Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

Low

Attack Vector

Local

CVE-2024-36971

Disclosure Date: June 10, 2024 •

CVE-2024-36971 CVSS v3 Base Score: 7.8

Exploited in the Wild

Reported by ccondon-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three –>negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

linux

Products

linux kernel

Exploited in the Wild

Reported by:

ccondon-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/08/07/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: August 07, 2024 3:43pm UTC (3 months ago)

References

Canonical

CVE-2024-36971 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36971)

Miscellaneous

https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e

https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc

https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13

https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72

https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6

https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf

https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4

https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508

https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Rapid7

Unknown

CVE-2024-36971

Unknown

Unknown

None

Low

Local

CVE-2024-36971

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-36971

Unknown

Unknown

None

Low

Local

CVE-2024-36971

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification