Bug 2064604 (CVE-2022-1012) - CVE-2022-1012 kernel: Small table perturb size in the TCP source port generation algorithm can lead to information leak
Summary: CVE-2022-1012 kernel: Small table perturb size in the TCP source port generat...
Keywords:
Status: NEW
Alias: CVE-2022-1012
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: CVE-2022-32296
Depends On: 2064868 2064870 2064876 2064883 2070049 2064867 2064869 2064871 2064872 2064873 2064874 2064875 2064877 2064878 2064879 2064880 2064881 2064884 2064885 2064886 2064887 2070048 2083483 2083484 2083598 2083599 2083600 2083601 2083602 2083603 2083604 2083605 2083606 2083607 2083608 2083609 2083630 2087128 2087129 2087130 2087131 2087132
Blocks: 2064600 2065289 2096903
Reported: 2022-03-16 09:08 UTC by Rohit Keshri
Modified: 2022-08-12 04:29 UTC
CC List: 64 users

Fixed In Version: kernel 5.18-rc6
Doc Type: If docs needed, set a value
Doc Text:
Due to the small table perturb size, a memory leak flaw was found in the Linux kernel’s TCP source port generation algorithm in the net/ipv4/tcp.c function. This flaw allows an attacker to leak information and may cause a denial of service.
Clone Of:
Environment:
Last Closed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5457 0 None None None 2022-06-30 17:42:30 UTC
Red Hat Product Errata RHBA-2022:5744 0 None None None 2022-07-27 17:36:57 UTC
Red Hat Product Errata RHBA-2022:5746 0 None None None 2022-07-28 05:30:10 UTC
Red Hat Product Errata RHBA-2022:5925 0 None None None 2022-08-08 16:24:39 UTC
Red Hat Product Errata RHSA-2022:5214 0 None None None 2022-06-28 06:55:30 UTC
Red Hat Product Errata RHSA-2022:5220 0 None None None 2022-06-28 07:55:29 UTC
Red Hat Product Errata RHSA-2022:5224 0 None None None 2022-06-28 07:54:13 UTC
Red Hat Product Errata RHSA-2022:5249 0 None None None 2022-06-28 14:59:30 UTC
Red Hat Product Errata RHSA-2022:5267 0 None None None 2022-06-28 10:43:14 UTC
Red Hat Product Errata RHSA-2022:5626 0 None None None 2022-07-19 21:06:11 UTC
Red Hat Product Errata RHSA-2022:5633 0 None None None 2022-07-19 21:07:59 UTC
Red Hat Product Errata RHSA-2022:5636 0 None None None 2022-07-19 15:28:44 UTC
Red Hat Product Errata RHSA-2022:5819 0 None None None 2022-08-03 13:02:03 UTC
Red Hat Product Errata RHSA-2022:5834 0 None None None 2022-08-02 08:15:35 UTC

Description Rohit Keshri 2022-03-16 09:08:37 UTC
A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to leak information and may cause a denial of service problem.

Reference:
https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/+/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/

Comment 18 chris.cook@baesystems.com 2022-06-20 13:09:21 UTC
(In reply to Rohit Keshri from comment #0)
> A memory leak problem was found in the TCP source port generation algorithm
> in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow
> an attacker to information leak and may cause a denial of service problem.
> 
> Reference:
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/

Are the Doc Text and reference misaligned?: The description states that the bug lies within net/ipv4/tcp.c but https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/+/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/ contains changes in many kernel source files _other_ than tcp.c.

Comment 19 errata-xmlrpc 2022-06-28 06:55:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5214 https://access.redhat.com/errata/RHSA-2022:5214

Comment 20 errata-xmlrpc 2022-06-28 07:54:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5224 https://access.redhat.com/errata/RHSA-2022:5224

Comment 21 errata-xmlrpc 2022-06-28 07:55:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5220 https://access.redhat.com/errata/RHSA-2022:5220

Comment 22 errata-xmlrpc 2022-06-28 10:43:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5267 https://access.redhat.com/errata/RHSA-2022:5267

Comment 23 errata-xmlrpc 2022-06-28 14:59:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5249 https://access.redhat.com/errata/RHSA-2022:5249

Comment 24 John Haxby 2022-06-28 16:35:45 UTC
(In reply to chris.cook@baesystems.com from comment #18)
> (In reply to Rohit Keshri from comment #0)
> > A memory leak problem was found in the TCP source port generation algorithm
> > in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow
> > an attacker to information leak and may cause a denial of service problem.
> > 
> > Reference:
> > https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> > +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/
> 
> Are the Doc Text and reference misaligned?: The description states that the
> bug lies within net/ipv4/tcp.c but
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/ contains changes in many
> kernel source files _other_ than tcp.c.

I believe this should actually be 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16").

Comment 25 Guillaume Nault 2022-06-29 19:26:37 UTC
(In reply to John Haxby from comment #24)
> (In reply to chris.cook@baesystems.com from comment #18)
> > (In reply to Rohit Keshri from comment #0)
> > > A memory leak problem was found in the TCP source port generation algorithm
> > > in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow
> > > an attacker to information leak and may cause a denial of service problem.
> > > 
> > > Reference:
> > > https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> > > +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/
> > 
> > Are the Doc Text and reference misaligned?: The description states that the
> > bug lies within net/ipv4/tcp.c but
> > https://kernel.googlesource.com/pub/scm/linux/kernel/git/jkirsher/net-queue/
> > +/b2d057560b8107c633b39aabe517ff9d93f285e3%5E%21/ contains changes in many
> > kernel source files _other_ than tcp.c.

I understand the reference to tcp.c can be confusing, as it doesn't need to be modified.
The core of the source port selection algorithm is actually implemented by __inet_hash_connect(), in net/ipv4/inet_hashtables.c (but its callers and a few helper functions also need to be modified).
The commit cited in the description, that is commit b2d057560b81 ("secure_seq: use the 64 bits of the siphash for port offset calculation"), is just the first patch in the series to backport.

> I believe this should actually be 4c2c8f03a5ab ("tcp: increase source port
> perturb table to 2^16").

Well, it's the whole ef5624898187 ("Merge branch 'insufficient-tcp-source-port-randomness'") series that needs to be backported (and is being backported).
Commits b2d057560b81 ("secure_seq: use the 64 bits of the siphash for port offset calculation") and 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16") are both part of it.

Comment 26 John Haxby 2022-06-29 19:38:43 UTC
Ah.  Thank you.

Comment 30 errata-xmlrpc 2022-07-19 15:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5636 https://access.redhat.com/errata/RHSA-2022:5636

Comment 31 errata-xmlrpc 2022-07-19 21:06:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5626 https://access.redhat.com/errata/RHSA-2022:5626

Comment 32 errata-xmlrpc 2022-07-19 21:07:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5633 https://access.redhat.com/errata/RHSA-2022:5633

Comment 33 guillier.anthony 2022-07-30 09:42:04 UTC
I understand the fact that small table memory size can cause a DoS, but not the information leak. In case of overflow Linux's Kernel TCP source port generation algorithm will crash without leaking any information; in the worst case data will lack integrity but there is no confidentiality impact.
Did I misunderstand something?

Comment 34 Rohit Keshri 2022-08-01 14:44:35 UTC
*** Bug 2096901 has been marked as a duplicate of this bug. ***

Comment 35 Rohit Keshri 2022-08-01 18:14:10 UTC
In reply to comment #33:
> I understand the fact that small table memory size can cause a DoS, but not
> the information leak. In case of overflow Linux's Kernel TCP source port
> generation algorithm will crash without leaking any information, in wroste
> case data will lack integrity but no confidentiality impact..
> Did I misunderstood something?

Hello Team,

Observation has shown that this flaw may lead to information leak problems as well.
 
When the table perturb size is small, an attacker can practically cover all table cells with remote destinations to the attacker server, and the attacker may observe source port information.

Also, the global table perturb is shared across network interfaces and namespaces. This allows information to be leaked between interfaces.


Regards
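To make the mechanism described in comments 25 and 35 concrete, here is an added Python model, constructed for this page and not taken from the kernel, of a global perturbation table indexed by a keyed hash of the destination tuple. It shows that at the old 2^8 cells nearly every destination shares a cell with another, so the counter advanced by one flow shifts the source ports chosen for unrelated flows, while at the 2^16 cells of commit 4c2c8f03a5ab sharing is rare. BLAKE2b in place of siphash, the port range and the per-connection step are assumptions.

```python
import hashlib

# Simplified model of the global source-port perturbation table. This is an
# added illustration, not the kernel's __inet_hash_connect(): a keyed BLAKE2b
# hash of the destination tuple stands in for siphash, and one shared counter
# per cell stands in for the kernel's per-cell perturbation state.
PORT_LO, PORT_HI = 32768, 60999       # assumed local port range
KEY = b"constructed-demo-key"         # stand-in for the kernel's secret

def tuple_offset(daddr: str, dport: int) -> int:
    """64-bit keyed offset for one destination tuple."""
    h = hashlib.blake2b(f"{daddr}:{dport}".encode(), key=KEY, digest_size=8)
    return int.from_bytes(h.digest(), "little")

def cell_index(bits: int, daddr: str, dport: int) -> int:
    """8 bits -> 256 cells (before the fix), 16 bits -> 65536 (after)."""
    return tuple_offset(daddr, dport) & ((1 << bits) - 1)

def connect(table: list, daddr: str, dport: int) -> int:
    """Pick a source port for a new flow and advance the cell it hashed to."""
    bits = len(table).bit_length() - 1
    i = cell_index(bits, daddr, dport)
    port = PORT_LO + (tuple_offset(daddr, dport) + table[i]) % (PORT_HI - PORT_LO + 1)
    table[i] += 2                     # step shared by every flow in this cell
    return port

def shared_cell_fraction(bits: int, n_dest: int) -> float:
    """Fraction of n constructed destinations whose cell is shared with another."""
    idx = [cell_index(bits, f"203.0.113.{d % 256}", 1024 + d) for d in range(n_dest)]
    counts = {}
    for i in idx:
        counts[i] = counts.get(i, 0) + 1
    return sum(1 for i in idx if counts[i] > 1) / n_dest

def ports_coupled(bits: int, candidates: int = 2000) -> bool:
    """True if traffic to some unrelated destination shifts the port picked for
    flow_a, which happens exactly when the two flows hash to the same cell."""
    flow_a = ("198.51.100.10", 443)
    baseline = connect([0] * (1 << bits), *flow_a)
    for d in range(candidates):
        flow_b = (f"192.0.2.{d % 256}", 2000 + d)
        if cell_index(bits, *flow_b) != cell_index(bits, *flow_a):
            continue
        table = [0] * (1 << bits)
        for _ in range(3):
            connect(table, *flow_b)   # unrelated flows advance the shared cell
        return connect(table, *flow_a) != baseline
    return False                      # no collision among the candidates
```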

Comment 36 errata-xmlrpc 2022-08-02 08:15:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5834 https://access.redhat.com/errata/RHSA-2022:5834

Comment 37 errata-xmlrpc 2022-08-03 13:01:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5819 https://access.redhat.com/errata/RHSA-2022:5819
