A memory corruption flaw was found in the Linux kernel's Voice over IP H.323 connection-tracking/NAT module (nf_conntrack_h323). An attacker could use this flaw to corrupt kernel memory. To reproduce it, a connection must be established to TCP port 1720, the port used during H.323 call setup negotiation. Over IPv4 the corruption does not produce a crash (kernel panic), so IPv6 must be used to detect it. The corruption hits fields of struct nf_ct_ext, that is, whatever conntrack extension sits in memory directly after nf_conn_help (usually nf_conn_nat, but other extensions may be placed there). In most cases the overwritten bytes were zero (without debug options), so the attacker cannot directly control what is written to the corrupted memory; however, at least one numerical value can be influenced through tpktlen, the length field of the TPKT header, so by choosing the size of the TCP payload the attacker controls the integer value written to one corrupted location. The patch is: https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/
External References: https://bugs.openvz.org/browse/OVZ-7188 https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/
Acknowledgments: Name: Vasily Averin (Virtuozzo)
Statement: This issue is rated as having Moderate impact because exploitation requires that the nf_conntrack_h323 module (Voice over IP H.323 connection tracking) be loaded and that IPv6 traffic reach port 1720.
Mitigation: Until the kernel has been updated, this flaw can be mitigated by no longer using IPv6 on the affected host or by disabling the Voice over IP H.323 module. On systems where the H.323 conntrack/NAT module is loaded, unload the "nf_conntrack_h323" kernel module and blacklist it so it is not loaded again (see https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).
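As an added example (not part of the Red Hat advisory or the kernel patch), the following POSIX shell helpers implement the module-blacklisting mitigation: they pick the H.323 netfilter modules out of lsmod output in the order they have to be unloaded (nf_nat_h323 uses symbols from nf_conntrack_h323, so it must go first), and write a modprobe.d fragment that both blacklists the module and makes an explicit load fail. The lsmod text, the module sizes in it and the function names are constructed for the example; the configuration directory is a parameter so the functions run without root, and /etc/modprobe.d is only touched when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel patch: shell helpers for
# the CVE-2020-14305 mitigation (unload and blacklist nf_conntrack_h323).

# Constructed lsmod output for offline testing (module sizes are made up).
# nf_nat_h323 uses nf_conntrack_h323, so it has to be removed first.
SAMPLE_LSMOD='Module                  Size  Used by
nf_nat_h323            16384  0
nf_conntrack_h323      73728  1 nf_nat_h323
nf_conntrack          139224  3 nf_nat_h323,nf_conntrack_h323,nf_conntrack_ipv6
ipv6                  460800  12 nf_conntrack_ipv6'

# h323_unload_order LSMOD_TEXT
# Prints the H.323 netfilter modules found in lsmod-style output, one per
# line, in the order they must be unloaded: nf_nat_h323 before
# nf_conntrack_h323 (sort -r yields that order for these two names).
h323_unload_order() {
    printf '%s\n' "$1" |
        awk '$1 == "nf_nat_h323" || $1 == "nf_conntrack_h323" { print $1 }' |
        sort -r
}

# h323_loaded LSMOD_TEXT
# Exit status 0 when either H.323 module is present, 1 otherwise.
h323_loaded() {
    [ -n "$(h323_unload_order "$1")" ]
}

# write_h323_blacklist CONF_DIR
# Writes a modprobe.d fragment into CONF_DIR. "blacklist" stops alias-based
# autoloading of the module; "install ... /bin/false" makes an explicit
# modprobe of it fail as well. Prints the path of the file written.
write_h323_blacklist() {
    conf="$1/nf_conntrack_h323.conf"
    {
        echo '# CVE-2020-14305 mitigation: keep the H.323 conntrack helper unloaded'
        echo 'blacklist nf_conntrack_h323'
        echo 'install nf_conntrack_h323 /bin/false'
    } > "$conf" || return 1
    printf '%s\n' "$conf"
}

# apply_h323_mitigation
# Acts on the running kernel: needs root and real lsmod/modprobe binaries.
# modprobe -r fails while a netfilter rule still references the helper, so
# that error is reported instead of being hidden.
apply_h323_mitigation() {
    for mod in $(h323_unload_order "$(lsmod)"); do
        modprobe -r "$mod" || { echo "could not unload $mod" >&2; return 1; }
    done
    write_h323_blacklist /etc/modprobe.d
}

# Offline demonstration on the constructed data; pass --apply to act on the
# running system instead.
if [ "${1:-}" = "--apply" ]; then
    apply_h323_mitigation
else
    if h323_loaded "$SAMPLE_LSMOD"; then
        echo "H.323 modules to unload, in order:"
        h323_unload_order "$SAMPLE_LSMOD"
    fi
    demo_dir=$(mktemp -d)
    echo "wrote $(write_h323_blacklist "$demo_dir")"
    cat "$demo_dir/nf_conntrack_h323.conf"
    rm -rf "$demo_dir"
fi
```

After running with --apply, confirm with `lsmod | grep h323` that nothing is listed and that `modprobe nf_conntrack_h323` now fails; a conntrack rule that still names the h323 helper has to be removed before the module can be unloaded.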
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14305