndisc_router_discovery()` is called upon receipt of such a packet. If the packet includes route information with a lifetime, `fib6_set_expires()` links it into the `gc_link`. The issue arises when `fib6_clean_expires()` unlinks the expired `gc_link` within the `struct fib6_info`, potentially leading to a Use-After-Free (UAF) situation. This can happen when other `struct fib6_info` attempts to link/unlink into the same `gc_link` or when the `gc_link` is traversed.
“Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution,” reads the security advisory.
For an attacker to exploit this vulnerability, they must be on the local network and IPV6 must be enabled with the parameter `net.ipv6.conf.[NIC].accept_ra`. By default, many distributions, including Red Hat Enterprise Linux, have `net.ipv6.conf.[NIC].accept_ra` disabled, limiting the flaw’s exploitability to local network attacks.
The remedy for CVE-2023-6200 lies in updating to Linux kernel version 6.7-rc7, which contains the necessary fix. Users can also mitigate the risk by ensuring the `accept_ra` parameter is disabled, which can be verified via commands like `cat /proc/sys/net/ipv6/conf/default/accept_ra` or `/proc/sys/net/ipv6/conf/eth0/accept_ra`. For systems not utilizing IPV6, a complete disablement is advised, with detailed instructions available on Red Hat’s solution page.
