Linux Kernel Netfilter Inner IPv6 Header Desynchronization Vulnerability Allows Transport Header Forgery

Vulnerability

A vulnerability in the Linux kernel's netfilter component has been identified, specifically within the inner packet processing of IPv6. When the function 'nft_inner_parse_l2l3()' handles inner IPv6 packets, it correctly calculates the transport header offset by traversing all extension headers. However, this accurate offset is then incorrectly overwritten, leading to a desynchronization between the inner header offset and the layer 4 protocol indicator. This flaw enables transport header forgery and could potentially bypass firewall rules. The vulnerability affects several stable versions of the Linux kernel starting from 6.2.
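A userspace model of the desynchronization described above, added here as an illustration and not taken from the kernel source. The names walk_ext_headers(), parse_desynced() and view_is_consistent() and the sample packet are hypothetical, and the value the offset is reset to (the end of the fixed 40-byte IPv6 header) is an assumption, since the advisory does not state it.

```c
#include <stddef.h>
#include <stdint.h>

enum { IPV6_HDR_LEN = 40, NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_DSTOPTS = 60 };

struct l4_view { int proto; size_t thoff; };   /* what later rule matching trusts */

/* Constructed sample: IPv6 header, 8-byte Destination Options (PadN only), TCP header. */
static const uint8_t sample[68] = {
    [0] = 0x60, [5] = 28, [6] = NH_DSTOPTS, [7] = 64,   /* version 6, payload 28, hop limit */
    [40] = NH_TCP, [41] = 0, [42] = 1, [43] = 4,        /* next = TCP, 8 bytes long, PadN(4) */
    [60] = 0x50,                                        /* TCP data offset = 5 words */
};

/* Walk the extension-header chain (fragment/AH omitted in this model);
 * on success report the layer 4 protocol together with its real offset. */
int walk_ext_headers(const uint8_t *pkt, size_t len, struct l4_view *out)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
        if (off + 2 > len)
            return -1;
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* length field is in 8-octet units */
        if (hlen > len - off)
            return -1;
        nh = pkt[off];
        off += hlen;
    }
    *out = (struct l4_view){ .proto = nh, .thoff = off };
    return 0;
}

/* Assumed model of the flaw: protocol kept from the walk, offset overwritten afterwards. */
int parse_desynced(const uint8_t *pkt, size_t len, struct l4_view *out)
{
    if (walk_ext_headers(pkt, len, out) < 0)
        return -1;
    out->thoff = IPV6_HDR_LEN;   /* overwrite: now points at the extension header */
    return 0;
}

/* Regression-style check: offset and protocol must both come from the same walk. */
int view_is_consistent(const uint8_t *pkt, size_t len, const struct l4_view *v)
{
    struct l4_view ref;
    return walk_ext_headers(pkt, len, &ref) == 0 && ref.proto == v->proto && ref.thoff == v->thoff;
}
```

On the sample packet the walk reports TCP at offset 48, while the desynchronized view reports TCP at offset 40, so any match on transport fields would read Destination Options bytes instead of the TCP header.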

Impact

Exploitation of this vulnerability could lead to unauthorized modification of transport headers in IPv6 packets, allowing for the creation of deceptive packet payloads that could bypass firewall protections.

Reproduction

To reproduce this vulnerability, create a scenario where inner IPv6 packets are processed by the netfilter component of the Linux kernel. The 'nft_inner_parse_l2l3()' function will incorrectly overwrite the transport header offset, causing a desynchronization that can be exploited to forge transport headers and bypass firewall rules.

Remediation

Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability.

Added: Jun 3, 2026, 6:46 PM
Updated: Jun 3, 2026, 6:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 9.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.