On 10/29/24 08:03, Joel GUITTET wrote:
> We would like to ask your advice about CVE-2024-36905 (the TCP shutdown
> vulnerability).
> NIST indicates a network vector while AWS and Red Hat indicate a local attack
> vector.
> Our cybersecurity team has difficulty justifying that a local vector is
> appropriate here.
> Can you help us understand this specific point for this CVE? The hypothesis
> we have is that a TCP socket needs to be opened/closed quickly, and maybe
> that's not possible remotely?

From my understanding of Git commit 94062790aedb505bdda209b10bea47b294d6394f (<URL:https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=94062790aedb505bdda209b10bea47b294d6394f>), this appears to be a race condition where a program (running locally) calls connect(2) and then shutdown(2) without actually attempting to transfer any data, with a further constraint that certain packets (I am unsure precisely what) must have been transferred such that the TCP connection is half-opened.  It *might* be possible to cause this crash remotely if a program attempts to set up a unidirectional TCP connection (achieved by shutting down the undesired direction) but I am unsure if any such programs are actually in use.

I would need to further study the Linux networking code to be sure, but a comment updated in the patch seems to imply that this is an edge case that was previously believed to be impossible to reach.  I suspect NIST labeled it "network" because TCP is involved, but as of this writing <URL:https://nvd.nist.gov/vuln/detail/CVE-2024-36905> says "This vulnerability is currently awaiting analysis." so I would expect NIST's indication to be revised after that analysis is completed.

Again, this issue is probably only remotely exploitable if the host is running a very unusual client program, but a local exploit can supply the required oddly-behaving program.

-- Jacob