Bug 2258875 (CVE-2023-52881, RHV-2024-1001)

Summary: CVE-2023-52881 kernel: TCP-spoofed ghost ACKs and leak leak initial sequence number
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lxin, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rgatica, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, sidakwo, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. Two TCP spoofing primitives exist where an attacker can brute force the server-chosen send window by acknowledging data that was never sent, called "ghost ACKs." There are side channels that also allow the attacker to leak the otherwise secret server-chosen initial sequence number (ISN). One of these side channels leverages TCP SYN cookies.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2279717    
Bug Blocks: 2249132    

Description Rohit Keshri 2024-01-17 20:35:27 UTC 
Dear Linux Developers,

We're reaching out to you as part of the disclosure process of our research.

In our research, which we will present at IEEE Security & Privacy in May 2024, we found that attackers can not only create TCP-spoofed connections (which was already known), but can also reliably transmit IP-spoofed data over such connections. This has security implications for applications that rely on TCP endpoint IP addresses, such as firewalling or host-based authentication (e.g., SMTP/SPF, of DBs).

We basically discovered two TCP spoofing primitives. First, attackers can bruteforce the server-chosen send window by acknowledging data that was never sent (what we call "ghost ACKs"; see Figure 3 in the paper). Second, we show that there are side channels that allow the attacker to leak the otherwise-secret server-chosen initial sequence number (ISN). One of these side channels leverages TCP SYN cookies.

We believe that the TCP/IP stack can take countermeasures to prevent such attacks, or at least make them harder. For example, we think that TCP endpoints should ignore ghost ACKs, and have some ideas to randomize the TCP backlog queue to prevent the SYN cookie side channel. 

At the same time, we have disclosed our findings to the IETF folks and hope that they have helpful feedback for us.
Comment 4 Alex 2024-02-05 13:23:44 UTC 
*** Bug 2262763 has been marked as a duplicate of this bug. ***
Comment 12 Alex 2024-05-08 09:07:39 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2279717]
Comment 16 Alex 2024-06-09 15:45:42 UTC 
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2023-52881 is: CHECK	Maybe valid. Check manually. with impact MODERATE (that is approximation based on flags REMOTE NETWORK IMPROVEONLY  ; these flags parsed automatically based on patche data). Such automatic check happens only for Low/Moderates (and only when not from reporter, but parsing already existing CVE). Highs always checked manually (I check it myself and then we check it again in Remediation team). In rare cases some of the Moderates could be increased to High later.
Comment 24 errata-xmlrpc 2024-07-02 08:53:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4211 https://access.redhat.com/errata/RHSA-2024:4211
Comment 25 errata-xmlrpc 2024-07-08 02:01:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4352 https://access.redhat.com/errata/RHSA-2024:4352
Comment 27 errata-xmlrpc 2024-08-13 14:32:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:5281 https://access.redhat.com/errata/RHSA-2024:5281
Comment 29 errata-xmlrpc 2024-09-03 15:42:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6206 https://access.redhat.com/errata/RHSA-2024:6206
Comment 31 errata-xmlrpc 2024-12-04 00:16:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:10773 https://access.redhat.com/errata/RHSA-2024:10773
Comment 32 errata-xmlrpc 2024-12-04 00:42:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:10772 https://access.redhat.com/errata/RHSA-2024:10772