CVE-2023-5178 – Arbitrary Code Execution: Linux NVMe-oF/TCP Driver’s Alarming Flaw
What is NVMe-oF/TCP?
NVMe over Fabrics (NVMe-oF) is a protocol that extends the parallelism and efficiencies of the NVMe block protocol over network fabrics such as RDMA, Fibre Channel, and TCP. SPDK provides both a user space NVMe-oF target and initiator that extends the software efficiencies of the rest of the SPDK stack over the network.
What is the vulnerability?
CVE-2023-5178 (CVSS score 8.8) is a logical bug in the NVMe-oF/TCP subsystem of the Linux kernel. An attacker can trigger it to create a use-after-free (UAF) condition, in which memory that has already been freed is accessed again. A UAF can lead to a variety of security consequences, including arbitrary code execution.
Located in drivers/nvme/target/tcp.c, the vulnerability specifically resides in the function nvmet_tcp_free_crypto. It’s a ticking time bomb for any Linux machine operating with NVMe-oF/TCP enabled, specifically those running Linux version 5.15 and above.
“A use-after-free vulnerability was found in drivers/nvme/target/tcp.c in nvmet_tcp_free_crypto due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation in case the attacker already has local privileges,” Red Hat wrote.
Awareness of the flaw is growing, especially given the release of proof-of-concept exploit code. Developers and security experts are racing against the clock to patch this vulnerability, and an official fix is in the pipeline.
What can you do to protect yourself?
For those managing or operating Linux systems, especially those with NVMe-oF/TCP enabled, immediate steps should be taken:
- Stay Informed: Keep abreast of announcements regarding the official patch. Once it’s released, apply it without delay.
- Monitor Activity: Be extra vigilant in monitoring system and network activity for any unusual or unexpected behaviors.
- Limit Access: Restrict NVMe-oF/TCP server access to trusted entities only, minimizing potential exposure.
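To put the "Limit Access" step into practice, here is an added example (not from the advisory or the kernel project) that audits a host for configured NVMe-oF/TCP target ports by reading the nvmet configfs tree. It assumes the standard layout under /sys/kernel/config/nvmet (ports/<id>/addr_trtype, addr_traddr, addr_trsvcid and a subsystems/ directory of links), which normally requires root to read; the root directory can be overridden for testing.

```shell
#!/bin/sh
# Added example: list NVMe-oF/TCP target ports exposed by the nvmet target.
# Assumed configfs layout: <root>/ports/<id>/{addr_trtype,addr_traddr,
# addr_trsvcid,subsystems/}. <root> defaults to /sys/kernel/config/nvmet.

# Prints one line per TCP port: "<id> <traddr> <trsvcid> <nsubsys> <scope>"
# where scope is "all-interfaces" for a wildcard bind and "bound" otherwise.
# Returns 0 when no NVMe-oF/TCP port is configured, 1 when at least one is.
nvmet_tcp_audit() {
    root="${1:-/sys/kernel/config/nvmet}"
    found=0
    for port in "$root"/ports/*/; do
        [ -d "$port" ] || continue
        trtype=$(cat "$port/addr_trtype" 2>/dev/null)
        [ "$trtype" = "tcp" ] || continue
        found=1
        traddr=$(cat "$port/addr_traddr" 2>/dev/null)
        trsvcid=$(cat "$port/addr_trsvcid" 2>/dev/null)
        # Count subsystems (NQNs) exported through this port.
        nsubsys=$(find "$port/subsystems" -mindepth 1 -maxdepth 1 2>/dev/null \
                  | wc -l | tr -d ' ')
        case "$traddr" in
            0.0.0.0|::|"") scope="all-interfaces" ;;
            *)             scope="bound" ;;
        esac
        printf '%s %s %s %s %s\n' "$(basename "$port")" "$traddr" \
               "$trsvcid" "$nsubsys" "$scope"
    done
    if [ "$found" -eq 0 ]; then return 0; fi
    return 1
}

# Usage: run with --run on the target host (as root) to print exposed ports.
if [ "${1:-}" = "--run" ]; then
    nvmet_tcp_audit || echo "NVMe-oF/TCP port(s) present: restrict access and confirm the CVE-2023-5178 fix is applied"
fi
```

A port reported as "all-interfaces" is reachable from any network the host is attached to and is the first candidate for a firewall rule or a rebind to a storage-only interface.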