CVE-2024-47659 Information

Nov 01, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

smack: tcp: ipv4 fix incorrect labeling

Currently Smack mirrors the label of incoming tcp/ipv4 connections: when a label ‘foo’ connects to a label ‘bar’ with tcp/ipv4 ‘foo’ always gets ‘foo’ in returned ipv4 packets. So

returned packets are incorrectly labeled (‘foo’ instead of ‘bar’)
‘bar’ can write to ‘foo’ without being authorized to write.

Here is a scenario how to see this:

Take two machines let’s call them C and S with active Smack in the default state (no settings no rules no labeled hosts only builtin labels)

At S add Smack rule ‘foo bar w’ (labels ‘foo’ and ‘bar’ are instantiated at S at this moment)

At S at label ‘bar’ launch a program that listens for incoming tcp/ipv4 connections

From C at label ‘foo’ connect to the listener at S. (label ‘foo’ is instantiated at C at this moment) Connection succeedes and works.

Send some data in both directions. Collect network traffic of this connection.

All packets in both directions are labeled with the CIPSO of the label ‘foo’. Hence label ‘bar’ writes to ‘foo’ without being authorized and even without ever being known at C.

If anybody cares: exactly the same happens with DCCP.

This behavior 1st manifested in release 2.6.29.4 (see Fixes below) and it looks unintentional. At least no explanation was provided.

I changed returned packes label into the ‘bar’ to bring it into line with the Smack documentation claims.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8

Share on: