CVE-2019-10638

Kernel: net: weak IP ID generation leads to remote device tracking

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.

En el kernel de Linux anterior a versión 5.1.7, un atacante puede rastrear un dispositivo utilizando los valores ID de IP que el kernel produce para los protocolos sin conexión (por ejemplo, UDP e ICMP). Cuando dicho tráfico se envía a múltiples direcciones IP de destino, es posible obtener colisiones de hash (de índices en la matriz counter) y, de este modo, obtener la clave de hashing (mediante enumeración). Puede ser conducido un ataque mediante el alojamiento de una página web especialmente diseñada que utiliza WebRTC o gQUIC para forzar el tráfico UDP a las direcciones IP controladas por el atacante.

A flaw was found in the way the Linux kernel derived the IP ID field from a partial kernel space address returned by a net_hash_mix() function. A remote user could observe a weak IP ID generation in this field to track Linux devices.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-29 CVE Reserved
2019-07-05 CVE Published
2024-06-28 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-326: Inadequate Encryption Strength

CAPEC

References (30)

URL	Tag	Source
http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html	X_refsource_misc
http://www.securityfocus.com/bid/109092	Third Party Advisory
https://arxiv.org/pdf/1906.10478.pdf	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00016.html	Mailing List
https://lists.debian.org/debian-lts-announce/2019/08/msg00017.html	Mailing List
https://seclists.org/bugtraq/2019/Aug/13	Mailing List
https://seclists.org/bugtraq/2019/Aug/18	Mailing List
https://seclists.org/bugtraq/2019/Nov/11	Mailing List
https://security.netapp.com/advisory/ntap-20190806-0001	X_refsource_confirm
https://www.oracle.com/security-alerts/cpuApr2021.html	X_refsource_misc

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92	2021-06-14
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df453700e8d81b1bdafdf684365ee2b9431fb702	2021-06-14
https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92	2021-06-14
https://github.com/torvalds/linux/commit/55f0fc7a02de8f12757f4937143d8d5091b2e40b	2021-06-14
https://github.com/torvalds/linux/commit/df453700e8d81b1bdafdf684365ee2b9431fb702	2021-06-14

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html	2021-06-14
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html	2021-06-14
https://access.redhat.com/errata/RHSA-2019:3309	2021-06-14
https://access.redhat.com/errata/RHSA-2019:3517	2021-06-14
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.8	2021-06-14
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.7	2021-06-14
https://usn.ubuntu.com/4114-1	2021-06-14
https://usn.ubuntu.com/4115-1	2021-06-14
https://usn.ubuntu.com/4116-1	2021-06-14
https://usn.ubuntu.com/4117-1	2021-06-14
https://usn.ubuntu.com/4118-1	2021-06-14
https://www.debian.org/security/2019/dsa-4495	2021-06-14
https://www.debian.org/security/2019/dsa-4497	2021-06-14
https://access.redhat.com/security/cve/CVE-2019-10638	2020-03-31
https://bugzilla.redhat.com/show_bug.cgi?id=1729931	2020-03-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.1.7 Search vendor "Linux" for product "Linux Kernel" and version " < 5.1.7"		-		Affected