Linux Kernel OpenVPN Module Use-After-Free Vulnerability in Packet Transmission

A use-after-free vulnerability has been identified in the OpenVPN implementation within the Linux kernel. This issue arises in the 'ovpn_net_xmit' function, where the 'skb_share_check' can free the original socket buffer (skb) if it is shared. The vulnerability occurs because the function continues to use a stale skb pointer for critical operations such as peer lookup, dropping the skb's destination, and updating peer statistics. The flaw can be exploited by manipulating the transmission of packets, potentially leading to undefined behavior or memory corruption.

Impact

Exploitation of this vulnerability can cause a use-after-free condition, which may lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending packets through an OpenVPN connection that trigger the 'skb_share_check' to free the original socket buffer while it is still needed for peer lookup and other operations. This can be done by creating a scenario where the socket buffer is shared and then processed in a way that the 'ovpn_net_xmit' function relies on the now-freed buffer.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.