How We Found the Vulnerability

While testing our OT security product StationGuard and StationScout, we noticed some unusual system behaviour. Specifically, the system crashed when we sent large data packets, known as Jumbo Frames, to the device. After thorough investigation, we identified the cause: a problem with Intel's IGB driver, a piece of software that is responsible for network communication on many Linux systems.

How This Vulnerability Can Be Exploited

An attacker can exploit this vulnerability (CVE-2023-45871) by sending these large data packets (Jumbo Frames) to the vulnerable device, potentially crashing the entire system within seconds. This doesn't require any special software to be running on the device, making any system using this network driver susceptible. A specific setting (rx-all flag) must be enabled, allowing the system to accept all types of data packets, even corrupted and oversized ones.

What are Jumbo Frames?

Jumbo Frames are larger-than-normal data packets used in network communications. Typically, Ethernet packets are up to 1500 bytes in size, but Jumbo Frames can be up to 9000 bytes. These larger packets are quite common and can improve bandwidth efficiency by sending more data at once.

The Impact

The oversized frames can overflow the memory allocated for the network adapter and spill into the system's main memory. Since the network driver is part of the system's core software (the Kernel), this overflow can cause significant issues, including the possibility of remote code execution. This means an attacker could potentially take control of the entire system.

What to Do Next

We have released updates for StationGuard (version 2.30.0092) and StationScout (version 2.30.0066) to fix this vulnerability. We strongly recommend that all customers update to the latest versions. Intel advises all users of the IGB driver to update their Linux systems to version 6.5.3 to mitigate this issue.

Lessons Learned

This incident shows that even trusted and widely-used software can have hidden vulnerabilities. We recommend that you always investigate unusual system behaviour, as it might reveal new vulnerabilities that haven't been officially recognized yet.
 

For more information about this issue, visit: NVD - CVE-2023-45871 (nist.gov)
 

Special thanks to our colleagues Manfred Rudigier, Thomas Hotz, and Jodok Simma for discovering, reporting, and fixing this vulnerability. This vulnerability was reported to Intel on July 31, 2023, and is fixed in the latest driver version: Linux Kernel Changelog 6.5.3. For further information about the IGB driver, see the Linux Kernel documentation.

Resources

Eric Heindl

Cybersecurity Analyst, OMICRON

Eric Heindl describes himself as an IT guy with a heart for OT cybersecurity. In his role as Cybersecurity Analyst, he analyzes vulnerabilities in OT/IT networks, gives trainings on cybersecurity aspects of web applications and websites, and demonstrates cyber attacks on substations and energy operators.