CVE-2023-49062
📋 TL;DR
Katran, a high-performance layer 4 load balancer, could leak uninitialized kernel memory in IPv4 headers due to missing initialization of the Identification field after bpf_xdp_adjust_head calls. This affects IPv4 encapsulation and ICMP Too Big packet generation, potentially exposing sensitive kernel data. All Katran deployments prior to commit 6a03106ac1eab39d0303662963589ecb2374c97f are vulnerable.
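To make the bug class concrete, here is a small C model added for this write-up (it is not Katran's code; the header struct, the 0xA5 stale-byte fill and the 10.0.0.x addresses are constructed for the illustration). It builds an outer IPv4 header over memory that still holds old bytes, once with the Identification field forgotten and once with it explicitly initialized:

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Hand-written IPv4 header layout (RFC 791) for this model: 20 bytes, no padding. */
struct ipv4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len;
    uint16_t id;        /* Identification: the field the bug leaves untouched */
    uint16_t frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};

#define STALE_BYTE 0xA5  /* constructed stand-in for leftover memory in the headroom */

/* Assigns every field except id. When the header sits in headroom that was just
 * reserved (as after bpf_xdp_adjust_head), nothing has cleared that memory. */
static void assign_fields_except_id(struct ipv4_hdr *h, uint16_t payload_len)
{
    h->ver_ihl  = 0x45;  h->tos = 0;       /* IPv4, 5-word header */
    h->tot_len  = htons(sizeof(*h) + payload_len);
    h->frag_off = 0;     h->ttl = 64;
    h->protocol = 4;     h->check = 0;     /* IP-in-IP; checksum computed later in practice */
    h->saddr    = htonl(0x0A000001);      /* 10.0.0.1, constructed */
    h->daddr    = htonl(0x0A000002);      /* 10.0.0.2, constructed */
}

/* Buggy pattern: only the assignments above, so id carries whatever was in memory. */
static void build_outer_hdr_buggy(struct ipv4_hdr *h, uint16_t len)
{
    assign_fields_except_id(h, len);
}

/* Fixed pattern: clear the whole header first, then set id explicitly. */
static void build_outer_hdr_fixed(struct ipv4_hdr *h, uint16_t len)
{
    memset(h, 0, sizeof(*h));
    assign_fields_except_id(h, len);
    h->id = 0;
}

/* Builds a header over stale memory and returns its id field in host byte order. */
uint16_t id_after_build(int fixed)
{
    struct ipv4_hdr h;
    memset(&h, STALE_BYTE, sizeof h);   /* simulate uninitialized headroom */
    if (fixed) build_outer_hdr_fixed(&h, 100); else build_outer_hdr_buggy(&h, 100);
    return ntohs(h.id);
}
```

The buggy build returns 0xA5A5, i.e. two bytes of whatever the memory held, which on a real host would be kernel data sent on the wire; the fixed build returns 0.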
💻 Affected Systems
- Katran
📦 What is this software?
Katran, Facebook's open-source XDP/eBPF-based layer 4 load balancer.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract sensitive kernel memory contents including cryptographic keys, process information, or other privileged data, potentially enabling further system compromise.
Likely Case
Information disclosure of kernel memory contents that could aid attackers in understanding system state or preparing more sophisticated attacks.
If Mitigated
Limited information leakage with minimal impact if proper network segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires sending specific IPv4 or ICMP packets to trigger the vulnerable code path. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 6a03106ac1eab39d0303662963589ecb2374c97f
Vendor Advisory: https://www.facebook.com/security/advisories/cve-2023-49062
Restart Required: Yes
Instructions:
1. Update Katran to commit 6a03106ac1eab39d0303662963589ecb2374c97f or later.
2. Recompile and redeploy the Katran binary.
3. Restart Katran services to apply the fix.
🔧 Temporary Workarounds
Disable IPv4 encapsulation
Prevent the vulnerable code path from being triggered by disabling IPv4 encapsulation features if they are not required.
# Configure Katran to disable IPv4 encapsulation features
# Check Katran configuration for encapsulation settings
Rate limit ICMP Too Big packets
Implement network-level rate limiting for ICMP Too Big (fragmentation-needed) packets to reduce exposure. Note that iptables INPUT rules apply to the host's own network stack; packets handled by Katran's XDP program are processed before netfilter, so these rules limit what reaches the host rather than what the XDP path itself emits.
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -m limit --limit 10/minute -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Katran instances from untrusted networks
- Deploy network monitoring to detect unusual ICMP or IPv4 encapsulation traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check the Katran version or deployed git commit hash. If it is prior to 6a03106ac1eab39d0303662963589ecb2374c97f, the system is vulnerable.
Check Version:
katran --version || check git commit hash in deployment
Verify Fix Applied:
Verify Katran is running with commit 6a03106ac1eab39d0303662963589ecb2374c97f or later. Test IPv4 encapsulation and ICMP Too Big packet handling.
📡 Detection & Monitoring
Log Indicators:
- Unusual ICMP Too Big packet generation logs
- IPv4 encapsulation activity spikes
Network Indicators:
- Excessive ICMP fragmentation-needed packets to Katran instances
- Unusual IPv4 encapsulation traffic patterns
SIEM Query:
source="katran.log" AND ("ICMP Too Big" OR "fragmentation-needed" OR "encapsulation")
🔗 References
- https://github.com/facebookincubator/katran/commit/6a03106ac1eab39d0303662963589ecb2374c97f
- https://www.facebook.com/security/advisories/cve-2023-49062