Bug 2212140 (CVE-2020-36694)

Summary: CVE-2020-36694 kernel: netfilter: use-after-free in the packet processing context
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpazdziora, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.10
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the packet processing context in net/netfilter/x_tables.c in netfilter in the Linux Kernel. This issue occurs when the per-CPU sequence count is mishandled during concurrent iptables rules replacement and can be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-06-04 14:46:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1858099, 1906915, 2231817, 2231818
Bug Blocks: 2208953

Description Rohit Keshri 2023-06-04 09:34:14 UTC
A vulnerability was found in net/netfilter/x_tables.c in netfilter in the Linux Kernel. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc00bcaa589914096edef7fb87ca5cee4a166b5c

Comment 1 Rohit Keshri 2023-06-04 09:45:06 UTC
This flaw is marked moderate as the attacker needs the special privilege of CAP_NET_ADMIN to exploit this use case.

Comment 4 Product Security DevOps Team 2023-06-04 14:46:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36694

Comment 5 Jan Pazdziora (Red Hat) 2023-07-27 08:52:23 UTC
Hello Rohit,

While doing a review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE.

This bugzilla does not dispute that this CVE with moderate impact exists. Yet the CVE page https://access.redhat.com/security/cve/CVE-2020-36694 says Not affected for all supported RHELs, rather than Wontfix or something similar.

Could you please check and update the CVE page to more correctly reflect the situation with this CVE?

Thank you, Jan

Comment 9 Mauro Matteo Cascella 2023-08-14 09:33:19 UTC
This issue was fixed upstream in kernel version 5.10. The kernel packages as shipped in Red Hat Enterprise Linux 8 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2021:1578

kernel-rt in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2021:1739