CVE-2023-1076
📋 TL;DR
This Linux kernel bug leaves every tun/tap socket with its owner UID set to 0 (root) no matter who opened it. sock_init_data() assumed the struct socket it was handed sat inside a struct socket_alloc, but tun_chr_open() and tap_open() pass one embedded in their own private structs; the resulting container_of() read an overlapping field that is still NULL at that point, and the UID fell back to root (the "type confusion" named in the CVE text). Normally the opener is root anyway, because attaching to a tun/tap device needs CAP_NET_ADMIN, but when a non-root user holds that capability (file capabilities, ambient capabilities, a container profile, or an unprivileged user namespace) any filtering or routing decision keyed on the socket owner treats that user's tun/tap sockets as root's, so per-user network rules can be bypassed. Systems that expose tun/tap to non-root users holding CAP_NET_ADMIN are affected.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Non-root users with CAP_NET_ADMIN could bypass network security filters and routing policies, potentially enabling unauthorized network access or data exfiltration.
Likely Case
Network filtering bypass in specific configurations where non-root users have CAP_NET_ADMIN capability and use tun/tap interfaces.
If Mitigated
Minimal impact if systems restrict CAP_NET_ADMIN to root only or don't use tun/tap interfaces.
🎯 Exploit Status
Exploitation requires a non-root user who can open a tun/tap socket: in practice CAP_NET_ADMIN (held directly, or over a network namespace the user owns), or a persistent tun/tap device an administrator pre-created for that user with ip tuntap add ... user <name>, which can be attached to without any capability. No public exploits known as of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any kernel carrying upstream commits 66b2c338adce ("tun: tun_chr_open(): correctly initialize socket uid") and a096ccca6e50 ("tap: tap_open(): correctly initialize socket uid"), i.e. mainline 6.3 onward or a stable/distribution kernel that backports both. A kernel reporting 6.2.x is fixed only if its vendor pulled the backport; the version number alone does not tell you.
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html
Restart Required: Yes
Instructions:
1. Install your distribution's fixed kernel package (the Debian LTS advisory above lists its fixed versions; other vendors publish their own), or for a self-built kernel move to mainline 6.3 or later or cherry-pick the two commits. 2. Reboot into the new kernel; rebuilding only the tun module is not enough, since the fix also adds sock_init_data_uid() to core socket code in net/core/sock.c. 3. Confirm with the checks under "How to Verify".
🔧 Temporary Workarounds
Restrict CAP_NET_ADMIN
Linux: remove CAP_NET_ADMIN from non-root users and programs so no unprivileged process can open a tun/tap socket. setcap cannot remove a single capability; -r clears the binary's whole file capability set (re-set an explicit list afterwards if the program needs other capabilities), and capsh drops the capability from the bounding set of a command you launch:
setcap -r /path/to/program
capsh --drop=cap_net_admin -- -c 'command'
Also review systemd units (AmbientCapabilities=, CapabilityBoundingSet=), container runtime settings (--cap-add NET_ADMIN), and persistent devices handed to users with ip tuntap add ... user <name>, which let that user attach without holding the capability at all.
Disable tun/tap interfaces
Linux: if the host does not need tun/tap (VPN clients, userspace networking for VMs and rootless containers all do), unload the driver and block it from loading again. rmmod fails with EBUSY while any tun/tap device exists, a blacklist line only stops alias-based autoload (an explicit modprobe tun still succeeds, hence the install line), and on kernels built with CONFIG_TUN=y there is no module to remove:
rmmod tun
printf 'blacklist tun\ninstall tun /bin/false\n' >> /etc/modprobe.d/blacklist.conf
The macvtap/ipvtap devices go through the separate tap module; treat it the same way if those drivers are present.
🧯 If You Can't Patch
- Remove CAP_NET_ADMIN from every non-root user and service (file capabilities, ambient capabilities, container profiles) and do not hand persistent tun/tap devices to unprivileged users
- While the bug is present, do not rely on socket-owner UID matches to police tun/tap traffic; key filtering and routing rules on the interface instead (iptables -i tun+, nftables iifname "tun*") and alert on any tun/tap device created by a non-root process
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether any non-root process can obtain CAP_NET_ADMIN. File capabilities are only one source; also inspect running processes (the CapEff mask in /proc/PID/status, bit 12), systemd AmbientCapabilities=, container --cap-add NET_ADMIN, and persistent devices listed by ip tuntap show. Note that a user inside an unprivileged user namespace holds CAP_NET_ADMIN over that namespace's network stack, so on hosts that allow unprivileged user namespaces the precondition is reachable there without any host-level grant: uname -r; getcap -r / 2>/dev/null | grep -i cap_net_admin; ip tuntap show
Check Version:
uname -r
Verify Fix Applied:
The commit hashes do not appear in /proc/version, so match the running kernel against the fixed package version in your vendor's advisory, or read the package changelog where the package ships one (Debian-derived systems): uname -r; zcat /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz 2>/dev/null | grep -m1 CVE-2023-1076
For a self-built kernel, check the source tree the running kernel was built from: git merge-base --is-ancestor 66b2c338adce HEAD && git merge-base --is-ancestor a096ccca6e50 HEAD && echo patched
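The "Check if Vulnerable" step above reduces to one question: does any non-root process hold CAP_NET_ADMIN, or could it get it on exec? The script below is an added example written for this page, not code from the advisory or the kernel project. It reads the Uid: and CapEff: lines of /proc/PID/status (effective UID, 64-bit capability mask, CAP_NET_ADMIN being bit 12 per <linux/capability.h>), lists file capabilities with getcap, and lists persistent devices with ip tuntap show; it assumes a stock procfs, libcap's getcap, and iproute2 are available.

```shell
#!/bin/sh
# Added example, not from the advisory: enumerate the precondition CVE-2023-1076
# needs, i.e. a non-root UID that holds CAP_NET_ADMIN, by reading /proc/PID/status
# and by listing file capabilities that would grant it on exec.

CAP_NET_ADMIN_BIT=12   # <linux/capability.h>: CAP_NET_ADMIN is capability number 12

# status_has_nonroot_net_admin: read one /proc/PID/status document on stdin.
# Return 0 and print "uid=<euid> capeff=<mask>" when the process runs with a
# non-zero effective UID and CAP_NET_ADMIN is in its effective set; else return 1.
status_has_nonroot_net_admin() {
    st_uid='' st_capeff=''
    while IFS= read -r st_line; do
        case "$st_line" in
            Uid:*)    set -- $st_line; st_uid=$3 ;;     # fields: Uid: real effective saved fs
            CapEff:*) set -- $st_line; st_capeff=$2 ;;  # 64-bit hex mask, one bit per capability
        esac
    done
    [ -n "$st_uid" ] && [ -n "$st_capeff" ] || return 1
    [ "$st_uid" -ne 0 ] || return 1
    # shift the mask right by 12 and test the low bit; the 0x prefix makes the
    # shell parse the hex string as an integer
    [ $(( (0x$st_capeff >> $CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ] || return 1
    printf 'uid=%s capeff=%s\n' "$st_uid" "$st_capeff"
}

# scan_processes: apply the check to every live process; prints pid, uid, mask, name.
scan_processes() {
    for st_file in /proc/[0-9]*/status; do
        st_pid=${st_file#/proc/}; st_pid=${st_pid%/status}
        if st_hit=$(status_has_nonroot_net_admin < "$st_file" 2>/dev/null); then
            st_name=$(sed -n 's/^Name:[[:space:]]*//p' "$st_file")
            printf 'pid=%s %s comm=%s\n' "$st_pid" "$st_hit" "$st_name"
        fi
    done
}

# scan_file_caps: binaries whose file capabilities include cap_net_admin, which
# hand the capability to whatever non-root user executes them.
scan_file_caps() {
    getcap -r / 2>/dev/null | grep -i cap_net_admin
}

# persistent_tuntap_devices: devices pre-created with "ip tuntap add ... user X";
# attaching to one of these needs no CAP_NET_ADMIN at all.
persistent_tuntap_devices() {
    ip tuntap show 2>/dev/null
}

# Run as "sh check-cve-2023-1076.sh scan" to print all three lists.
if [ "${1:-}" = "scan" ]; then
    scan_processes
    scan_file_caps
    persistent_tuntap_devices
fi
```

The process scan deliberately tests the effective set rather than the bounding or permitted set: a setuid helper that has already dropped to a non-root euid but still carries CAP_NET_ADMIN in CapEff is exactly the case that matters here, while a process with only CAP_NET_RAW (bit 13) or CAP_NET_BIND_SERVICE (bit 11) is not flagged.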
📡 Detection & Monitoring
Log Indicators:
- auditd SYSCALL/PATH record pairs for an open of /dev/net/tun by a process whose euid is non-zero (requires a file watch, e.g. auditctl -w /dev/net/tun -p rw -k tuntap)
- New tun*/tap* links appearing in ip monitor link output or in NetworkManager/systemd-networkd logs when only root-owned VPN or VM services are expected to create them
Network Indicators:
- Traffic on tun/tap interfaces that per-user filtering or routing rules should have dropped
- Flows leaving interfaces created by unexpected services or UIDs
SIEM Query:
source=auditd key="tuntap" type=SYSCALL NOT euid="0" (pseudo-syntax for the audit watch above; join with the PATH record that shares the same audit serial to confirm the opened path was /dev/net/tun)
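The join described in the SIEM query, as an added example that is not part of the advisory: a shell function that reads raw audit.log lines, groups records by the msg=audit(TIME:SERIAL) identifier, and reports events whose SYSCALL record has a non-zero euid and whose PATH record names /dev/net/tun. It assumes the auditctl -w /dev/net/tun -p rw -k tuntap watch above is active; the sample records embedded in the block are constructed for the demonstration and are not real logs.

```shell
#!/bin/sh
# Added example, not from the advisory: flag audit events in which a non-root
# process opened /dev/net/tun. Assumes a file watch such as
#   auditctl -w /dev/net/tun -p rw -k tuntap
# is active, so each open yields a SYSCALL record and a PATH record that share
# one msg=audit(TIME:SERIAL) identifier.

# flag_nonroot_tun_opens: read raw audit.log lines on stdin; print one line per
# event whose SYSCALL record has euid != 0 and whose PATH record names /dev/net/tun.
flag_nonroot_tun_opens() {
    awk '
        # every record carries msg=audit(TIME:SERIAL); use it to join records
        {
            if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
            ev = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^type=SYSCALL / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^euid=/) euid[ev] = substr($i, 6)
                if ($i ~ /^pid=/)  pid[ev]  = substr($i, 5)
                if ($i ~ /^exe=/)  exe[ev]  = substr($i, 5)
            }
        }
        /^type=PATH / && /name="\/dev\/net\/tun"/ { tun[ev] = 1 }
        END {
            for (ev in tun)
                if ((ev in euid) && euid[ev] + 0 != 0)
                    print "event=" ev " pid=" pid[ev] " euid=" euid[ev] " exe=" exe[ev]
        }
    ' | sort
}

# Constructed sample records (not real logs). Event 6789: an unprivileged
# OpenVPN-style process opens /dev/net/tun. Event 6790: systemd-networkd does the
# same as root. Event 6791: an unprivileged process opens an unrelated device.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1683021312.345:6789): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 comm="openvpn" exe="/usr/sbin/openvpn" key="tuntap"
type=PATH msg=audit(1683021312.345:6789): item=0 name="/dev/net/tun" inode=12 dev=00:06 mode=020666 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1683021313.100:6790): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c ppid=1 pid=318 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" key="tuntap"
type=PATH msg=audit(1683021313.100:6790): item=0 name="/dev/net/tun" inode=12 dev=00:06 mode=020666 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1683021314.200:6791): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c ppid=1 pid=5150 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 comm="cat" exe="/usr/bin/cat" key="devaccess"
type=PATH msg=audit(1683021314.200:6791): item=0 name="/dev/null" inode=5 dev=00:06 mode=020666 ouid=0 ogid=0 nametype=NORMAL'

# demo: run the detector over the constructed sample and return its output.
demo() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | flag_nonroot_tun_opens
}

# Against a live system: flag_nonroot_tun_opens < /var/log/audit/audit.log
```

Matching on euid rather than uid or auid is deliberate: a service that started as root and dropped privileges, or a setuid helper, reports its post-drop identity there, which is the identity whose tun/tap socket the kernel mislabels as root's.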
🔗 References
- https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff
- https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a096ccca6e503a5c575717ff8a36ace27510ab0a
- https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html