// For flags

CVE-2024-35839

netfilter: bridge: replace physindev with physinif in nf_bridge_info

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: replace physindev with physinif in nf_bridge_info

An skb can be added to a neigh->arp_queue while waiting for an arp
reply. Where original skb's skb->dev can be different to neigh's
neigh->dev. For instance in case of bridging dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.

As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from been
freed under us (for instance neigh_flush_dev doesn't cleanup skbs from
different device's neigh queue) we can crash on e.g. this stack:

arp_process
neigh_update
skb = __skb_dequeue(&neigh->arp_queue)
neigh_resolve_output(..., skb)
...
br_nf_dev_xmit
br_nf_pre_routing_finish_bridge_slow
skb->dev = nf_bridge->physindev
br_handle_frame_finish

Let's use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don't get it and drop skb.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: bridge: reemplace physindev con physinif en nf_bridge_info. Se puede agregar un skb a neigh->arp_queue mientras se espera una respuesta de arp. Donde skb->dev del skb original puede ser diferente al neigh->dev de neigh. Por ejemplo, en el caso de unir un skb designado de un veth a otro, el skb se agregarĂ­a a un vecino->arp_queue del puente. Como skb->dev se puede restablecer a nf_bridge->physindev y usarse, y como no existe un mecanismo explĂ­cito que impida que este physindev se libere bajo nuestra responsabilidad (por ejemplo, neigh_flush_dev no limpia skbs de la cola vecina de diferentes dispositivos), podemos crashear, por ejemplo, en esta pila: arp_process neigh_update skb = __skb_dequeue(&neigh->arp_queue) neigh_resolve_output(..., skb) ... br_nf_dev_xmit br_nf_pre_routing_finish_bridge_slow skb->dev = nf_bridge->physindev br_handle_frame_finish Usemos ifindex simple en lugar de enlace net_device. Para echar un vistazo al net_device original usaremos dev_get_by_index_rcu(). Por lo tanto, o obtenemos el dispositivo y podemos usarlo con seguridad o no lo obtenemos y eliminamos skb.

CVE-2024-35839 is a flaw in the Linux kernel's Netfilter bridge functionality. It occurs when bridging certain packets, such as those involving destination NAT between virtual Ethernet interfaces. A mismatch between the network device associated with a packet and the neighbor's device can lead to incorrect handling, including references to freed memory. This issue could cause system crashes. The problem has been fixed by using safer methods to retrieve the network device during packet processing. Users should update their kernels to a patched version to avoid this vulnerability.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-17 CVE Reserved
  • 2024-05-17 CVE Published
  • 2024-05-18 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.2 < 6.1.75
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.1.75"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.2 < 6.6.14
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.6.14"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.2 < 6.7.2
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.7.2"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.2 < 6.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.8"
en
Affected