CVE-2024-36017

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

Severity Score

4.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a
struct ifla_vf_vlan_info so the size of such attribute needs to be at least
of sizeof(struct ifla_vf_vlan_info) which is 14 bytes.
The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)
which is less than sizeof(struct ifla_vf_vlan_info) so this validation
is not enough and a too small attribute might be cast to a
struct ifla_vf_vlan_info, this might result in an out of bands
read access when accessing the saved (casted) entry in ivvl.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rtnetlink: Validación correcta del atributo IFLA_VF_VLAN_LIST anidado. Se supone que cada atributo dentro de un IFLA_VF_VLAN_LIST anidado es una estructura ifla_vf_vlan_info, por lo que el tamaño de dicho atributo debe ser al menos de sizeof(struct ifla_vf_vlan_info), que es de 14 bytes. La validación de tamaño actual en do_setvfinfo es contra NLA_HDRLEN (4 bytes), que es menor que sizeof(struct ifla_vf_vlan_info), por lo que esta validación no es suficiente y un atributo demasiado pequeño podría convertirse en una estructura ifla_vf_vlan_info, esto podría resultar en un acceso de lectura fuera de banda al acceder a la entrada guardada (transmitida) en ivvl.

In the Linux kernel, the following vulnerability has been resolved: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a struct ifla_vf_vlan_info so the size of such attribute needs to be at least of sizeof(struct ifla_vf_vlan_info) which is 14 bytes. The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes) which is less than sizeof(struct ifla_vf_vlan_info) so this validation is not enough and a too small attribute might be cast to a struct ifla_vf_vlan_info, this might result in an out of bands read access when accessing the saved (casted) entry in ivvl.

Benedict SchlÃ¼ter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde discovered that an untrusted hypervisor could inject malicious #VC interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw is known as WeSee. A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-30 CVE Published
2024-12-19 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/79aab093a0b5370d7fc4e99df75996f4744dc03f	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8ac69ff2d0d5be9734c4402de932aa3dc8549c1a	2024-05-17
https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169	2024-05-17
https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de	2024-05-17
https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e	2024-05-17
https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7	2024-05-17
https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b	2024-05-17
https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8	2024-05-17
https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489	2024-05-03

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-36017	2024-09-03
https://bugzilla.redhat.com/show_bug.cgi?id=2284417	2024-09-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 4.19.314 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 4.19.314"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.4.276 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.4.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.10.217 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.10.217"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.15.159 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.15.159"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.1.91 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.1.91"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.6.31 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.6.31"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.8.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.8.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.9"		en		Affected