Mitigation for CVE-2023-0461

Description

There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, a user can install a TLS context (struct tls_context) on a connected TCP socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c

CVE-2023-0461

Status from SUSE: https://www.suse.com/security/cve/CVE-2023-0461.html

Mitigation

While the underlying CVE is being addressed by SUSE, UANs can mitigate this issue by unbonding the CAN (if it is being used), and unloading the TLS kernel module after blocking the kernel from being loaded again.

The following mitigation script will perform the following actions:

  1. Select the first BONDING_SLAVE0 from ifcfg-bond0 if it exists
  2. Replace bond0 in ifcfg-can0 with the BONDING_SLAVE0 interface
  3. Reload interfaces
  4. Add a deny list for the tls module
  5. Unload bonding and tls kernel modules provided mlx5_core is not present
  6. Fail if mlx5_core is detected to highlight that the mitigation failed

Important: This mitigation is intended for UANs that meet the following criteria:

  • The UANs are connected to HPE Aruba network switches (lcap-individual must be set for other switch types to allow for unbonded CAN connections)
  • The UANs use HPE Slingshot HSN NICs and not Mellanox ConnectX-5 HSN NICs.

Procedure

Update the active CFS configuration with the following changes so that Node Personalization applies the change to the UANs:

diff --git a/mitigate-uan-cve-2023-0461.sh b/mitigate-uan-cve-2023-0461.sh
new file mode 100755
index 0000000..1ced634
--- /dev/null
+++ b/mitigate-uan-cve-2023-0461.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Select the BONDING_SLAVE0 as the unbonded interface and create a new ifcfg file
+if [ -f /etc/sysconfig/network/ifcfg-bond0 ] && grep -q BONDING_SLAVE0 /etc/sysconfig/network/ifcfg-bond0; then
+  ifname=$(grep BONDING_SLAVE0 /etc/sysconfig/network/ifcfg-bond0 | awk -F= '{print $2}' | tr -d \'\")
+  sed -i -e "s/bond0/$ifname/g" /etc/sysconfig/network/ifcfg-can0
+  cat << EOF > /etc/sysconfig/network/ifcfg-$ifname
+STARTMODE='auto'
+BOOTPROTO='static'
+EOF
+  rm /etc/sysconfig/network/ifcfg-bond0
+fi
+
+# Reload interfaces to bring up the unbonded can
+wicked ifreload all
+
+# Create a blacklist file and unload bonding tls
+cat << EOF > /etc/modprobe.d/66-blacklist-tls.conf
+blacklist tls
+install tls /bin/true
+EOF
+
+# This will fail on mellanox systems as mlx5_core depends on tls
+# Failure of this script will in
+if modinfo mlx5_core &> /dev/null; then
+  rmmod bonding tls
+else
+  echo "Can't rmmod tls as mlx5_core depends on it"
+  exit 1
+fi
+
+exit 0
diff --git a/site.yml b/site.yml
index 674ab30..ad166cf 100644
--- a/site.yml
+++ b/site.yml
@@ -92,6 +92,8 @@
         - uan_interfaces
         - uan_ldap
         - uan_hardening
+    - name: Bond interface mitigation
+      script: mitigate-uan-cve-2023-0461.sh

After UAN images are built to address the CVE, remove this mitigation script.