A vulnerability in the Linux kernel's net/sctp subsystem has been resolved. The issue is an integer overflow in the function sctp_association_init(). By default, the max_autoclose value is set to INT_MAX / HZ; however, an attacker could potentially change this value to UINT_MAX, which would trigger an integer overflow in the kernel.
This post provides a breakdown of the vulnerability (CVE-2024-57938), the affected versions of the Linux kernel, the code snippet responsible, and the steps to exploit it. Links to the original references and patches for this vulnerability are included at the end.
Details of the Vulnerability
The Secure Transport Protocol (SCTP) is a transport layer protocol used in networking. It provides reliable, connection-oriented communication between applications running on different systems. In the Linux kernel, the file net/sctp/socket.c contains the code for handling SCTP associations.
The vulnerability arises in the sctp_association_init() function, used to initialize a new SCTP association. This function contains code that triggers an integer overflow if max_autoclose is set to UINT_MAX. The overflow leads to unspecified consequences, possibly affecting the stability and security of the system.
Here is the specific code snippet that causes the issue:
/* asoc->autoclose is a 32-bit unsigned integer, so asoc->autoclose * HZ is
 * evaluated in 32 bits and wraps around when autoclose is raised to UINT_MAX,
 * producing a bogus timeout instead of the intended autoclose * HZ jiffies. */
if (asoc->autoclose > 0) {
	asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] = asoc->autoclose * HZ;
}
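The wrap described above, reproduced in user space as an added example (this is not kernel code). It assumes HZ is 1000 and that the timeout slot is 64 bits wide, and contrasts the 32-bit multiply with a checked variant that widens first and refuses anything above the default max_autoclose bound of INT_MAX / HZ.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* HZ is a kernel build-time constant; 1000 is assumed for this demonstration. */
#define HZ 1000

/* The default ceiling described in the text: max_autoclose = INT_MAX / HZ.
 * Any autoclose at or below it satisfies autoclose * HZ <= INT_MAX, so the
 * 32-bit product cannot wrap. Raising the ceiling to UINT_MAX breaks that. */
#define DEFAULT_MAX_AUTOCLOSE ((unsigned int)(INT_MAX / HZ))

/* Shape of the vulnerable computation: autoclose is a 32-bit unsigned int,
 * so autoclose * HZ is evaluated in 32 bits and wraps modulo 2^32 before the
 * result is widened into the 64-bit timeout slot. */
uint64_t autoclose_to_jiffies_wrapping(unsigned int autoclose)
{
    uint64_t timeout = 0;
    if (autoclose > 0)
        timeout = autoclose * HZ;   /* 32-bit multiply, widened afterwards */
    return timeout;
}

/* Range check a hardened path would apply before converting to jiffies. */
int autoclose_within_default_max(unsigned int autoclose)
{
    return autoclose <= DEFAULT_MAX_AUTOCLOSE;
}

/* Hardened variant: reject out-of-range input (returns 0) and widen the
 * operand before multiplying so the product is computed in 64 bits. */
uint64_t autoclose_to_jiffies_checked(unsigned int autoclose)
{
    if (!autoclose_within_default_max(autoclose))
        return 0;
    return (uint64_t)autoclose * HZ;  /* cannot wrap for any 32-bit input */
}

int main(void)
{
    unsigned int v = UINT_MAX;  /* the value the text says triggers the bug */
    printf("autoclose=%u  wrapping=%llu  checked=%llu (in range: %d)\n", v,
           (unsigned long long)autoclose_to_jiffies_wrapping(v),
           (unsigned long long)autoclose_to_jiffies_checked(v),
           autoclose_within_default_max(v));
    return 0;
}
```

With HZ = 1000, the wrapping path turns UINT_MAX seconds into 4294966296 jiffies (about 50 days) rather than the 4294967295000 the arithmetic intends.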
Exploit Details
For the exploit to occur, an attacker must first modify the max_autoclose value for SCTP to UINT_MAX. The attacker can do this using a crafted packet or by manipulating a vulnerable network application to modify the SCTP subsystem's value of max_autoclose to trigger the integer overflow.
Furthermore, this vulnerability potentially allows a local unprivileged (non-root) attacker to exploit the system, escalate privileges, and impact system stability, leading to a denial of service (DoS).
Original References
1. NVD - CVE-2024-57938
2. Linux kernel source code at github.com
Patches and Fixes
The Linux kernel developers have resolved this vulnerability by adding proper validation checks in the sctp_association_init() function. They have ensured that this function now correctly sets the value of max_autoclose. Users are advised to upgrade their Linux kernel to a version with the patched code.
In conclusion, the CVE-2024-57938 vulnerability in the Linux kernel's net/sctp subsystem could have significant implications on affected systems' security and stability. However, with the release of patches and updates, this issue has been addressed and resolved. Ensure you keep your system up to date to prevent any potential exploitation.
Timeline
Published on: 01/21/2025 12:15:27 UTC
Last modified on: 01/22/2025 23:01:40 UTC