CVE-2024-26826

mptcp: fix data re-injection from stale subflow

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix data re-injection from stale subflow

When the MPTCP PM detects that a subflow is stale, all the packet
scheduler must re-inject all the mptcp-level unacked data. To avoid
acquiring unneeded locks, it first try to check if any unacked data
is present at all in the RTX queue, but such check is currently
broken, as it uses TCP-specific helper on an MPTCP socket.

Funnily enough fuzzers and static checkers are happy, as the accessed
memory still belongs to the mptcp_sock struct, and even from a
functional perspective the recovery completed successfully, as
the short-cut test always failed.

A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize
tcp_sock fast path variables") - exposed the issue, as the tcp field
reorganization makes the mptcp code always skip the re-inection.

Fix the issue dropping the bogus call: we are on a slow path, the early
optimization proved once again to be evil.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: corrige la reinyección de datos desde un subflujo obsoleto Cuando MPTCP PM detecta que un subflujo está obsoleto, todo el programador de paquetes debe reinyectar todos los datos no codificados del nivel mptcp. Para evitar adquirir bloqueos innecesarios, primero intenta verificar si hay datos no bloqueados presentes en la cola RTX, pero dicha verificación actualmente no funciona, ya que utiliza un asistente específico de TCP en un socket MPTCP. Curiosamente, los fuzzers y los comprobadores estáticos están contentos, ya que la memoria a la que se accede todavía pertenece a la estructura mptcp_sock, e incluso desde una perspectiva funcional la recuperación se completó con éxito, ya que la prueba de acceso directo siempre fallaba. Un cambio reciente de TCP no relacionado (commit d5fed5addb2b ("tcp: reorganizar las variables de ruta rápida de tcp_sock")) expuso el problema, ya que la reorganización del campo tcp hace que el código mptcp siempre omita la reinección. Solucione el problema eliminando la llamada falsa: estamos en un camino lento, la optimización inicial demostró una vez más ser mala.

A flaw was found in the Linux kernel. A logical error in the Multipath TCP packet manager causes some packets intended for retransmission to be lost, resulting in a potential denial of service.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-17 CVE Published
2024-04-18 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/1e1d9d6f119c55c05e8ea78ed3e49046690abffd	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2	2024-02-23
https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8	2024-02-23
https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5	2024-02-23
https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8	2024-02-23
https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598	2024-02-01

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26826	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2275604	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.1.79 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.1.79"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.6.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.6.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.7.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.7.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.8"		en		Affected