Bug 2173435 (CVE-2023-1076) - CVE-2023-1076 kernel: tap: tap_open(): correctly initialize socket uid
Summary: CVE-2023-1076 kernel: tap: tap_open(): correctly initialize socket uid
Keywords:
Status: NEW
Alias: CVE-2023-1076
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2212180 2212181 2212182 2212183 2212184
Blocks: 2172923
TreeView+ depends on / blocked
 
Reported: 2023-02-26 17:20 UTC by Alex
Modified: 2024-04-17 15:50 UTC (History)
41 users (show)

Fixed In Version: kernel 6.1.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and get unauthorized access to some resources.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6835 0 None None None 2023-11-09 07:10:48 UTC
Red Hat Product Errata RHSA-2023:6583 0 None None None 2023-11-07 08:20:12 UTC

Description Alex 2023-02-26 17:20:14 UTC
A flaw found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function.
While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability.
This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.

References:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a096ccca6e503a5c575717ff8a36ace27510ab0a

Comment 3 Alex 2023-06-04 14:35:58 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2212180]

Comment 5 Justin M. Forbes 2023-06-05 12:35:19 UTC
This was fixed for Fedora with the 6.1.16 stable kernel updates.

Comment 9 Laszlo Ersek 2023-07-31 16:46:25 UTC
[PATCH 0/2] tun/tap: set sk_uid from current_fsuid()
Message-Id: <20230731164237.48365-1-lersek>
https://lore.kernel.org/all/20230731164237.48365-1-lersek@redhat.com/

Comment 12 errata-xmlrpc 2023-11-07 08:20:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583


Note You need to log in before you can comment on or make changes to this bug.