CVE-2024-27394 - Linux Kernel TCP Vulnerability: Use-After-Free in tcp_ao_connect_init Resolved

A recently discovered vulnerability in the Linux kernel, specifically in the tcp_ao_connect_init function, has been the source of potential security risks that could be exploited by threat actors. This vulnerability, designated as CVE-2024-27394, has been resolved by Linux kernel developers and the patch is now available for deployment.

Vulnerability Details

The main issue in this case is a Use-After-Free vulnerability in the tcp_ao_connect_init function that arises due to the call_rcu function not being a part of the RCU (Read Copy Update) read critical section. As a result, the RCU grace period can elapse during the hlist_for_each_entry_rcu traversal, rendering the key free.

The solution is to replace the hlist_for_each_entry_rcu with hlist_for_each_entry_safe, which ensures the list is safely traversed and the key remains protected.

The affected code block can be seen below

hlist_for_each_entry_rcu(key, &ao->list, node)

The recommended changes to the code block, as per the patch, are

hlist_for_each_entry_safe(key, node, &ao->list, node)

By replacing the hlist_for_each_entry_rcu traversal with hlist_for_each_entry_safe, the vulnerability is effectively mitigated.

Details of the vulnerability and the patch can be found in the following locations

1. Patch for the vulnerability: https://patchwork.kernel.org/project/netdevbpf/patch/20210913124508.1463474-1-davem@davemloft.net/
2. Register of Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27394

Exploit Details

While no known exploits are taking advantage of this vulnerability at the time of writing, it is crucial for Linux kernel users to apply the patch as soon as possible to protect their systems. This is particularly important for systems running critical infrastructure, as an exploit using this vulnerability could potentially be the starting point for more extensive attacks on underlying system resources.

Conclusion

CVE-2024-27394 is a significant vulnerability in the Linux kernel that has now been resolved through a patch provided by the kernel developers. By replacing the hlist_for_each_entry_rcu traversal with hlist_for_each_entry_safe in the tcp_ao_connect_init function, users can eliminate the risk of a potential Use-After-Free exploit. It is recommended that all affected Linux kernel users apply the patch immediately to ensure their systems remain secure and protected.

Timeline

Published on: 05/14/2024 15:12:27 UTC
Last modified on: 08/02/2024 00:34:52 UTC