CVE-2022-48687

2024-05-0300:00:00

ubuntu.com

linux kernel

ipv6 vulnerability

hmac data

netlink

out-of-bounds read

srv6 layer

security issue

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

JSON

In the Linux kernel, the following vulnerability has been resolved: ipv6:
sr: fix out-of-bounds read when setting HMAC data. The SRv6 layer allows
defining HMAC data that can later be used to sign IPv6 Segment Routing
Headers. This configuration is realised via netlink through four
attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the
actual length of the SECRET attribute, it is possible to provide invalid
combinations (e.g., secret = “”, secretlen = 64). This case is not checked
in the code and with an appropriately crafted netlink message, an
out-of-bounds read of up to 64 bytes (max secret length) can occur past the
skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac
(skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208
memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac
(skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1
0xffffffff81e012e9 in genl_family_rcv_msg_doit
(skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80,
hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,
family=<optimized out>) at net/netlink/genetlink.c:731 #2
0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0,
nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0
<seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg
(skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0)
at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb
(skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350
<genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in
genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6
0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800,
skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at
net/netlink/af_netlink.c:1319 #7 netlink_unicast
(ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00,
portid=portid@entry=0, nonblock=<optimized out>) at
net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg
(sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at
net/netlink/af_netlink.c:1921 … (gdb) p/x ((struct sk_buff
*)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
$1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p
slen $3 = 64 ‘@’ The OOB data can then be read back from userspace by
dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot
exceed the actual length of SECRET.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchlinux< anyUNKNOWN
ubuntu20.04noarchlinux< anyUNKNOWN
ubuntu22.04noarchlinux< anyUNKNOWN
ubuntu23.10noarchlinux< anyUNKNOWN
ubuntu24.04noarchlinux< anyUNKNOWN
ubuntu14.04noarchlinux< anyUNKNOWN
ubuntu16.04noarchlinux< anyUNKNOWN
ubuntu18.04noarchlinux-aws< anyUNKNOWN
ubuntu20.04noarchlinux-aws< anyUNKNOWN
ubuntu22.04noarchlinux-aws< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	linux	< any	UNKNOWN
ubuntu	20.04	noarch	linux	< any	UNKNOWN
ubuntu	22.04	noarch	linux	< any	UNKNOWN
ubuntu	23.10	noarch	linux	< any	UNKNOWN
ubuntu	24.04	noarch	linux	< any	UNKNOWN
ubuntu	14.04	noarch	linux	< any	UNKNOWN
ubuntu	16.04	noarch	linux	< any	UNKNOWN
ubuntu	18.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	20.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	22.04	noarch	linux-aws	< any	UNKNOWN