lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024100959-CVE-2024-47659-03a8@gregkh> Date: Wed, 9 Oct 2024 16:03:02 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-47659: smack: tcp: ipv4, fix incorrect labeling Description =========== In the Linux kernel, the following vulnerability has been resolved: smack: tcp: ipv4, fix incorrect labeling Currently, Smack mirrors the label of incoming tcp/ipv4 connections: when a label 'foo' connects to a label 'bar' with tcp/ipv4, 'foo' always gets 'foo' in returned ipv4 packets. So, 1) returned packets are incorrectly labeled ('foo' instead of 'bar') 2) 'bar' can write to 'foo' without being authorized to write. Here is a scenario how to see this: * Take two machines, let's call them C and S, with active Smack in the default state (no settings, no rules, no labeled hosts, only builtin labels) * At S, add Smack rule 'foo bar w' (labels 'foo' and 'bar' are instantiated at S at this moment) * At S, at label 'bar', launch a program that listens for incoming tcp/ipv4 connections * From C, at label 'foo', connect to the listener at S. (label 'foo' is instantiated at C at this moment) Connection succeedes and works. * Send some data in both directions. * Collect network traffic of this connection. All packets in both directions are labeled with the CIPSO of the label 'foo'. Hence, label 'bar' writes to 'foo' without being authorized, and even without ever being known at C. If anybody cares: exactly the same happens with DCCP. This behavior 1st manifested in release 2.6.29.4 (see Fixes below) and it looks unintentional. At least, no explanation was provided. I changed returned packes label into the 'bar', to bring it into line with the Smack documentation claims. The Linux kernel CVE team has assigned CVE-2024-47659 to this issue. Affected and fixed versions =========================== Fixed in 4.19.322 with commit d3f56c653c65 Fixed in 5.4.284 with commit 5b4b304f196c Fixed in 5.10.226 with commit a948ec993541 Fixed in 5.15.167 with commit 0aea09e82eaf Fixed in 6.1.109 with commit 0776bcf9cb6d Fixed in 6.6.50 with commit 4be9fd15c3c8 Fixed in 6.10.9 with commit d3703fa94116 Fixed in 6.11 with commit 2fe209d0ad2e Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-47659 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: security/smack/smack_lsm.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/d3f56c653c65f170b172d3c23120bc64ada645d8 https://git.kernel.org/stable/c/5b4b304f196c070342e32a4752e1fa2e22fc0671 https://git.kernel.org/stable/c/a948ec993541db4ef392b555c37a1186f4d61670 https://git.kernel.org/stable/c/0aea09e82eafa50a373fc8a4b84c1d4734751e2c https://git.kernel.org/stable/c/0776bcf9cb6de46fdd94d10118de1cf9b05f83b9 https://git.kernel.org/stable/c/4be9fd15c3c88775bdf6fa37acabe6de85beebff https://git.kernel.org/stable/c/d3703fa94116fed91f64c7d1c7d284fb4369070f https://git.kernel.org/stable/c/2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550
Powered by blists - more mailing lists