Bug 2277238 (CVE-2024-36886) - CVE-2024-36886 kernel: TIPC message reassembly use-after-free remote code execution vulnerability
Summary: CVE-2024-36886 kernel: TIPC message reassembly use-after-free remote code exe...
Keywords:
Status: NEW
Alias: CVE-2024-36886
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: 2284262 (view as bug list)
Depends On: 2292593
Blocks: 2284293 2277237
TreeView+ depends on / blocked
 
Reported: 2024-04-25 22:26 UTC by Robb Gatica
Modified: 2024-07-15 05:12 UTC (History)
51 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free (UAF) flaw exists in the Linux Kernel within the reassembly of fragmented TIPC messages, specifically in the tipc_buf_append() function. The issue results due to a lack of checks in the error handling cleanup and can trigger a UAF on "struct sk_buff", which may lead to remote code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:4447 0 None None None 2024-07-10 00:13:28 UTC
Red Hat Product Errata RHSA-2024:4533 0 None None None 2024-07-15 05:12:55 UTC

Description Robb Gatica 2024-04-25 22:26:43 UTC
Summary:
A UAF bug exists within the reassembly of fragmented TIPC messages, specifically in `tipc_buf_append()` function. The issue results due to a lack of checks in the error handling cleanup. It leads to UAF on `struct sk_buff`. Note: The vulnerable path can also be reached in a very similar manner via `TUNNEL_PROTOCOL` messages

The bug can be triggered in local without any permission and capability:

./poc "127.0.0.1" l

The victim requires the below config on ubuntu in order to trigger it remotely. This enables the TIPC bearer on the interface:
```
modprobe tipc
tipc bearer enable media udp name UDP1 localip [victim IP]
./poc "[victim IP]" r
```

References:
https://lore.kernel.org/all/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com/
https://lore.kernel.org/linux-cve-announce/2024053033-CVE-2024-36886-dd83@gregkh/T/#u

Comment 11 Alex 2024-06-16 16:13:59 UTC
*** Bug 2284262 has been marked as a duplicate of this bug. ***

Comment 15 Alex 2024-06-16 16:54:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2292593]

Comment 19 errata-xmlrpc 2024-07-10 00:13:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4447 https://access.redhat.com/errata/RHSA-2024:4447

Comment 20 errata-xmlrpc 2024-07-15 05:12:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4533 https://access.redhat.com/errata/RHSA-2024:4533


Note You need to log in before you can comment on or make changes to this bug.