A vulnerability found in the Linux IPv6 stack allows arbitrary code execution


If exploited, the flaw lets an attacker on the same network segment execute arbitrary code on the affected host.

Details were recently published of a flaw in the IPv6 stack of the Linux kernel, tracked as CVE-2023-6200 and rated 7.5 on the CVSS scale. The bug was introduced in the 6.6 branch of the kernel and is a fairly serious problem, since it allows an attacker on the same network to execute code on the target.

It is reported that this bug in the kernel's network stack can, under certain conditions, allow an attacker on the local network to execute malicious code. The vulnerability is triggered by sending a specially crafted ICMPv6 packet carrying a Router Advertisement (RA) message, the message type that routers use to advertise their presence and configuration to hosts on the link.

A race condition was found in the Linux kernel. Under certain conditions, an unauthenticated attacker on an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution. To trigger this issue, the attacker must be on the local network, IPv6 must be enabled, and the net.ipv6.conf parameter must be enabled...

The root cause is a race condition that occurs when the garbage collector processes expired fib6_info records, which can result in access to memory that has already been freed (a use-after-free).

Some background: while the Internet Protocol itself is what carries data between nodes, other critical tasks must be carried out for it to operate reliably, among them error reporting, router discovery, diagnostics and other functions needed for IP to work in IPv6 environments. The Internet Control Message Protocol for IPv6 (ICMPv6) is the protocol that handles these functions.

ICMPv6 also provides the framework for Multicast Listener Discovery (MLD) and Neighbor Discovery. These handle, respectively, communicating multicast group membership (the equivalent of the IGMP protocol in IPv4) and resolving addresses (the task performed by ARP in IPv4).

When an ICMPv6 packet carrying a Router Advertisement (RA) message is received, the network stack invokes the ndisc_router_discovery() function. If the RA carries a route lifetime, this function calls fib6_set_expires(), which fills in the gc_link list node so that the route is tracked by the garbage collector. Later, to clean up expired entries, fib6_clean_expires() is used, which unlinks the entry from the gc list, and the memory of the fib6_info structure is freed. The problem is a window in which the fib6_info memory has already been released while the link to it is still present in the gc list, so the garbage collector can follow a dangling pointer into freed memory.

It is important to note that this vulnerability can only be exploited from the local network, and it affects systems that have IPv6 support enabled and the sysctl parameter "net.ipv6.conf.*.accept_ra" set to a non-zero value. Although on systems such as RHEL and Ubuntu this parameter is disabled by default on external network interfaces, it is enabled for the loopback interface, which potentially allows an attack from the same system.

The vulnerability was fixed in Linux kernel versions 6.6.9 and 6.7. Among the distributions that ship packages with the 6.6 kernel, and are therefore affected, are Arch Linux, Gentoo, Fedora, Slackware, OpenMandriva and Manjaro.

In other distributions the buggy change may have been backported into packages based on older kernel branches: on Debian, for example, the package with kernel 6.5.13 is vulnerable even though the problematic change first appeared in the 6.6 branch. As a workaround, you can disable IPv6 or set the "net.ipv6.conf.*.accept_ra" parameters to 0.
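As an added example (not part of the original article or of the kernel project), the following POSIX shell script checks the preconditions described above on a host: it classifies the running kernel version against the fixed releases named here (6.6.9 and 6.7), flags anything older than the 6.6 branch for a distribution-advisory check, since the buggy change was backported (the Debian 6.5.13 package is the case cited), lists every interface whose accept_ra is non-zero, and prints, without applying them, the sysctl commands that would disable RA processing on those interfaces. The function names and the three status labels are my own; the /proc/sys base path is a parameter so the logic can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the original article: audit a host against the
# CVE-2023-6200 preconditions the article lists. Function names and the
# status labels (vulnerable / fixed / check-backport) are assumptions.
# This checks preconditions only; it does not send any packets.

# Classify a `uname -r` string. Fixed in 6.6.9 and 6.7 per the article;
# branches older than 6.6 may carry a backport of the buggy change
# (Debian's 6.5.13 package is cited), so they get "check-backport".
ra_kernel_status() {
    ver=${1%%-*}                     # drop "-generic", "-arch1-1", "-rc1" ...
    maj=${ver%%.*}; rest=${ver#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0    # "6.7" has no patch component
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    pat=${pat:-0}
    if [ "$maj" -gt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -ge 7 ]; }; then
        echo fixed
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 6 ]; then
        if [ "$pat" -ge 9 ]; then echo fixed; else echo vulnerable; fi
    else
        echo check-backport
    fi
}

# Print "<iface> <accept_ra>" for every entry under $1/net/ipv6/conf whose
# accept_ra is non-zero ($1 defaults to /proc/sys). "all" and "default"
# are included: "default" governs interfaces created later. The loopback
# entry is what the article says RHEL/Ubuntu leave enabled.
# Returns 0 when RA processing is disabled everywhere, 1 otherwise.
ra_enabled_ifaces() {
    base=${1:-/proc/sys}/net/ipv6/conf
    enabled=0
    for f in "$base"/*/accept_ra; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != 0 ]; then
            dir=${f%/accept_ra}
            echo "${dir##*/} $val"
            enabled=1
        fi
    done
    return $enabled
}

# Print, without applying, the sysctl commands (the article's workaround)
# that would disable RA processing on every entry reported above.
ra_mitigation_cmds() {
    ra_enabled_ifaces "$1" | while read -r iface _; do
        echo "sysctl -w net.ipv6.conf.$iface.accept_ra=0"
    done
}

# Put it together for the running host.
audit_host() {
    echo "kernel $(uname -r): $(ra_kernel_status "$(uname -r)")"
    if ra_enabled_ifaces >/dev/null; then
        echo "accept_ra is 0 on every interface; the RA trigger is not reachable"
    else
        echo "interfaces still processing router advertisements:"
        ra_enabled_ifaces | sed 's/^/  /'
        echo "to mitigate, run:"
        ra_mitigation_cmds | sed 's/^/  /'
    fi
}

if [ "${1-}" = "--audit" ]; then audit_host; fi
```

Run it as `sh audit.sh --audit` on the host. A "fixed" kernel status only means the upstream fix is present; for a "check-backport" result, consult the distribution's own security tracker, because a distribution kernel's version string says nothing about which upstream changes were backported into it.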

Those interested in checking the status of the fix in each distribution can do so on the respective security trackers: Debian, Ubuntu, SUSE, RHEL, Fedora, Arch Linux, Gentoo and Slackware. Last but not least, as always, we recommend that users and system administrators take the necessary precautions and apply the corresponding updates.

If you are interested in learning more, you can check the details at the following link.

