Vulnerability in the IPv6 stack of the Linux kernel that allows remote code execution

Information has been disclosed about a vulnerability (CVE-2023-6200) in the network stack of the Linux kernel which, under certain circumstances, allows an attacker on the local network to achieve execution of their code by sending a specially crafted ICMPv6 packet carrying an RA (Router Advertisement) message, the message type intended to advertise information about a router.

The vulnerability can only be exploited from the local network and affects systems with IPv6 support enabled and the sysctl parameter "net.ipv6.conf.<network_interface_name>.accept_ra" active (this can be checked with the command "sysctl net.ipv6.conf | grep accept_ra"). The parameter is disabled by default in RHEL and Ubuntu for external network interfaces but enabled for the loopback interface, which allows an attack from the same system.

The vulnerability is caused by a race condition when the garbage collector processes stale fib6_info records, which can lead to access to an already freed memory area (use-after-free). When an ICMPv6 packet with a router advertisement (RA) message is received, the network stack calls the ndisc_router_discovery() function which, if the RA message carries a route lifetime, calls fib6_set_expires() and fills in the gc_link structure. Stale entries are cleaned up by the fib6_clean_expires() function, which detaches the entry from gc_link and frees the memory used by the fib6_info structure. There is thus a window in which the memory for the fib6_info structure has already been freed while the reference to it remains in the gc_link structure.

The vulnerability was introduced in the 6.6 branch and fixed in versions 6.6.9 and 6.7. The status of the fix in distributions can be tracked on these pages: Debian, Ubuntu, SUSE, RHEL, Fedora, Arch Linux, Gentoo, Slackware. Among the distributions that ship packages with the 6.6 kernel are Arch Linux, Gentoo, Fedora, Slackware, OpenMandriva and Manjaro; in other distributions the faulty change may have been backported into packages with older kernel branches (for example, Debian lists the package with kernel 6.5.13 as vulnerable, although the problematic change appeared in the 6.6 branch). As a workaround, you can disable IPv6 or set the "net.ipv6.conf.*.accept_ra" parameters to 0.
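The following script is an added example, not part of the opennet.ru article, that turns the check mentioned above (sysctl net.ipv6.conf | grep accept_ra) and the workaround (accept_ra set to 0) into an audit a defender can run: it parses sysctl output for interfaces that still accept Router Advertisements, prints the corresponding workaround command for each, and flags whether a kernel version string falls in the range the article names as affected (6.6.0 up to, but not including, 6.6.9). The function names and the sample sysctl output are constructed for this example; the version check is only a hint, since distributions that backported the faulty change into older branches (the article mentions Debian's 6.5.13) are not caught by it.

```shell
#!/bin/sh
# Added example (not from the article): audit accept_ra exposure for CVE-2023-6200.

# Constructed sample in the same form as "sysctl net.ipv6.conf" output.
# accept_ra is 1 on all/default/lo and 0 on eth0; the accept_ra_defrtr line
# must not be mistaken for an accept_ra entry.
SAMPLE_SYSCTL='net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 0
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.lo.accept_ra = 1'

# Reads sysctl-style lines on stdin and prints, one per line, the names of
# interfaces (including the "all" and "default" pseudo-entries) whose
# accept_ra value is non-zero, i.e. which still process RA messages.
accept_ra_enabled_ifaces() {
    sed -n 's/^net\.ipv6\.conf\.\([^.]*\)\.accept_ra = \([0-9]*\)$/\1 \2/p' |
        awk '$2 != 0 { print $1 }'
}

# Reads interface names on stdin and prints the workaround command from the
# article for each one (the commands are printed, not executed).
accept_ra_workaround_commands() {
    while read -r iface; do
        printf 'sysctl -w net.ipv6.conf.%s.accept_ra=0\n' "$iface"
    done
}

# Returns 0 (true) when the given kernel version string, e.g. "6.6.3" or
# "6.6.0-14-generic", lies in the range 6.6.0 <= version < 6.6.9 stated in the
# article. Backported fixes or backported bugs are outside what this can see.
kernel_in_affected_range() {
    ver=${1%%-*}                       # drop "-generic", "-arch1-1" style suffixes
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}                  # "6.6" with no patch level counts as 6.6.0
    [ "$major" -eq 6 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 9 ]
}

# Runs the parser over the constructed sample so the script works offline.
demo_on_sample() {
    printf '%s\n' "$SAMPLE_SYSCTL" | accept_ra_enabled_ifaces | accept_ra_workaround_commands
}

# Audits the running system; only invoked when the script is called with --live.
audit_live_system() {
    kver=$(uname -r)
    if kernel_in_affected_range "$kver"; then
        echo "kernel $kver is inside the 6.6.0-6.6.8 range the advisory names as affected"
    else
        echo "kernel $kver is outside the 6.6.0-6.6.8 range (distribution backports may still apply)"
    fi
    sysctl net.ipv6.conf 2>/dev/null | accept_ra_enabled_ifaces | accept_ra_workaround_commands
}

if [ "${1:-}" = "--live" ]; then
    audit_live_system
elif [ "${1:-}" = "--demo" ]; then
    demo_on_sample
fi
```

Run it with --demo to see the parser applied to the embedded sample, or with --live on a host to list the interfaces that still accept RAs together with the sysctl -w command that disables the setting on each. Note that the loopback interface appears in the list on RHEL and Ubuntu defaults, matching the article's point that the attack is possible from the same system.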

Source: opennet.ru