Bug 2212140 (CVE-2020-36694) - CVE-2020-36694 kernel: netfilter: use-after-free in the packet processing context
Summary: CVE-2020-36694 kernel: netfilter: use-after-free in the packet processing con...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-36694
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1858099 1906915 2231817 2231818
Blocks: 2208953
Reported: 2023-06-04 09:34 UTC by Rohit Keshri
Modified: 2023-08-21 15:39 UTC (History)

Fixed In Version: kernel 5.10
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the packet processing context in net/netfilter/x_tables.c in netfilter in the Linux Kernel. This issue occurs when the per-CPU sequence count is mishandled during concurrent iptables rules replacement and can be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace.
Clone Of:
Environment:
Last Closed: 2023-06-04 14:46:55 UTC
Embargoed:



Description Rohit Keshri 2023-06-04 09:34:14 UTC
A vulnerability was found in net/netfilter/x_tables.c in netfilter in the Linux Kernel. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc00bcaa589914096edef7fb87ca5cee4a166b5c

Comment 1 Rohit Keshri 2023-06-04 09:45:06 UTC
This flaw is marked moderate as the attacker needs the special privilege CAP_NET_ADMIN to exploit this use case.

Comment 4 Product Security DevOps Team 2023-06-04 14:46:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36694

Comment 5 Jan Pazdziora 2023-07-27 08:52:23 UTC
Hello Rohit,

while doing a review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE.

This bugzilla does not dispute that this CVE with moderate impact exists. Yet the CVE page https://access.redhat.com/security/cve/CVE-2020-36694 says Not affected for all supported RHELs, rather than Wontfix or something similar.

Could you please check and update the CVE page to more correctly reflect the situation with this CVE?

Thank you, Jan

Comment 9 Mauro Matteo Cascella 2023-08-14 09:33:19 UTC
This issue was fixed upstream in kernel version 5.10. The kernel packages as shipped in Red Hat Enterprise Linux 8 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2021:1578

kernel-rt in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2021:1739
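As an added triage helper (not part of the bug report or of Red Hat's tooling), a POSIX shell script that applies the facts stated above: the upstream fix landed in 5.10, while RHEL 8 received it as a backport under RHSA-2021:1578 and RHSA-2021:1739, so a plain version comparison alone would misjudge those hosts. It assumes an RPM-based host whose kernel package changelog names the CVE; the changelog grep is that assumption, and the `kernel_at_least` / `check_host` names are the script's own.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report or of Red Hat's tooling.
# Uses only the facts stated above: fixed upstream in 5.10; RHEL 8 fixed by
# backport via RHSA-2021:1578 (kernel) and RHSA-2021:1739 (kernel-rt).

# Return 0 if kernel release $1 (e.g. "4.18.0-305.el8") is >= version $2
# (e.g. "5.10"). Only the leading dotted numeric prefix is compared, so a
# distro suffix never makes a backported kernel look newer than it is.
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    want=$2
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i"); h=${h:-0}
        w=$(printf '%s' "$want" | cut -d. -f"$i"); w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# A vendor backport keeps the release below 5.10, so on RPM-based hosts look
# for the CVE id in the running kernel package's changelog instead. That the
# changelog names the CVE is an assumption about vendor packaging practice.
rpm_changelog_mentions() {
    command -v rpm >/dev/null 2>&1 || return 1
    pkg=$(rpm -qf "/boot/vmlinuz-$(uname -r)" 2>/dev/null) || return 1
    rpm -q --changelog "$pkg" 2>/dev/null | grep -qi "$1"
}

# Print a verdict; return 0 when the fix is believed present, 1 otherwise.
check_host() {
    rel=$(uname -r)
    if kernel_at_least "$rel" 5.10; then
        echo "kernel $rel: at or above upstream fix version 5.10"; return 0
    fi
    if rpm_changelog_mentions CVE-2020-36694; then
        echo "kernel $rel: vendor backport referenced in package changelog"; return 0
    fi
    echo "kernel $rel: no fix detected, check the vendor advisory"
    # The flaw needs CAP_NET_ADMIN, which an unprivileged user gains inside a
    # user namespace it creates; report that exposure alongside the verdict.
    ns=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo unknown)
    echo "user.max_user_namespaces=$ns (0 means no user namespaces can be created)"
    return 1
}

check_host
```

Run it as root on the host being assessed; a non-zero exit means neither the upstream version nor a vendor changelog entry for the CVE was found.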

