CVE-2021-46912

net: Make tcp_allowed_congestion_control readonly in non-init netns

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net: Make tcp_allowed_congestion_control readonly in non-init netns

Currently, tcp_allowed_congestion_control is global and writable;
writing to it in any net namespace will leak into all other net
namespaces.

tcp_available_congestion_control and tcp_allowed_congestion_control are
the only sysctls in ipv4_net_table (the per-netns sysctl table) with a
NULL data pointer; their handlers (proc_tcp_available_congestion_control
and proc_allowed_congestion_control) have no other way of referencing a
struct net. Thus, they operate globally.

Because ipv4_net_table does not use designated initializers, there is no
easy way to fix up this one "bad" table entry. However, the data pointer
updating logic shouldn't be applied to NULL pointers anyway, so we
instead force these entries to be read-only.

These sysctls used to exist in ipv4_table (init-net only), but they were
moved to the per-net ipv4_net_table, presumably without realizing that
tcp_allowed_congestion_control was writable and thus introduced a leak.

Because the intent of that commit was only to know (i.e. read) "which
congestion algorithms are available or allowed", this read-only solution
should be sufficient.

The logic added in recent commit
31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls")
does not and cannot check for NULL data pointers, because
other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have
.data=NULL but use other methods (.extra2) to access the struct net.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: hacer que tcp_allowed_congestion_control sea de solo lectura en redes no init. Actualmente, tcp_allowed_congestion_control es global y se puede escribir; escribir en él en cualquier espacio de nombres de red se filtrará a todos los demás espacios de nombres de red. tcp_available_congestion_control y tcp_allowed_congestion_control son los únicos sysctls en ipv4_net_table (la tabla sysctl por red) con un puntero de datos NULL; sus controladores (proc_tcp_available_congestion_control y proc_allowed_congestion_control) no tienen otra forma de hacer referencia a una estructura neta. Por lo tanto, operan globalmente. Debido a que ipv4_net_table no utiliza inicializadores designados, no existe una manera fácil de corregir esta entrada "mala" de la tabla. Sin embargo, la lógica de actualización del puntero de datos no debería aplicarse a los punteros NULL de todos modos, por lo que forzamos que estas entradas sean de solo lectura. Estos sysctls solían existir en ipv4_table (solo init-net), pero se movieron a ipv4_net_table por red, presumiblemente sin darse cuenta de que tcp_allowed_congestion_control se podía escribir y, por lo tanto, introdujeron una fuga. Debido a que la intención de esa confirmación era sólo saber (es decir, leer) "qué algoritmos de congestión están disponibles o permitidos", esta solución de solo lectura debería ser suficiente. La lógica agregada en la reciente confirmación 31c4d2f160eb: ("net: Garantizar el aislamiento del espacio de nombres de red de sysctls") no verifica ni puede verificar los punteros de datos NULL, porque otras entradas de la tabla (por ejemplo, /proc/sys/net/netfilter/nf_log/) tienen .data=NULL pero usa otros métodos (.extra2) para acceder a la estructura neta.

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-02-27 CVE Published
2024-04-21 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/9cb8e048e5d93825ec5e8dfb5b8df4987ea25745	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12	2021-04-21
https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006	2021-04-21
https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1	2021-04-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.10.32 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.10.32"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.11.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.11.16"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.12"		en		Affected