CVE-2023-1390 Overview
A remote denial of service vulnerability was found in the Linux kernel's TIPC (Transparent Inter-Process Communication) kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs (socket buffers), which are not in the queue. Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition.
Critical Impact
Remote attackers can cause complete system unavailability by sending two small UDP packets to systems with TIPC UDP bearer enabled, causing immediate 100% CPU utilization.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 5.11 rc1, rc2, rc3
- NetApp products using affected Linux Kernel versions
Discovery Timeline
- 2023-03-16 - CVE-2023-1390 published to NVD
- 2025-04-23 - Last updated in NVD database
Technical Details for CVE-2023-1390
Vulnerability Analysis
This denial of service vulnerability exists in the Linux kernel's TIPC protocol implementation, specifically within the tipc_link_xmit() function in net/tipc/link.c. The vulnerability stems from improper handling of empty or malformed packet queues, which can trigger an infinite loop condition when processing network traffic.
When the TIPC module receives specially crafted UDP packets, the function attempts to access message headers from an empty SKB queue without first validating that packets exist in the queue. This causes the while loop to enter an unknown state, resulting in CPU exhaustion. The attack requires network access and can be executed remotely without authentication, making it particularly dangerous for systems exposed to untrusted networks with TIPC UDP bearers configured.
Root Cause
The root cause is a missing null check and packet count validation in tipc_link_xmit(). The function originally called buf_msg(skb_peek(list)) and msg_importance(hdr) before verifying that the packet list contained any entries. When the list is empty, skb_peek() returns NULL, leading to undefined behavior when the code attempts to dereference the message header. The while loop then enters an unexpected state attempting to process a non-existent queue.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying a target system with TIPC module loaded and UDP bearer configured
- Sending two small malformed UDP packets to the target
- Triggering the infinite loop condition in tipc_link_xmit()
- Causing immediate 100% CPU utilization and system unavailability
The following patch demonstrates the fix implemented in the Linux kernel:
int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list,
struct sk_buff_head *xmitq)
{
- struct tipc_msg *hdr = buf_msg(skb_peek(list));
struct sk_buff_head *backlogq = &l->backlogq;
struct sk_buff_head *transmq = &l->transmq;
struct sk_buff *skb, *_skb;
u16 bc_ack = l->bc_rcvlink->rcv_nxt - 1;
u16 ack = l->rcv_nxt - 1;
u16 seqno = l->snd_nxt;
int pkt_cnt = skb_queue_len(list);
- int imp = msg_importance(hdr);
unsigned int mss = tipc_link_mss(l);
unsigned int cwin = l->window;
unsigned int mtu = l->mtu;
+ struct tipc_msg *hdr;
bool new_bundle;
int rc = 0;
+ int imp;
+
+ if (pkt_cnt <= 0)
+ return 0;
+ hdr = buf_msg(skb_peek(list));
if (unlikely(msg_size(hdr) > mtu)) {
pr_warn("Too large msg, purging xmit list %d %d %d %d %d!\n",
skb_queue_len(list), msg_user(hdr),
Source: Linux Kernel GitHub Commit
Detection Methods for CVE-2023-1390
Indicators of Compromise
- Sudden and sustained 100% CPU utilization on systems running Linux with TIPC module
- Unusual UDP traffic patterns targeting TIPC ports (default 6118)
- System unresponsiveness or kernel soft lockups related to TIPC processing
- Log entries indicating TIPC module errors or abnormal packet processing
Detection Strategies
- Monitor for abnormal CPU usage spikes correlated with network activity on TIPC-enabled systems
- Implement network intrusion detection rules for malformed TIPC UDP packets
- Deploy kernel-level monitoring to detect infinite loops or soft lockups in TIPC code paths
- Use SentinelOne's kernel-level visibility to detect anomalous TIPC module behavior
Monitoring Recommendations
- Enable kernel auditing for TIPC module operations and socket buffer handling
- Configure alerting thresholds for CPU utilization anomalies on critical infrastructure
- Monitor network traffic for suspicious UDP packets targeting TIPC services
- Implement SentinelOne Singularity platform for real-time kernel behavior analysis and threat detection
How to Mitigate CVE-2023-1390
Immediate Actions Required
- Update Linux kernel to a patched version containing commit b77413446408fdd256599daf00d5be72b5f3e7c6
- Disable TIPC kernel module if not required: modprobe -r tipc
- Implement firewall rules to restrict access to TIPC UDP ports from untrusted networks
- Monitor systems for signs of exploitation while patching is in progress
Patch Information
The vulnerability has been addressed through Linux kernel commit b77413446408fdd256599daf00d5be72b5f3e7c6. This patch adds a validation check to ensure the packet queue is not empty before attempting to access message headers. The fix adds if (pkt_cnt <= 0) return 0; at the beginning of tipc_link_xmit() and moves the header pointer assignment after this check. System administrators should update to kernel versions containing this fix or apply vendor-specific patches. NetApp has also released an advisory at their Security Advisory Portal for affected products.
Workarounds
- Disable TIPC module if not required for operations: echo "blacklist tipc" >> /etc/modprobe.d/blacklist.conf
- Implement network segmentation to limit exposure of TIPC services to trusted networks only
- Configure iptables or nftables rules to block UDP traffic to TIPC ports from external sources
- Consider using SentinelOne's network protection capabilities to detect and block exploitation attempts
# Configuration example
# Disable TIPC module loading
echo "blacklist tipc" >> /etc/modprobe.d/blacklist.conf
echo "install tipc /bin/false" >> /etc/modprobe.d/blacklist.conf
# Remove currently loaded TIPC module
modprobe -r tipc
# Block TIPC UDP traffic from external networks (adjust interface as needed)
iptables -A INPUT -p udp --dport 6118 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
