Bug 1850716 (CVE-2020-14305) - CVE-2020-14305 kernel: memory corruption in Voice over IP nf_conntrack_h323 module
Summary: CVE-2020-14305 kernel: memory corruption in Voice over IP nf_conntrack_h323 m...
Alias: CVE-2020-14305
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1845428 1851897 1851898 1851899 1888690
Blocks: 1845628
TreeView+ depends on / blocked
Reported: 2020-06-24 19:25 UTC by Alex
Modified: 2021-02-16 19:46 UTC (History)
46 users (show)

Fixed In Version: kernel 4.12-rc1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Last Closed: 2020-09-29 22:01:59 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4060 0 None None None 2020-09-29 20:54:32 UTC
Red Hat Product Errata RHSA-2020:4062 0 None None None 2020-09-29 19:00:08 UTC

Description Alex 2020-06-24 19:25:13 UTC
A flaw memory corruption in the Linux kernel Voice over IP h323-conntrack-nat module was found.
An attacker could use this flaw to corrupt the memory.
For reproducing, need to establish connection to the port 1720 that is being used during call setup negotiation.
For ipv4 no crash (kernel panic), so for detecting corruption need to use ipv6.
The corruption happens for fields of struct nf_ct_ext (usually nf_ct_nat is located after nf_conn_help, but possibly nf_conn_nat and other that located in memory right after nf_conn_help).
In most cases the overlapping bytes were zero (if without debug options), so attacker cannot control directly what is being written to the corrupted memory, but at least one numerical value could be modified with tpktlen (so attacker can change TCP/IP packet payload size to control what is being written to some corrupted Int value).

The patch is: https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/

Comment 5 Alex 2020-06-28 15:02:39 UTC

Name: Vasily Averin (Virtuozzo)

Comment 10 Petr Matousek 2020-07-01 12:14:37 UTC

This issue is rated as having Moderate impact because of being limited to only IPV6 port 1720 being used and if with particular module (nf_conntrack_h323) for Voice Over IP H.323.

Comment 11 Petr Matousek 2020-07-01 12:14:43 UTC

A mitigation to this flaw would be to no longer use IPV6 on affected hardware until the kernel has been updated or to disable Voice Over IP H.323 module. Existing systems that have h323-conntrack-nat kernel module loaded will need to unload the "nf_conntrack_h323" kernel module and blacklist it ( See https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).

Comment 12 errata-xmlrpc 2020-09-29 19:00:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 13 errata-xmlrpc 2020-09-29 20:54:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 14 Product Security DevOps Team 2020-09-29 22:01:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.