CVE-2023-52628
netfilter: nftables: exthdr: fix 4-byte stack OOB write
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nftables: exthdr: fix 4-byte stack OOB write
If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.
This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.
The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.
Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nftables: exthdr: corrige escritura OOB de pila de 4 bytes Si priv->len es múltiplo de 4, entonces dst[len / 4] puede escribir más allá de la matriz de destino que conduce a la corrupción de la pila. Esta construcción es necesaria para limpiar el resto del registro en caso de que ->len NO sea un múltiplo del tamaño del registro, así que hágalo condicional tal como lo hace nft_payload.c. El error se agregó en el ciclo 4.1 y luego se copió/heredó cuando se agregó la compatibilidad con las opciones tcp/sctp e ip. Error informado por el proyecto Zero Day Initiative (ZDI-CAN-21950, ZDI-CAN-21951, ZDI-CAN-21961).
An out-of-bounds write flaw was found in the Linux kernel’s Netfilter functionality. This flaw allows a local user to crash or potentially escalate their privileges on the system.
This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the nft_exthdr_ipv6_eval function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-06 CVE Reserved
- 2024-03-28 CVE Published
- 2024-06-17 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-787: Out-of-bounds Write
CAPEC
References (11)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/49499c3e6e18b7677a63316f3ff54a16533dc28f | Vuln. Introduced | |
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-52628 | 2024-05-28 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2272041 | 2024-05-28 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 4.19.316 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 4.19.316" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.4.279 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.4.279" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.10.198 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.10.198" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.15.132 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.15.132" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 6.1.54 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.1.54" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 6.5.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.5.4" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 6.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.6" | en |
Affected
|