CVE-2023-1281 & CVE-2023-1829: Linux Kernel Privilege Escalation Vulnerabilities
Two significant vulnerabilities in the Linux kernel, CVE-2023-1281, and CVE-2023-1829, have been identified, with the potential to allow local attackers to escalate their privileges to root.
CVE-2023-1281 (CVSS score of 7.8): The Race Condition to Privilege Escalation
Affecting Linux Kernel versions since 4.14, CVE-2023-1281 is a race condition vulnerability leading to a use-after-free when updating imperfect hash filters. The bug arises from the imperfect hash area being updated while packets are traversing. As a result, a use-after-free occurs when ‘tcf_exts_exec()’ is called with the destroyed tcf_ext. Attackers exploiting this vulnerability can elevate their privileges to root.
Mitigating CVE-2023-1281 requires disabling unprivileged user namespaces, as attackers need CAP_NET_ADMIN to create or change classifiers. The Linux kernel maintainers have patched this vulnerability in the git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.
CVE-2023-1829 (CVSS score of 7.8): A Perfect Storm for Privilege Escalation
Present since the beginning of the git history (2.6.12-rc2) and becoming exploitable after net/sched netlink interface exposure to user namespaces in version 3.8, CVE-2023-1829 is a use-after-free vulnerability. It occurs when deleting a perfect hash filter in the tcindex_delete() function.
The tcindex_delete function fails to properly deactivate filters in the case of perfect hashes. Consequently, the underlying structure is double-freed, providing an opportunity for local attackers to escalate their privileges to root.
To mitigate CVE-2023-1829, kernel maintainers have decided to remove the entire tcindex classifier due to the lack of known users and a high number of issues within the code. Disabling unprivileged user namespaces can also help, as CAP_NET_ADMIN is required for attackers to create or change classifiers.