CVE-2023-52881

CVE Details

Release Date:

2024-05-01

Description

In the Linux kernel, the following vulnerability has been resolved:\ntcp: do not accept ACK of bytes we never sent\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\nACK seq validation is currently following RFC 5961 5.2 guidelines:\nThe ACK value is considered acceptable only if\nit is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\nSND.NXT). All incoming segments whose ACK value doesn't satisfy the\nabove condition MUST be discarded and an ACK sent back. It needs to\nbe noted that RFC 793 on page 72 (fifth check) says: 'If the ACK is a\nduplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\nacknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\nACK, drop the segment, and return'. The 'ignored' above implies that\nthe processing of the incoming data segment continues, which means\nthe ACK value is treated as acceptable. This mitigation makes the\nACK check more stringent since any ACK < SND.UNA wouldn't be\naccepted, instead only ACKs that are in the range ((SND.UNA -\nMAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\nThis greatly improves TCP security at a little cost.\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\ntp->bytes_acked was added in linux-4.2\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n// ---------------- Handshake ------------------- //\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n+0 < S 0:0(0) win 65535 \n+0 > S. 0:0(0) ack 1 <...>\n+0 < . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n// Oops, old kernels happily accept this packet.\n+0 < . 1:1001(1000) ack 3221241997 win 65535\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 > . 1:1(0) ack 1001

See more information about CVE-2023-52881 from MITRE CVE dictionary and NIST NVD

CVSS Scoring

NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score:	5.9	CVSS Vector:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector:	Network	Attack Complexity:	High
Privileges Required:	None	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	None	Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 6 (kernel-uek)	ELSA-2024-12606	2024-09-02
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12606	2024-09-02
Oracle Linux version 8 (kernel)	ELSA-2024-4211	2024-07-02
Oracle VM version 3 (kernel-uek)	OVMSA-2024-0011	2024-09-03