Bug 2064604 (CVE-2022-1012)

Summary: CVE-2022-1012 kernel: Small table perturb size in the TCP source port generation algorithm can lead to information leak
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, allarkin, asavkov, bhu, bskeggs, chris.cook, chwhite, crwood, cww, cye, cyin, dbohanno, ddepaula, debarbos, dhoward, dvlasenk, ezulian, fhrbata, gnault, guillier.anthony, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jch, jdenham, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jthierry, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kpatch-maint, kwalker, ldoskova, lgoncalv, linville, lzampier, masami256, mchehab, mfalz, michal.skrivanek, mmilgram, mperina, mrehak, mstowell, nmurray, ptalbert, qzhao, rhandlin, rkeshri, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, steved, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.18-rc6
Doc Type: If docs needed, set a value
Doc Text:
The Linux kernel's TCP source port generation algorithm in the TCP stack contains a flaw due to the small table perturb size. This flaw allows an attacker to positively distinguish a system among devices with identical hardware and software, which lasts until the device restarts. An attacker can guess the evolution of the internal state used for source port generation. This information is used to infer the TCP traffic patterns of the victim, guessing the number of outgoing TCP connections established in a specific time frame, which can lead to system fingerprinting.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-10-23 19:04:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2064867, 2064868, 2064869, 2064870, 2064871, 2064872, 2064873, 2064874, 2064875, 2064876, 2064877, 2064878, 2064879, 2064880, 2064881, 2064883, 2064884, 2064885, 2064886, 2064887, 2070048, 2070049, 2083483, 2083484, 2083598, 2083599, 2083600, 2083601, 2083602, 2083603, 2083604, 2083605, 2083606, 2083607, 2083608, 2083609, 2083630, 2087128, 2087129, 2087130, 2087131, 2087132    
Bug Blocks: 2064600, 2065289, 2096903    

Description Rohit Keshri 2022-03-16 09:08:37 UTC
A flaw was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to leak information and cause a denial of service problem.

When the table perturb size is small, an attacker can practically cover all table cells with remote destinations to the attacker server, and the attacker may observe source port information.

Also, the global perturb table is shared across network interfaces and namespaces. This allows information to be leaked between interfaces.

Reference:
https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/+/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/

Comment 18 chris.cook@baesystems.com 2022-06-20 13:09:21 UTC
(In reply to Rohit Keshri from comment #0)
> A memory leak problem was found in the TCP source port generation algorithm
> in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow
> an attacker to information leak and may cause a denial of service problem.
> 
> Reference:
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/

Are the Doc Text and reference misaligned? The description states that the bug lies within net/ipv4/tcp.c, but https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/+/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/ contains changes in many kernel source files _other_ than tcp.c.

Comment 19 errata-xmlrpc 2022-06-28 06:55:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5214 https://access.redhat.com/errata/RHSA-2022:5214

Comment 20 errata-xmlrpc 2022-06-28 07:54:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5224 https://access.redhat.com/errata/RHSA-2022:5224

Comment 21 errata-xmlrpc 2022-06-28 07:55:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5220 https://access.redhat.com/errata/RHSA-2022:5220

Comment 22 errata-xmlrpc 2022-06-28 10:43:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5267 https://access.redhat.com/errata/RHSA-2022:5267

Comment 23 errata-xmlrpc 2022-06-28 14:59:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5249 https://access.redhat.com/errata/RHSA-2022:5249

Comment 24 John Haxby 2022-06-28 16:35:45 UTC
(In reply to chris.cook from comment #18)
> (In reply to Rohit Keshri from comment #0)
> > A memory leak problem was found in the TCP source port generation algorithm
> > in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow
> > an attacker to information leak and may cause a denial of service problem.
> > 
> > Reference:
> > https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> > +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/
> 
> Are the Doc Text and reference misaligned?: The description states that the
> bug lies within net/ipv4/tcp.c but
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/ contains changes in many
> kernel source files _other_ than tcp.c.

I believe this should actually be 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16").

Comment 25 Guillaume Nault 2022-06-29 19:26:37 UTC
(In reply to John Haxby from comment #24)
> (In reply to chris.cook from comment #18)
> > (In reply to Rohit Keshri from comment #0)
> > > A memory leak problem was found in the TCP source port generation algorithm
> > > in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow
> > > an attacker to information leak and may cause a denial of service problem.
> > > 
> > > Reference:
> > > https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> > > +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/
> > 
> > Are the Doc Text and reference misaligned?: The description states that the
> > bug lies within net/ipv4/tcp.c but
> > https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> > +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/ contains changes in many
> > kernel source files _other_ than tcp.c.

I understand the reference to tcp.c can be confusing, as it doesn't need to be modified.
The core of the source port selection algorithm is actually implemented by __inet_hash_connect(), in net/ipv4/inet_hashtables.c (but its callers and a few helper functions also need to be modified).
The commit cited in the description, that is commit b2d057560b81 ("secure_seq: use the 64 bits of the siphash for port offset calculation"), is just the first patch in the series to backport.

> I believe this should actually be 4c2c8f03a5ab ("tcp: increase source port
> perturb table to 2^16").

Well, it's the whole ef5624898187 ("Merge branch 'insufficient-tcp-source-port-randomness'") series that needs to be backported (and is being backported).
Commits b2d057560b81 ("secure_seq: use the 64 bits of the siphash for port offset calculation") and 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16") are both part of it.

Comment 26 John Haxby 2022-06-29 19:38:43 UTC
Ah.  Thank you.

Comment 30 errata-xmlrpc 2022-07-19 15:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5636 https://access.redhat.com/errata/RHSA-2022:5636

Comment 31 errata-xmlrpc 2022-07-19 21:06:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5626 https://access.redhat.com/errata/RHSA-2022:5626

Comment 32 errata-xmlrpc 2022-07-19 21:07:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5633 https://access.redhat.com/errata/RHSA-2022:5633

Comment 33 guillier.anthony 2022-07-30 09:42:04 UTC
I understand the fact that small table memory size can cause a DoS, but not the information leak. In case of overflow Linux's kernel TCP source port generation algorithm will crash without leaking any information; in the worst case data will lack integrity but there is no confidentiality impact.
Did I misunderstand something?

Comment 34 Rohit Keshri 2022-08-01 14:44:35 UTC
*** Bug 2096901 has been marked as a duplicate of this bug. ***

Comment 35 Rohit Keshri 2022-08-01 18:14:10 UTC
In reply to comment #33:
> I understand the fact that small table memory size can cause a DoS, but not
> the information leak. In case of overflow Linux's kernel TCP source port
> generation algorithm will crash without leaking any information; in the worst
> case data will lack integrity but there is no confidentiality impact.
> Did I misunderstand something?

Hello Team,

Observation has shown that this flaw may lead to information leak problems as well.

When the table perturb size is small, an attacker can practically cover all table cells with remote destinations to the attacker server, and the attacker may observe source port information.

Also, the global perturb table is shared across network interfaces and namespaces. This allows information to be leaked between interfaces.

Regards

Comment 36 errata-xmlrpc 2022-08-02 08:15:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5834 https://access.redhat.com/errata/RHSA-2022:5834

Comment 37 errata-xmlrpc 2022-08-03 13:01:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5819 https://access.redhat.com/errata/RHSA-2022:5819

Comment 39 errata-xmlrpc 2022-09-19 11:50:20 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551

Comment 44 Product Security DevOps Team 2022-12-05 13:03:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1012

Comment 48 Rodrigo A B Freire 2023-10-27 16:39:48 UTC
The Linux kernel's TCP source port generation algorithm in the TCP stack contains a flaw due to the small table perturb size. This flaw allows an attacker to positively distinguish a system among devices with identical hardware and software, which lasts until the device restarts.

An attacker can guess the evolution of the internal state used for source port generation. This information is used to infer the TCP traffic patterns of the victim, guessing the number of outgoing TCP connections established in a specific time frame, which can lead to system fingerprinting.

Red Hat Enterprise Linux version 7 (RHEL7) is not affected by this issue. While RHEL7 implements TCP port randomization algorithm 3 (the Simple Hash-Based Port Selection Algorithm), which is known to have shortcomings (as per RFC 6056, item 3.3.3), the object of study of this flaw was TCP port selection algorithm 4, the Double-Hash Port Selection Algorithm, which does not exist in RHEL7.

This flaw is ranked as Moderate impact due to:
* Limited exposure of the data in the TCP stack;
* The impact of this vulnerability is limited to system fingerprinting;
* The requirements to carry out the attack are elevated, requiring monitoring of the data flow.

This CVE *DOES NOT* concern memory leaks or denial of service.

For more information:
https://arxiv.org/abs/2209.12993
https://datatracker.ietf.org/doc/html/rfc6056#section-3.3.4
https://lore.kernel.org/lkml/20220428124001.7428-1-w@1wt.eu/
https://lwn.net/Articles/910435/
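The Double-Hash Port Selection Algorithm that comment 48 names (RFC 6056 Algorithm 4), as an added Python model that is not part of this bug report, of the kernel's __inet_hash_connect(), or of any of the cited patches. The secret keys, the RFC 5737 addresses and the 16-cell "small" table are constructed for the example (the page states only the post-fix size, 2^16, from the title of commit 4c2c8f03a5ab), and HMAC-SHA256 stands in for the RFC's unspecified F() and G(). The model shows the mechanism the Doc Text describes: two destinations whose G() lands in the same table cell share one counter, so a server at one destination sees the client's source port advance by the number of connections the client made to the other destination in between; with 2^16 cells such sharing is correspondingly rare (1 in 65536 for any given pair of destinations), which is why the backported series enlarges the table.

```python
"""Model of RFC 6056 Algorithm 4 (Double-Hash Port Selection) with a
configurable perturbation table.  Keys, addresses and hash functions are
constructed for this example; this is not the kernel's implementation."""
import hashlib
import hmac

# Linux's default ip_local_port_range is 32768-60999 (inclusive).
EPHEMERAL_MIN = 32768
EPHEMERAL_MAX = 60999
NUM_EPHEMERAL = EPHEMERAL_MAX - EPHEMERAL_MIN + 1

# Constructed secrets standing in for RFC 6056's secret_key1 / secret_key2.
KEY1 = b"example-secret-key-1"
KEY2 = b"example-secret-key-2"


def _keyed_hash(key: bytes, *fields) -> int:
    """Keyed hash over (local_ip, remote_ip, remote_port).  HMAC-SHA256 stands
    in for the RFC's F() and G(); only the first 64 bits are used."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:8], "big")


class PortSelector:
    """RFC 6056 Algorithm 4:
         offset = F(local_ip, remote_ip, remote_port, key1)
         index  = G(local_ip, remote_ip, remote_port, key2)   # table cell
         port   = min_ephemeral + (offset + table[index]) % num_ephemeral
         table[index] += 1
    Every destination whose G() lands in the same cell shares that counter."""

    def __init__(self, table_bits: int):
        self.table = [0] * (1 << table_bits)
        self.mask = (1 << table_bits) - 1

    def cell(self, local_ip: str, remote_ip: str, remote_port: int) -> int:
        """Index of the perturbation-table cell used for this destination."""
        return _keyed_hash(KEY2, local_ip, remote_ip, remote_port) & self.mask

    def pick_port(self, local_ip, remote_ip, remote_port, in_use=frozenset()) -> int:
        """Select a source port; each attempt advances the destination's cell."""
        offset = _keyed_hash(KEY1, local_ip, remote_ip, remote_port)
        idx = self.cell(local_ip, remote_ip, remote_port)
        for _ in range(NUM_EPHEMERAL):
            port = EPHEMERAL_MIN + (offset + self.table[idx]) % NUM_EPHEMERAL
            self.table[idx] += 1
            if (remote_ip, remote_port, port) not in in_use:
                return port
        raise RuntimeError("ephemeral port range exhausted")


def find_destination(selector, local_ip, reference, same_cell, candidates):
    """First candidate whose cell does (same_cell=True) or does not
    (same_cell=False) coincide with reference's cell; None if there is none."""
    ref = selector.cell(local_ip, *reference)
    for dest in candidates:
        if (selector.cell(local_ip, *dest) == ref) == same_cell:
            return dest
    return None


def port_delta_seen_by(selector, local_ip, observed_dest, other_dest, k):
    """Source-port difference a server at observed_dest sees between two
    consecutive connections from local_ip when k connections to other_dest
    happen in between.  The offset is fixed per destination, so the difference
    equals the number of increments the observed cell received: 1 if the two
    destinations use different cells, k + 1 if they share one."""
    first = selector.pick_port(local_ip, *observed_dest)
    for _ in range(k):
        selector.pick_port(local_ip, *other_dest)
    second = selector.pick_port(local_ip, *observed_dest)
    return (second - first) % NUM_EPHEMERAL


# Constructed hosts from the RFC 5737 documentation ranges.
CLIENT_IP = "192.0.2.10"
OBSERVER = ("203.0.113.10", 443)
CANDIDATES = [("198.51.100.20", p) for p in range(1, 2000)]

if __name__ == "__main__":
    small = PortSelector(table_bits=4)   # constructed small table: 16 cells
    large = PortSelector(table_bits=16)  # 2^16 cells, the size the fix adopts
    shared = find_destination(small, CLIENT_IP, OBSERVER, True, CANDIDATES)
    print("small table, shared cell:  delta =",
          port_delta_seen_by(small, CLIENT_IP, OBSERVER, shared, 5))
    separate = find_destination(large, CLIENT_IP, OBSERVER, False, CANDIDATES)
    print("large table, separate cell: delta =",
          port_delta_seen_by(large, CLIENT_IP, OBSERVER, separate, 5))
```

With the 16-cell table, roughly one destination in sixteen lands in the observer's cell, so a server the client talks to can read the count of the client's connections to any of those destinations straight off the port sequence; with 2^16 cells the same observation needs a 1-in-65536 coincidence per destination, which is the reduction the kernel change buys.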