CVE CyberSecurity Database News

CVE-2024-42154: Linux Kernel Vulnerability in tcp_metrics - Validating Source Addr Length

Poster -

The Linux kernel, an essential part of any Linux distribution, is responsible for forming the core of the operating system. As such, vulnerabilities within the kernel can be especially dangerous if exploited. A recent vulnerability, dubbed CVE-2024-42154, affects the tcp_metrics component. This post will provide an overview of the vulnerability, a code snippet showcasing where the issue lies, links to relevant references, and additional details related to the exploitation of this vulnerability.

Background

The tcp_metrics module is a part of the Linux kernel's networking subsystem and is responsible for implementing the TCP Metrics draft. Essentially, tcp_metrics help the network stack gather and store data about the performance of previous connections to improve future connections' performance. However, an oversight in the code has resulted in a vulnerability - the absence of validation for the source address length in IPv4.

The following code snippet is from the net/ipv4/tcp_metrics.c file, which contains the vulnerability

static int tcp_metrics_nl_fill_info(struct sk_buff *skb,
                   const struct tcp_metrics_block *tm,
                   u32 portid, u32 seq, int flags)
{
    struct nlmsghdr *nlh;
    struct nlattr *addr, *info;
    nlh = nlmsg_put(skb, portid, seq, TCP_METRICS_GENL_CMD_NEW, , flags);
    if (!nlh)
        return -EMSGSIZE;

    // ...
    if (tm->tcpm_af == AF_INET) {
        addr = nla_reserve(skb, TCP_METRICS_ATTR_SADDR_IPV4, 4);
        if (!addr) {
            nlmsg_cancel(skb, nlh);
            return -EMSGSIZE;
        }
        memcpy(nla_data(addr), &tm->tcpm_saddr.saddr4, 4);
    } else {
        addr = nla_reserve(skb, TCP_METRICS_ATTR_SADDR_IPV6, 16);
        if (!addr) {
            nlmsg_cancel(skb, nlh);
            return -EMSGSIZE;
        }
        memcpy(nla_data(addr), &tm->tcpm_saddr.saddr6, 16);
    }

    // ...
    return nlmsg_end(skb, nlh);
}

In the above code, when dealing with IPv4 source addresses, there is no check to ensure that the length of the attribute, TCP_METRICS_ATTR_SADDR_IPV4, is at least 4 bytes long. This lack of validation can potentially lead to undefined behavior and even allows an attacker to exploit this vulnerability.

Original References

1. Official Linux Kernel Git Repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/tcp_metrics.c
2. Full vulnerability report: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42154
3. NVD Details on CVE-2024-42154: https://nvd.nist.gov/vuln/detail/CVE-2024-42154

Exploit Details

Because the IPv4 source address length is not validated, this could potentially lead to undefined behavior and a possible exploit. An attacker may be able to craft malicious messages with incorrect address lengths to achieve unexpected results, such as gaining unauthorized access, causing a crash or denial of service, or enabling privilege escalation. However, the exact details on how to exploit this vulnerability have not been made public to reduce malicious activity.

Conclusion

In summary, CVE-2024-42154 is a vulnerability in the Linux kernel's tcp_metrics module, specifically affecting the validation of IPv4 source address lengths. The code snippet provided demonstrates the lack of length validation, and available references detail the vulnerability report. While details of exploiting the vulnerability have not been released, anyone using the Linux kernel should ensure they are using an updated version with this vulnerability addressed to avoid potential harm.

Timeline

Published on: 07/30/2024 08:15:06 UTC
Last modified on: 08/08/2024 15:02:01 UTC