
CVE-2023-52628

netfilter: nftables: exthdr: fix 4-byte stack OOB write

Severity Score: 7.0 (CVSS v3.1)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: exthdr: fix 4-byte stack OOB write

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).


An out-of-bounds write flaw was found in the Linux kernel’s Netfilter functionality. This flaw allows a local user to crash or potentially escalate their privileges on the system.

This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the nft_exthdr_ipv6_eval function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel.

*Credits: Alex Birnberg
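The construct the commit message describes, modelled in userspace as an added example (not the kernel's code): the 4-word register file, the 0xaa option bytes and the refused-write reporting are constructed; `load_option` shows the unconditional tail clear beside the conditional one the fix introduces.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not kernel code. nftables registers are 32-bit words; a
 * value of `len` bytes occupies ceil(len / 4) of them. NREGS is constructed. */
#define REG32_SIZE 4
#define NREGS      4
struct regfile { uint32_t reg[NREGS]; };
struct result {
    int rc;              /* 0 ok; -1 clear would write past the file; -2 value does not fit */
    uint32_t next_word;  /* register right after the value, 0xffffffff if untouched */
    bool tail_zero;      /* bytes of the last word that `len` did not cover are zero */
};
static size_t words_needed(size_t len) { return (len + REG32_SIZE - 1) / REG32_SIZE; }

/* Original code cleared dst[len / 4] unconditionally to zero the unused tail of
 * the last word; when len is a multiple of 4 that index is the word *after* the
 * value. With `fixed`, the clear runs only when a tail exists. A clear that
 * would leave the register file is refused and reported, not performed. */
static int load_option(struct regfile *rf, size_t base, const uint8_t *opt,
                       size_t len, bool fixed)
{
    if (base + words_needed(len) > NREGS)
        return -2;                        /* register validation rejects this up front */
    if (!fixed || (len % REG32_SIZE) != 0) {
        if (base + len / REG32_SIZE >= NREGS)
            return -1;                    /* the 4-byte stack OOB write from the advisory */
        rf->reg[base + len / REG32_SIZE] = 0;
    }
    memcpy(&rf->reg[base], opt, len);
    return 0;
}

/* Load `len` (<= 8) constructed 0xaa option bytes into a file pre-filled with 0xff. */
static struct result run_case(size_t base, size_t len, bool fixed)
{
    uint8_t opt[8]; struct regfile rf;
    struct result r = { 0, 0xffffffffu, true };
    size_t end = base + words_needed(len);
    memset(opt, 0xaa, sizeof(opt));
    memset(rf.reg, 0xff, sizeof(rf.reg));
    r.rc = load_option(&rf, base, opt, len, fixed);
    if (r.rc == 0 && end < NREGS)
        r.next_word = rf.reg[end];
    for (size_t i = len; r.rc == 0 && i < words_needed(len) * REG32_SIZE; i++)
        if (((const uint8_t *)&rf.reg[base])[i] != 0)
            r.tail_zero = false;
    return r;
}
```

With the value in the last register and a multiple-of-4 length, the unconditional clear aims one word past the file; one register earlier it silently zeroes a neighbouring expression's register, and only the conditional form leaves it alone while still zeroing the tail when the length is odd-sized.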
CVSS Scores

Metric               Vector 1 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)   Vector 2 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L)
Attack Vector        Local                                            Local
Attack Complexity    High                                             Low
Privileges Required  Low                                              Low
User Interaction     None                                             None
Scope                Unchanged                                        Changed
Confidentiality      High                                             High
Integrity            High                                             None
Availability         High                                             Low
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-03-06 CVE Reserved
  • 2024-03-28 CVE Published
  • 2024-06-17 EPSS Updated
  • 2024-11-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product        Version             Status
Linux    Linux Kernel   >= 4.1 < 4.19.316   Affected
Linux    Linux Kernel   >= 4.1 < 5.4.279    Affected
Linux    Linux Kernel   >= 4.1 < 5.10.198   Affected
Linux    Linux Kernel   >= 4.1 < 5.15.132   Affected
Linux    Linux Kernel   >= 4.1 < 6.1.54     Affected
Linux    Linux Kernel   >= 4.1 < 6.5.4      Affected
Linux    Linux Kernel   >= 4.1 < 6.6        Affected