CVE-2023-35788 Overview
CVE-2023-35788 is a critical out-of-bounds write vulnerability in the Linux kernel's flower traffic classifier (cls_flower). The flaw is in the fl_set_geneve_opt function in net/sched/cls_flower.c: insufficient bounds checking while processing TCA_FLOWER_KEY_ENC_OPTS_GENEVE netlink attributes lets an attacker write beyond the allocated buffer. The vulnerability affects Linux kernel versions prior to 6.3.7 and can lead to denial of service or privilege escalation on vulnerable systems.
Critical Impact
Local attackers with limited privileges can exploit this out-of-bounds write vulnerability to crash the system (denial of service) or escalate their privileges to gain root access on affected Linux systems.
Affected Products
- Linux Kernel (versions before 6.3.7)
- Debian Linux (versions 10.0, 11.0, 12.0)
- Canonical Ubuntu Linux (14.04 ESM, 16.04 ESM, 18.04 LTS, 20.04 LTS, 22.04 LTS)
- NetApp H300S, H500S, H700S, H410S, H410C (and associated firmware)
Discovery Timeline
- 2023-06-16 - CVE-2023-35788 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2023-35788
Vulnerability Analysis
The vulnerability resides in the flower classifier module (cls_flower), a component of the Linux kernel's Traffic Control (TC) subsystem used for packet classification and filtering. The fl_set_geneve_opt function is responsible for processing GENEVE (Generic Network Virtualization Encapsulation) tunnel options when configuring flower classifier rules.
The root cause is insufficient validation of user-supplied data when handling TCA_FLOWER_KEY_ENC_OPTS_GENEVE netlink attributes. When a specially crafted netlink message is processed, the function fails to verify the destination buffer boundaries before writing GENEVE option data, resulting in an out-of-bounds write. This class of memory corruption (CWE-787) is particularly dangerous in kernel space because it can corrupt critical kernel data structures.
Successful exploitation requires local access and the ability to configure network traffic control rules, typically requiring CAP_NET_ADMIN capability. However, in containerized environments or systems with relaxed privilege configurations, this requirement may be more easily satisfied.
Root Cause
The vulnerability stems from improper input validation in the fl_set_geneve_opt function. When parsing GENEVE encapsulation options from netlink attributes, the code does not adequately validate the length of option data before copying it into a fixed-size buffer. This allows an attacker to specify option data that exceeds the expected buffer size, causing memory corruption beyond the allocated region.
The fix implemented in kernel commit 4d56304e5827c8cc8cc18c75343d283af7c4825c adds proper bounds checking to ensure that GENEVE option data cannot exceed the allocated buffer size, preventing the out-of-bounds write condition.
Attack Vector
The attack requires local access to the system with the ability to send netlink messages to the kernel's traffic control subsystem. An attacker would craft a malicious netlink message containing specially constructed TCA_FLOWER_KEY_ENC_OPTS_GENEVE attributes designed to trigger the out-of-bounds write.
The exploitation mechanism involves sending crafted TC flower classifier configuration requests through the netlink interface. When the kernel processes these requests, the vulnerable fl_set_geneve_opt function writes beyond allocated memory boundaries, potentially corrupting adjacent kernel memory structures.
Depending on the memory layout and the attacker's ability to control the written data, exploitation could result in kernel panic (denial of service) or more sophisticated attacks involving privilege escalation through corrupting security-sensitive kernel data structures.
Detection Methods for CVE-2023-35788
Indicators of Compromise
- Unexpected kernel panics or system crashes, particularly when TC flower classifier rules are being configured
- Kernel log messages indicating memory corruption or invalid memory access in the cls_flower module
- Unusual netlink traffic patterns related to traffic control rule configuration
- Evidence of privilege escalation from unprivileged accounts to root
Detection Strategies
- Monitor kernel logs for out-of-bounds access warnings or memory corruption indicators in the networking subsystem
- Implement syscall auditing for RTM_NEWTFILTER netlink messages with TC flower classifier actions
- Deploy kernel-level integrity monitoring to detect unexpected modifications to kernel memory regions
- Use security tools capable of detecting exploitation attempts targeting the traffic control subsystem
Monitoring Recommendations
- Enable kernel auditing for network namespace and traffic control operations
- Configure alerting on kernel panic events, especially those originating from networking code paths
- Monitor for processes attempting to configure TC flower rules with GENEVE encapsulation options
- Implement runtime kernel exploit detection mechanisms to identify memory corruption attacks
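The first detection strategy above (scanning kernel logs for memory-corruption reports in the networking subsystem) can be scripted. The following is an added example and is not part of the original advisory: it greps a saved kernel log for the signatures a fault in fl_set_geneve_opt would leave (a KASAN report, a generic oops, or a cls_flower stack frame) and rates the result. The pattern list is an assumption of this example rather than an official signature, and the two log files it builds are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a kernel log for crash
# signatures that point at the cls_flower GENEVE option parser.
# The sample logs below are constructed for this example.

# Signatures a memory-safety fault in fl_set_geneve_opt would typically leave in
# dmesg. KASAN lines only appear on kernels built with KASAN; production kernels
# usually show a plain oops instead, which is why the generic BUG/GPF patterns
# are included. This list is an assumption, not an official detection signature.
FLOWER_PATTERNS='slab-out-of-bounds|KASAN|BUG: unable to handle|general protection fault|fl_set_geneve_opt|cls_flower'

# scan_kernel_log FILE: print every matching line (prints nothing if none match)
scan_kernel_log() {
    grep -E "$FLOWER_PATTERNS" "$1" || :
}

# count_flower_hits FILE: print the number of matching lines ("0" if none)
count_flower_hits() {
    grep -Ec "$FLOWER_PATTERNS" "$1" || :
}

# classify_log FILE: "strong" when a frame in fl_set_geneve_opt itself appears,
# "weak" when only generic corruption or cls_flower lines appear (the module is
# named in routine messages too), "none" otherwise.
classify_log() {
    if grep -q 'fl_set_geneve_opt' "$1"; then
        echo strong
    elif grep -Eq "$FLOWER_PATTERNS" "$1"; then
        echo weak
    else
        echo none
    fi
}

# --- constructed sample logs (offsets and addresses are made up) --------------
SAMPLE_CRASH_LOG=$(mktemp)
cat > "$SAMPLE_CRASH_LOG" <<'EOF'
[  120.417201] systemd[1]: Started Network Manager.
[  845.102933] ==================================================================
[  845.103001] BUG: KASAN: slab-out-of-bounds in fl_set_geneve_opt+0x1c3/0x4b0 [cls_flower]
[  845.103120] Write of size 4 at addr ffff888000000000 by task tc/2481
[  845.103250] Call Trace:
[  845.103300]  fl_set_key+0x9d2/0x1e40 [cls_flower]
[  845.103350]  fl_change+0x4c1/0x2100 [cls_flower]
[  845.103400]  tc_new_tfilter+0x8a0/0x1b30
EOF

SAMPLE_CLEAN_LOG=$(mktemp)
cat > "$SAMPLE_CLEAN_LOG" <<'EOF'
[   10.120000] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[   55.310000] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex
EOF

# Demo run against the constructed logs; on a live host use
#   dmesg > /tmp/kern.log && classify_log /tmp/kern.log
echo "crash sample: $(classify_log "$SAMPLE_CRASH_LOG") ($(count_flower_hits "$SAMPLE_CRASH_LOG") matching lines)"
echo "clean sample: $(classify_log "$SAMPLE_CLEAN_LOG")"
```

A "strong" result on a host that is below the fix level is worth an incident ticket; a "weak" result usually needs the surrounding lines read by hand, because cls_flower is also mentioned when filters are added and removed normally.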
How to Mitigate CVE-2023-35788
Immediate Actions Required
- Update the Linux kernel to version 6.3.7 or later on all affected systems
- Apply vendor-specific security patches from Debian, Ubuntu, or your distribution maintainer
- Review and restrict access to the CAP_NET_ADMIN capability to minimize the attack surface
- Consider temporarily disabling the cls_flower module if not required for production operations
Patch Information
The vulnerability was addressed in Linux kernel version 6.3.7. The specific fix is available in commit 4d56304e5827c8cc8cc18c75343d283af7c4825c, which adds proper bounds validation in the fl_set_geneve_opt function. Major Linux distributions have released security updates incorporating this fix:
- Linux Kernel ChangeLog 6.3.7
- Debian Security Advisory DSA-5448
- Debian Security Advisory DSA-5480
- NetApp Security Advisory NTAP-20230714-0002
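The patch information above gives the upstream fix release, but distribution kernels carry the fix as a backport under their own version numbers, so a bare version comparison is only a first filter. The following added example (not part of the original advisory or of any distribution's tooling) compares a kernel release string against 6.3.7 numerically, checks whether cls_flower is currently loaded, and combines the two into an exposure status; the /proc/modules samples it reads are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): first-pass exposure check for
# CVE-2023-35788 on a host. The /proc/modules samples below are constructed.

FIXED_VERSION=6.3.7   # upstream release that carries the fl_set_geneve_opt fix

# version_ge A B: exit 0 if kernel release A is numerically >= B.
# Anything after the first '-' (e.g. "-91-generic", "-amd64", "-rc1") is dropped,
# and the three leading numeric fields are compared as integers, so that
# 6.10.1 correctly sorts above 6.3.7 (a plain string compare would not).
version_ge() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# upstream_fixed RELEASE: exit 0 if RELEASE is at or past 6.3.7
upstream_fixed() {
    version_ge "$1" "$FIXED_VERSION"
}

# module_loaded NAME [MODULES_FILE]: exit 0 if NAME appears in /proc/modules
# (or in the file given, which is how the constructed samples are checked)
module_loaded() {
    f=${2:-/proc/modules}
    [ -r "$f" ] && grep -q "^$1 " "$f"
}

# flower_exposure RELEASE [MODULES_FILE]: prints one of
#   patched    - release is >= 6.3.7
#   exposed    - release is older AND cls_flower is loaded
#   not-loaded - release is older but cls_flower is not loaded right now
# Caveat: "exposed" means "below the upstream fix version", not proven vulnerable;
# a distribution kernel older than 6.3.7 may already contain the backported fix
# (check your distribution's advisory), and cls_flower can still be auto-loaded
# later unless an "install cls_flower /bin/false" modprobe rule is in place.
flower_exposure() {
    if upstream_fixed "$1"; then
        echo patched
    elif module_loaded cls_flower "$2"; then
        echo exposed
    else
        echo not-loaded
    fi
}

# --- constructed /proc/modules samples --------------------------------------
SAMPLE_MODULES_FLOWER=$(mktemp)
cat > "$SAMPLE_MODULES_FLOWER" <<'EOF'
cls_flower 45056 0 - Live 0x0000000000000000
act_gact 16384 0 - Live 0x0000000000000000
EOF

SAMPLE_MODULES_PLAIN=$(mktemp)
cat > "$SAMPLE_MODULES_PLAIN" <<'EOF'
act_gact 16384 0 - Live 0x0000000000000000
EOF

# Demo: the running host first, then the constructed samples
echo "this host ($(uname -r)): $(flower_exposure "$(uname -r)")"
echo "5.15.0-91-generic with flower loaded: $(flower_exposure 5.15.0-91-generic "$SAMPLE_MODULES_FLOWER")"
echo "6.3.7-arch1-1: $(flower_exposure 6.3.7-arch1-1 "$SAMPLE_MODULES_FLOWER")"
```

Treat "patched" from this script as authoritative only for mainline or stable.kernel.org builds; for Debian or Ubuntu kernels the advisory (DSA-5448, DSA-5480, or the corresponding Ubuntu update) is the source of truth and the script's "exposed" should be read as "go check".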
Workarounds
- Restrict access to the CAP_NET_ADMIN capability by auditing and limiting which users and processes can configure network traffic control
- Use kernel module blacklisting to prevent loading of cls_flower if the flower classifier is not required in your environment
- Implement network namespace isolation to contain potential exploitation attempts within restricted environments
- Deploy mandatory access control policies (SELinux/AppArmor) to limit netlink socket operations
# Temporarily prevent cls_flower from loading if it is not needed.
# A "blacklist" line only disables the module's aliases; the kernel requests the
# classifier by its exact name ("cls_flower"), so an "install" line that makes
# modprobe fail is what actually blocks on-demand loading.
echo "install cls_flower /bin/false" >> /etc/modprobe.d/blacklist-cls_flower.conf
# Unload it now (this fails while flower filters are still installed; delete them first)
modprobe -r cls_flower
# Verify kernel version after update
uname -r
# Upstream fix is in 6.3.7; distribution kernels may ship the backport under an
# older version number, so confirm against your vendor's advisory as well
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.