CVE-2024-35962

netfilter: complete validation of user input

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: complete validation of user input

In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.

In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:

if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
return -EINVAL;

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: validación completa de la entrada del usuario En mi confirmación reciente, omití que los controladores do_replace() usan copy_from_sockptr() (que arreglé), seguido de llamadas inseguras copy_from_sockptr_offset(). En todas las funciones, podemos realizar la validación @optlen incluso antes de llamar a xt_alloc_table_info() con la siguiente comprobación: if ((u64)optlen < (u64)tmp.size + sizeof(tmp)) return -EINVAL;

In the Linux kernel, the following vulnerability has been resolved: netfilter: complete validation of user input In my recent commit, I missed that do_replace() handlers use copy_from_sockptr() (which I fixed), followed by unsafe copy_from_sockptr_offset() calls. In all functions, we can perform the @optlen validation before even calling xt_alloc_table_info() with the following check: if ((u64)optlen < (u64)tmp.size + sizeof(tmp)) return -EINVAL;

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-20 CVE Published
2024-05-21 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6	Vuln. Introduced
https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b	Vuln. Introduced
https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5	Vuln. Introduced
https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525	Vuln. Introduced
https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/cf4bc359b76144a3dd55d7c09464ef4c5f2b2b05	2024-05-02
https://git.kernel.org/stable/c/97dab36e57c64106e1c8ebd66cbf0d2d1e52d6b7	2024-04-17
https://git.kernel.org/stable/c/c760089aa98289b4b88a7ff5a62dd92845adf223	2024-04-17
https://git.kernel.org/stable/c/89242d9584c342cb83311b598d9e6b82572eadf8	2024-04-17
https://git.kernel.org/stable/c/562b7245131f6e9f1d280c8b5a8750f03edfc05c	2024-04-17
https://git.kernel.org/stable/c/65acf6e0501ac8880a4f73980d01b5d27648b956	2024-04-11

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-35962	2024-08-28
https://bugzilla.redhat.com/show_bug.cgi?id=2281916	2024-08-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.215 < 5.10.216 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.215 < 5.10.216"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.154 < 5.15.156 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.154 < 5.15.156"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.85 < 6.1.87 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.85 < 6.1.87"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.26 < 6.6.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.26 < 6.6.28"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8.5 < 6.8.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8.5 < 6.8.7"		en		Affected