Linux Kernel Vulnerabilities Expose Systems to Privilege Escalation: Flaws Detailed and Exploit Code Released

Security researchers have disclosed the technical details and proof-of-concept (PoC) exploit code for three vulnerabilities (CVE-2023-4206, CVE-2023-4207, and CVE-2023-4208) in the Linux kernel, affecting versions v3.18-rc1 through v6.5-rc4. These use-after-free vulnerabilities in the net/sched component allow local privilege escalation, enabling an unprivileged local attacker to gain control over an affected system. The vulnerabilities have been assigned a CVSS score of 7.8 (high severity).

The three vulnerabilities share a common flaw in the Linux kernel’s network scheduling components, specifically within the net/sched subsystem. This critical subsystem is responsible for traffic classification and queuing, making it an essential part of the Linux networking stack. The vulnerabilities stem from the mishandling of filter updates, which can lead to a use-after-free condition—a type of memory corruption that occurs when a program continues to use memory after it has been freed.

The vulnerabilities arise from improper handling of the tcf_result structure during filter updates in the cls_route, cls_fw, and cls_u32 components. This can result in a use-after-free scenario, potentially leading to system crashes or privilege escalation:

  • CVE-2023-4206: Use-After-Free in cls_route Component
  • CVE-2023-4207: Use-After-Free in cls_fw Component
  • CVE-2023-4208: Use-After-Free in cls_u32 Component

In a concerning development, the security researcher who discovered these flaws has also published the technical details and proof-of-concept (PoC) exploit code on GitHub [1,2,3]. While this disclosure contributes to transparency and awareness, it also increases the urgency for affected organizations to implement mitigations and prepare for potential exploitation attempts.

To mitigate the risks posed by these vulnerabilities, administrators are advised to blacklist the cls_u32 module to prevent it from loading automatically. This precautionary step can help protect systems from potential exploitation until a more permanent fix is applied.
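As an added example (not from the article or from the researcher's repositories), the following POSIX shell fragment produces the modprobe.d configuration for the mitigation above and checks /proc/modules for the affected classifiers. It extends the article's advice from cls_u32 to the other two classifiers the article names; the drop-in file name and the `install ... /bin/false` lines are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article: generate a modprobe.d
# drop-in that blocks the net/sched classifier modules named in the article
# and report whether any of them is currently loaded.

# Modules named in the article. The article's advice covers only cls_u32;
# extending it to cls_route and cls_fw is this example's assumption.
SCHED_CLS_MODULES="cls_u32 cls_route cls_fw"

# Emit a modprobe.d fragment on stdout. A plain "blacklist" line only stops
# alias-based autoloading; "install <mod> /bin/false" also fails an explicit
# load request (e.g. the kernel's request_module() when a tc filter of that
# kind is added), which is what actually keeps the code out of the kernel.
gen_modprobe_conf() {
    for m in $SCHED_CLS_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Write the fragment into the directory given as $1 (default /etc/modprobe.d).
write_modprobe_conf() {
    dir="${1:-/etc/modprobe.d}"
    gen_modprobe_conf > "$dir/disable-net-sched-cls.conf"
}

# Print the names of listed modules that are currently loaded, reading
# /proc/modules (or the file given as $1 for testing). Returns 1 if any
# of them is loaded, 0 otherwise.
loaded_cls_modules() {
    modules_file="${1:-/proc/modules}"
    found=0
    for m in $SCHED_CLS_MODULES; do
        if grep -q "^$m " "$modules_file" 2>/dev/null; then
            echo "$m"
            found=1
        fi
    done
    return $found
}
```

After installing the drop-in, an already-loaded module stays resident until it is unloaded with rmmod or the host is rebooted, so run the check again afterwards.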