Release Date: | 2024-05-01 |
In the Linux kernel, the following vulnerability has been resolved:\ntcp: do not accept ACK of bytes we never sent\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\nACK seq validation is currently following RFC 5961 5.2 guidelines:\nThe ACK value is considered acceptable only if\nit is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\nSND.NXT). All incoming segments whose ACK value doesn't satisfy the\nabove condition MUST be discarded and an ACK sent back. It needs to\nbe noted that RFC 793 on page 72 (fifth check) says: 'If the ACK is a\nduplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\nacknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\nACK, drop the segment, and return'. The 'ignored' above implies that\nthe processing of the incoming data segment continues, which means\nthe ACK value is treated as acceptable. This mitigation makes the\nACK check more stringent since any ACK < SND.UNA wouldn't be\naccepted, instead only ACKs that are in the range ((SND.UNA -\nMAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\nThis greatly improves TCP security at a little cost.\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\ntp->bytes_acked was added in linux-4.2\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n// ---------------- Handshake ------------------- //\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n+0 < S 0:0(0) win 65535
See more information about CVE-2023-52881 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
Base Score: | 5.9 | CVSS Vector: | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Attack Vector: | Network | Attack Complexity: | High |
Privileges Required: | None | User Interaction: | None |
Scope: | Unchanged | Confidentiality Impact: | None |
Integrity Impact: | None | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 6 (kernel-uek) | ELSA-2024-12606 | 2024-09-02 |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12606 | 2024-09-02 |
Oracle Linux version 8 (kernel) | ELSA-2024-4211 | 2024-07-02 |
Oracle VM version 3 (kernel-uek) | OVMSA-2024-0011 | 2024-09-03 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: