CVE-2024-26752

l2tp: pass correct message length to ip6_append_data

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

l2tp: pass correct message length to ip6_append_data

l2tp_ip6_sendmsg needs to avoid accounting for the transport header
twice when splicing more data into an already partially-occupied skbuff.

To manage this, we check whether the skbuff contains data using
skb_queue_empty when deciding how much data to append using
ip6_append_data.

However, the code which performed the calculation was incorrect:

ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;

...due to C operator precedence, this ends up setting ulen to
transhdrlen for messages with a non-zero length, which results in
corrupted packets on the wire.

Add parentheses to correct the calculation in line with the original
intent.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: l2tp: pasa la longitud correcta del mensaje a ip6_append_data l2tp_ip6_sendmsg necesita evitar tener en cuenta el encabezado de transporte dos veces al unir más datos en un skbuff ya parcialmente ocupado. Para gestionar esto, verificamos si skbuff contiene datos usando skb_queue_empty al decidir cuántos datos agregar usando ip6_append_data. Sin embargo, el código que realizó el cálculo era incorrecto: ulen = len + skb_queue_empty(&sk->sk_write_queue)? transhdrlen : 0; ...debido a la precedencia del operador C, esto termina configurando ulen en transhdrlen para mensajes con una longitud distinta de cero, lo que resulta en paquetes corruptos en el cable. Agregue paréntesis para corregir el cálculo de acuerdo con la intención original.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-03 CVE Published
2024-04-04 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (18)

URL	Tag	Source
https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59	Vuln. Introduced
https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6	Vuln. Introduced
https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed	Vuln. Introduced
https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb	Vuln. Introduced
https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f	Vuln. Introduced
https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070	Vuln. Introduced
https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844	Vuln. Introduced
https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae	2024-03-01
https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5	2024-03-01
https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243	2024-03-01
https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d	2024-03-01
https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500	2024-03-01
https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56	2024-03-01
https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6	2024-03-01
https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79	2024-02-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.296 < 4.19.308 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.296 < 4.19.308"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.258 < 5.4.270 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.258 < 5.4.270"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.198 < 5.10.211 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.198 < 5.10.211"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.135 < 5.15.150 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.135 < 5.15.150"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.57 < 6.1.80 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.57 < 6.1.80"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.6.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.7.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.7.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.327 Search vendor "Linux" for product "Linux Kernel" and version "4.14.327"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.5.7 Search vendor "Linux" for product "Linux Kernel" and version "6.5.7"		en		Affected