Bug 2277238 (CVE-2024-36886) - CVE-2024-36886 kernel: TIPC message reassembly use-after-free remote code execution vulnerability
Summary: CVE-2024-36886 kernel: TIPC message reassembly use-after-free remote code exe...
Keywords:
Status: NEW
Alias: CVE-2024-36886
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: 2284262 (view as bug list)
Depends On: 2292593
Blocks: 2284293 2277237
TreeView+ depends on / blocked
 
Reported: 2024-04-25 22:26 UTC by Robb Gatica
Modified: 2024-10-21 09:45 UTC (History)
52 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:4691 0 None None None 2024-07-22 06:55:25 UTC
Red Hat Product Errata RHBA-2024:5117 0 None None None 2024-08-08 08:32:49 UTC
Red Hat Product Errata RHBA-2024:5207 0 None None None 2024-08-12 07:53:05 UTC
Red Hat Product Errata RHBA-2024:5208 0 None None None 2024-08-12 08:33:35 UTC
Red Hat Product Errata RHBA-2024:5233 0 None None None 2024-08-12 13:51:16 UTC
Red Hat Product Errata RHBA-2024:5235 0 None None None 2024-08-12 14:23:55 UTC
Red Hat Product Errata RHBA-2024:5236 0 None None None 2024-08-12 14:40:00 UTC
Red Hat Product Errata RHBA-2024:5237 0 None None None 2024-08-12 14:43:00 UTC
Red Hat Product Errata RHBA-2024:5386 0 None None None 2024-08-14 10:47:49 UTC
Red Hat Product Errata RHBA-2024:5866 0 None None None 2024-08-26 14:39:24 UTC
Red Hat Product Errata RHSA-2024:4447 0 None None None 2024-07-10 00:13:28 UTC
Red Hat Product Errata RHSA-2024:4533 0 None None None 2024-07-15 05:12:55 UTC
Red Hat Product Errata RHSA-2024:4547 0 None None None 2024-07-15 16:05:21 UTC
Red Hat Product Errata RHSA-2024:4548 0 None None None 2024-07-15 16:02:45 UTC
Red Hat Product Errata RHSA-2024:4554 0 None None None 2024-07-15 21:23:37 UTC
Red Hat Product Errata RHSA-2024:4583 0 None None None 2024-07-17 00:48:54 UTC
Red Hat Product Errata RHSA-2024:4713 0 None None None 2024-07-23 00:17:43 UTC
Red Hat Product Errata RHSA-2024:5101 0 None None None 2024-08-08 04:53:16 UTC
Red Hat Product Errata RHSA-2024:5102 0 None None None 2024-08-08 04:41:49 UTC
Red Hat Product Errata RHSA-2024:5255 0 None None None 2024-08-13 00:27:05 UTC
Red Hat Product Errata RHSA-2024:5256 0 None None None 2024-08-13 00:10:45 UTC
Red Hat Product Errata RHSA-2024:5257 0 None None None 2024-08-13 00:16:46 UTC
Red Hat Product Errata RHSA-2024:5520 0 None None None 2024-08-19 01:22:56 UTC
Red Hat Product Errata RHSA-2024:5522 0 None None None 2024-08-19 05:49:39 UTC
Red Hat Product Errata RHSA-2024:5858 0 None None None 2024-08-26 11:22:11 UTC
Red Hat Product Errata RHSA-2024:7002 0 None None None 2024-09-24 01:05:29 UTC
Red Hat Product Errata RHSA-2024:7003 0 None None None 2024-09-24 00:47:05 UTC
Red Hat Product Errata RHSA-2024:7427 0 None None None 2024-10-01 00:32:25 UTC

Description Robb Gatica 2024-04-25 22:26:43 UTC 
Summary:
A UAF bug exists within the reassembly of fragmented TIPC messages, specifically in `tipc_buf_append()` function. The issue results due to a lack of checks in the error handling cleanup. It leads to UAF on `struct sk_buff`. Note: The vulnerable path can also be reached in a very similar manner via `TUNNEL_PROTOCOL` messages

The bug can be triggered in local without any permission and capability:

./poc "127.0.0.1" l

The victim requires the below config on ubuntu in order to trigger it remotely. This enables the TIPC bearer on the interface:
```
modprobe tipc
tipc bearer enable media udp name UDP1 localip [victim IP]
./poc "[victim IP]" r
```

References:
https://lore.kernel.org/all/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com/
https://lore.kernel.org/linux-cve-announce/2024053033-CVE-2024-36886-dd83@gregkh/T/#u
Comment 11 Alex 2024-06-16 16:13:59 UTC 
*** Bug 2284262 has been marked as a duplicate of this bug. ***
Comment 15 Alex 2024-06-16 16:54:48 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2292593]
Comment 19 errata-xmlrpc 2024-07-10 00:13:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4447 https://access.redhat.com/errata/RHSA-2024:4447
Comment 20 errata-xmlrpc 2024-07-15 05:12:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4533 https://access.redhat.com/errata/RHSA-2024:4533
Comment 21 errata-xmlrpc 2024-07-15 16:02:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4548 https://access.redhat.com/errata/RHSA-2024:4548
Comment 22 errata-xmlrpc 2024-07-15 16:05:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2024:4547 https://access.redhat.com/errata/RHSA-2024:4547
Comment 24 errata-xmlrpc 2024-07-15 21:23:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4554 https://access.redhat.com/errata/RHSA-2024:4554
Comment 25 errata-xmlrpc 2024-07-17 00:48:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4583 https://access.redhat.com/errata/RHSA-2024:4583
Comment 26 errata-xmlrpc 2024-07-23 00:17:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4713 https://access.redhat.com/errata/RHSA-2024:4713
Comment 28 errata-xmlrpc 2024-08-08 04:41:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5102 https://access.redhat.com/errata/RHSA-2024:5102
Comment 29 errata-xmlrpc 2024-08-08 04:53:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5101 https://access.redhat.com/errata/RHSA-2024:5101
Comment 30 errata-xmlrpc 2024-08-13 00:10:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:5256 https://access.redhat.com/errata/RHSA-2024:5256
Comment 31 errata-xmlrpc 2024-08-13 00:16:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:5257 https://access.redhat.com/errata/RHSA-2024:5257
Comment 32 errata-xmlrpc 2024-08-13 00:27:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5255 https://access.redhat.com/errata/RHSA-2024:5255
Comment 33 errata-xmlrpc 2024-08-19 01:22:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5520 https://access.redhat.com/errata/RHSA-2024:5520
Comment 34 errata-xmlrpc 2024-08-19 05:49:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5522 https://access.redhat.com/errata/RHSA-2024:5522
Comment 35 errata-xmlrpc 2024-08-26 11:22:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:5858 https://access.redhat.com/errata/RHSA-2024:5858
Comment 36 errata-xmlrpc 2024-09-24 00:47:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:7003 https://access.redhat.com/errata/RHSA-2024:7003
Comment 37 errata-xmlrpc 2024-09-24 01:05:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:7002 https://access.redhat.com/errata/RHSA-2024:7002
Comment 38 errata-xmlrpc 2024-10-01 00:32:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:7427 https://access.redhat.com/errata/RHSA-2024:7427
Note You need to log in before you can comment on or make changes to this bug.