CVE-2023-1206
Linux Kernel vulnerability analysis and mitigation

Overview

A hash collision vulnerability (CVE-2023-1206) was discovered in the IPv6 connection lookup table in the Linux kernel's IPv6 functionality. The vulnerability was reported on March 6, 2023, and affects Linux kernel versions prior to 6.5-rc1. This vulnerability impacts systems that accept IPv6 connections and can be exploited through a new kind of SYN flood attack (CVE, Red Hat Bugzilla).

Technical details

The vulnerability allows attackers to force hash collisions in the IPv6 connection lookup table, which significantly increases the cost of lookups in the Linux kernel's networking stack. The issue was fixed in kernel version 6.5-rc1 through a patch that addressed the hash collision mechanism. The fix was merged into net.git as commit d11b0df7ddf1831f3e170972f43186dad520bfcc (Red Hat Bugzilla). The vulnerability has a CVSS 3.1 score of 5.7 (Medium) with vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

Impact

When successfully exploited, this vulnerability can cause a significant increase in CPU usage of servers accepting IPv6 connections, potentially up to 95% utilization. This can result in a denial of service condition, particularly affecting systems that handle IPv6 traffic. The attack is most effective when initiated from either the local network or by an attacker with a high bandwidth connection (CVE).

Mitigation and workarounds

For systems that cannot immediately update to a patched kernel version, a temporary workaround is to disable IPv6 functionality where possible. Multiple Linux distributions have released security updates to address this vulnerability, including Red Hat Enterprise Linux, Debian, and Ubuntu. For E-Series SANtricity OS Controller Software 11.x, disabling IPv6 is recommended as a workaround (NetApp Advisory).
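
A triage sketch for the conditions described above, added here as an example and not taken from the advisory or any vendor tool: it checks whether a host runs a kernel older than 6.5, has IPv6 enabled, and has IPv6 TCP listeners, and it counts half-open (SYN_RECV) IPv6 connections per port as a general SYN-flood indicator. The function names, the sample table and the alert threshold are assumptions.

```python
import pathlib, platform, re
from collections import Counter

FIXED_UPSTREAM = (6, 5)        # the page: fixed in 6.5-rc1
LISTEN, SYN_RECV = 0x0A, 0x03  # TCP state codes as printed in /proc/net/tcp6
# Constructed sample (trailing columns trimmed): one listener on 443,
# two half-open connections to 443, one established SSH session.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A
   1: 000080FE00000000000000000100000A:01BB 000080FE00000000000000000200000A:C350 03
   2: 000080FE00000000000000000100000A:01BB 000080FE00000000000000000300000A:C351 03
   3: 000080FE00000000000000000100000A:0016 000080FE00000000000000000400000A:D431 01
"""

def kernel_predates_fix(release):
    # Upstream numbering only: distribution kernels backport fixes, so a True
    # result means "confirm against the vendor advisory", not "vulnerable".
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))) < FIXED_UPSTREAM

def summarize_tcp6(text):
    """Return (listening ports, half-open count per local port) from tcp6 table text."""
    listeners, half_open = set(), Counter()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)   # local port is hex
        state = int(fields[3], 16)
        if state == LISTEN:
            listeners.add(port)
        elif state == SYN_RECV:
            half_open[port] += 1
    return listeners, half_open

def assess(release, ipv6_disabled, tcp6_text, half_open_alert=256):  # assumed threshold
    listeners, half_open = summarize_tcp6(tcp6_text)
    return {
        "exposed": kernel_predates_fix(release) and not ipv6_disabled and bool(listeners),
        "ipv6_listeners": sorted(listeners),
        "half_open_hot_ports": sorted(p for p, n in half_open.items() if n >= half_open_alert),
    }

if __name__ == "__main__":  # live host: read the same three inputs from the system
    flag = pathlib.Path("/proc/sys/net/ipv6/conf/all/disable_ipv6")
    table = pathlib.Path("/proc/net/tcp6")
    disabled = not flag.exists() or flag.read_text().strip() == "1"
    print(assess(platform.release(), disabled, table.read_text() if table.exists() else ""))
```

Half-open entries are not listed when the kernel answers with SYN cookies, so an empty `half_open_hot_ports` does not rule out a flood; pair it with CPU and softirq monitoring.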

This report was generated using AI.

Related Linux Kernel vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-68753 | HIGH | 7.8 | Linux Kernel | linux-oem-6.14 | No | Yes | Jan 05, 2026 |
| CVE-2025-68756 | HIGH | 7.1 | Linux Kernel | kernel-rt-64k-debug | No | Yes | Jan 05, 2026 |
| CVE-2025-68764 | MEDIUM | 5.5 | Linux Kernel | kernel-rt-64k-core | No | Yes | Jan 05, 2026 |
| CVE-2025-68758 | MEDIUM | 5.5 | Linux Kernel | linux-nvidia-tegra-5.15 | No | Yes | Jan 05, 2026 |
| CVE-2025-68762 | N/A | N/A | Linux Kernel | linux-aws-fips | No | Yes | Jan 05, 2026 |
