CVE-2023-42755 Overview
A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb (socket buffer), leading to an out-of-bounds read in the rsvp_classify function. This issue may allow a local user to crash the system and cause a denial of service.
Critical Impact
Local attackers with low privileges can exploit this vulnerability to crash the Linux kernel, causing system-wide denial of service affecting all running services and applications.
Affected Products
- Linux Linux Kernel
- Red Hat Enterprise Linux 8.0
- Debian Linux 10.0
Discovery Timeline
- 2023-10-05 - CVE-2023-42755 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-42755
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read) and resides within the IPv4 RSVP traffic classifier component of the Linux kernel. The flaw occurs when processing network packets through the RSVP classifier, where the xprt pointer can be manipulated to reference memory outside the intended bounds of the socket buffer's linear data region.
The vulnerability requires local access to exploit, meaning an attacker must already have some level of access to the target system. While the attack complexity is low and no user interaction is required, the impact is limited to availability—there is no confidentiality or integrity impact. The exploitation results in a kernel crash, effectively denying service to all users and applications on the affected system until it is restarted.
Root Cause
The root cause lies in insufficient bounds checking within the rsvp_classify function. When the RSVP classifier processes incoming network packets, it accesses transport layer header information through the xprt pointer. However, the code fails to properly validate that this pointer remains within the linear portion of the socket buffer (skb) structure. Socket buffers in the Linux kernel can store packet data in both linear and non-linear (fragmented) regions. When the xprt pointer exceeds the linear boundary without proper validation, the function reads from unintended memory locations, triggering the out-of-bounds read condition.
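The bounds check described above, as an added illustration that is not the kernel's code or the upstream patch: a user-space model in which toy_skb, key_unchecked, key_checked and sample_skb are hypothetical names, and a 64-byte array stands in for the skb with only its first linear_len bytes treated as the linear part.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-in for an skb (assumption, not the kernel struct):
 * only buf[0..linear_len) is linear; the rest models memory past it. */
struct toy_skb { uint8_t buf[64]; size_t linear_len; };

/* Unchecked pattern: xprt is derived from the IPv4 IHL field and a
 * 32-bit key is read at xprt + off with no comparison to linear_len. */
static uint32_t key_unchecked(const struct toy_skb *skb, size_t off)
{
    const uint8_t *xprt = skb->buf + ((size_t)(skb->buf[0] & 0x0f) << 2);
    uint32_t key;
    memcpy(&key, xprt + off, sizeof(key));
    return key;
}

/* Checked pattern: returns 0 and fills *key only if the IPv4 header and
 * the 4 bytes at xprt + off lie inside the linear part, else -1. */
static int key_checked(const struct toy_skb *skb, size_t off, uint32_t *key)
{
    size_t ihl, room;
    if (skb->linear_len < 20 || skb->linear_len > sizeof(skb->buf))
        return -1;
    ihl = (size_t)(skb->buf[0] & 0x0f) << 2;
    if (ihl < 20 || ihl > skb->linear_len)
        return -1;
    room = skb->linear_len - ihl;          /* linear bytes after xprt */
    if (off > room || room - off < sizeof(*key))
        return -1;
    memcpy(key, skb->buf + ihl + off, sizeof(*key));
    return 0;
}

/* Constructed sample: 24 linear bytes (IHL 5), then 0xAA filler. */
static struct toy_skb sample_skb(void)
{
    struct toy_skb skb = { .buf = { 0x45 }, .linear_len = 24 };
    memset(skb.buf + 24, 0xAA, sizeof(skb.buf) - 24);
    return skb;
}

int main(void)
{
    struct toy_skb s = sample_skb();
    uint32_t k = 0;
    printf("unchecked: 0x%08x  checked: %d\n", (unsigned)key_unchecked(&s, 8), key_checked(&s, 8, &k));
    return 0;
}
```

The unchecked read returns the 0xAA filler that lies past the linear part, while the checked version rejects the same offset and the packet is treated as a non-match.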
Attack Vector
The attack vector is local, requiring an authenticated user with low privileges on the target system. An attacker can craft or trigger specific network traffic conditions that cause the RSVP classifier to process malformed or specially constructed packets. When these packets are processed, the vulnerable code path is exercised, causing the xprt pointer to exceed the valid memory bounds and resulting in a kernel panic or crash.
The vulnerability affects systems where the RSVP traffic classifier is loaded and active. Since RSVP is primarily used for Quality of Service (QoS) traffic management in network environments, systems utilizing traffic classification for bandwidth reservation are particularly at risk.
Detection Methods for CVE-2023-42755
Indicators of Compromise
- Unexpected kernel panics or system crashes with stack traces referencing rsvp_classify or related RSVP classifier functions
- Kernel oops messages in system logs (/var/log/kern.log or dmesg) mentioning out-of-bounds access in network classifier code
- Repeated system reboots without clear cause on systems using RSVP traffic classification
Detection Strategies
- Monitor kernel logs for panic messages containing references to net/sched/cls_rsvp.c or the rsvp_classify function
- Deploy SentinelOne agents to detect anomalous kernel behavior and crash patterns indicative of exploitation attempts
- Implement kernel audit rules to track loading and usage of the cls_rsvp network classifier module
Monitoring Recommendations
- Enable kernel crash dump collection to capture detailed diagnostic information for post-incident analysis
- Configure centralized logging to aggregate kernel messages from all Linux systems for pattern detection across the environment
- Use SentinelOne's Vigilance service for 24/7 monitoring of kernel-level anomalies and potential exploitation indicators
How to Mitigate CVE-2023-42755
Immediate Actions Required
- Apply the latest kernel security updates from your Linux distribution vendor immediately
- If patching is not immediately possible, consider unloading the cls_rsvp kernel module if RSVP traffic classification is not required: modprobe -r cls_rsvp
- Review systems for any signs of exploitation by checking kernel logs for related crash messages
- Prioritize patching systems that actively use RSVP-based QoS traffic management
Patch Information
Security patches addressing this vulnerability have been released by major Linux distributions. Red Hat has published advisories RHSA-2024:2950 and RHSA-2024:3138 for affected Enterprise Linux versions. Debian has released updates documented in their LTS announcements. Additional technical details are available in the Red Hat Bugzilla report and the OSS-Sec mailing list discussion.
Workarounds
- Blacklist the cls_rsvp module to prevent it from loading automatically by adding blacklist cls_rsvp to /etc/modprobe.d/blacklist.conf
- Restrict local system access to trusted users only, as exploitation requires local authentication
- Implement defense-in-depth strategies using SentinelOne endpoint protection to detect and prevent kernel exploitation attempts
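# Disable RSVP classifier module loading
echo "blacklist cls_rsvp" >> /etc/modprobe.d/blacklist-rsvp.conf
echo "blacklist cls_rsvp6" >> /etc/modprobe.d/blacklist-rsvp.conf
# "blacklist" only suppresses alias-based autoloading; the install lines make a load by module name fail as well
echo "install cls_rsvp /bin/false" >> /etc/modprobe.d/blacklist-rsvp.conf
echo "install cls_rsvp6 /bin/false" >> /etc/modprobe.d/blacklist-rsvp.conf
# Unload module if currently loaded (if not in active use)
modprobe -r cls_rsvp 2>/dev/null || true
modprobe -r cls_rsvp6 2>/dev/null || true
# Verify module is not loaded (no output means neither module is loaded)
lsmod | grep rsvp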
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


