CVE-2023-0179: Linux Kernel Privilege Escalation Vulnerability

CVE-2023-0179

Security researcher Davide Ornaghi has discovered a new privilege escalation vulnerability in the Linux kernel that could allow a local attacker to execute code on affected systems with elevated privileges. Davide has also released a PoC and a write-up.

Tracked as CVE-2023-0179, the flaw has been described as a stack-based buffer overflow in the Netfilter subsystem. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root.

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network[1].

“The vulnerability consists of a stack buffer overflow due to an integer underflow vulnerability inside the nft_payload_copy_vlan function, which is invoked with nft_payload expressions as long as a VLAN tag is present in the current skb.”

CVE-2023-0179 affects Linux kernel 6.2.0-rc1. The exploitation could allow the leakage of both stack and heap addresses and, potentially, a Local Privilege Escalation to the root user via arbitrary code execution.

At present, Davide has proposed a patch and issued a mitigation for the bug. If you are unable to patch this bug, disabling unprivileged user namespaces will prevent exploitation:

sysctl -w kernel.unprivileged_userns_clone=0
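To confirm the mitigation is in effect, the following added example (not from the original article or the researcher's write-up) reports whether unprivileged user namespaces are disabled on the running kernel and whether the setting is persisted, since sysctl -w alone does not survive a reboot. The function names are hypothetical. It assumes that kernels without the distribution-specific kernel.unprivileged_userns_clone knob are covered by the mainline user.max_user_namespaces limit, and that persisted settings live in /etc/sysctl.conf or /etc/sysctl.d/*.conf.

```shell
#!/bin/sh
# Added example: audit the user-namespace mitigation (runtime and persisted).
# Paths are parameters so the logic can be run against a constructed tree.

# Print "disabled", "enabled" or "unknown" for the running kernel.
userns_runtime() {
    root="${1:-/proc/sys}"
    # Distribution patch (Debian/Ubuntu-style kernels): 0 blocks unprivileged creation.
    clone="$root/kernel/unprivileged_userns_clone"
    # Mainline limit (assumed fallback): 0 blocks all user namespace creation.
    max="$root/user/max_user_namespaces"
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo disabled
    elif [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo disabled
    elif [ -r "$clone" ] || [ -r "$max" ]; then
        echo enabled
    else
        echo unknown
    fi
}

# Print "yes" if a sysctl config file sets either knob to 0, else "no".
# Config files accept spaces around "=", unlike the sysctl -w command line.
userns_persisted() {
    etc="${1:-/etc}"
    pattern='^[[:space:]]*(kernel\.unprivileged_userns_clone|user\.max_user_namespaces)[[:space:]]*=[[:space:]]*0[[:space:]]*$'
    for f in "$etc/sysctl.conf" "$etc"/sysctl.d/*.conf; do
        [ -r "$f" ] || continue
        if grep -Eq "$pattern" "$f"; then
            echo yes
            return 0
        fi
    done
    echo no
}

echo "runtime:   $(userns_runtime)"
echo "persisted: $(userns_persisted)"
```

A result of "disabled" with "persisted: no" means the host becomes exposed again after the next reboot unless the setting is also written to a sysctl configuration file.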

Users are advised to update Linux servers immediately and apply distribution patches as soon as they are available. They are also advised to allow only trusted users to access local systems and to always monitor affected systems.