Linux Kernel’s IPv6 Implementation Flaw Let Attackers Execute Arbitrary Code

With a CVSS score of 7.5, a high-severity IPv6 implementation issue in the Linux kernel identified as CVE-2023-6200 allowed attackers to execute arbitrary code execution.

Due to this vulnerability, an attacker from an adjacent network may be able to transmit an ICMPv6 router advertisement packet, which is a crucial part of the IPv6 protocol.

“A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution”, reads the advisory from RedHat.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Specifics of the Linux Kernel’s IPv6 Implementation Flaw

While data is transferred between nodes via the Internet protocol (IP), other tasks such as error reporting, router discovery, diagnostics, and others must also be completed for IP to work reliably. The Internet Control Message Protocol (ICMPv6) handles all of these functions in IPv6.

ICMPv6 offers a framework for Multicast Listener Discovery (MLD) and Neighbor Discovery (ND), which handle the functions of communicating multicast group membership information (the equivalent of the IGMP protocol in IPv4) and resolving addresses (done by ARP in IPv4).

“To trigger this issue, the attacker must be on the local network, IPV6, and the parameter net.ipv6.conf must be enabled.[NIC].accept_ra enabled”, reads the advisory.

For Red Hat Enterprise Linux, net.ipv6.conf.[NIC].accept_ra is disabled by default. Only local attacks are feasible in the configuration that is set by default.

Mitigation

The local network is the only place where a remote attack might be possible. If param net.ipv6.conf.[NIC].accept_ra is disabled, then it is not possible.

Check this param value with the following command:

  • cat /proc/sys/net/ipv6/conf/default/accept_ra
  • or /proc/sys/net/ipv6/conf/eth0/accept_ra

(where eth0 is the name of the networking interface).

IPV6 is deactivated if you cannot execute this or if a similar command and parameter accept_ra are unavailable.

Complete IPV6 disabling is achieved if it is not being utilized, and instructions for doing so are available.

Fixes Released

This vulnerability is fixed by upgrading to kernel 6.7-rc7. Therefore, users are advised to update to the most recent version.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.