CVE-2024-47678

In the Linux kernel, the following vulnerability has been resolved: icmp: change the order of rate limits ICMP messages are ratelimited : After the blamed commits, the two rate limiters are applied in this order: 1) host wide ratelimit (icmp_global_allow()) 2) Per destination ratelimit (inetpeer based) In order to avoid side-channels attacks, we need to apply the per destination check first. This patch makes the following change : 1) icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3) 2) The per destination limit is checked/updated. This might add a new node in inetpeer tree. 3) icmp_global_consume() consumes tokens if prior operations succeeded. This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS. As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19	Patch
https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b	Patch
https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e	Patch
https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3	Patch
https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2024-10-21 12:15

Updated : 2024-10-23 17:58

NVD link : CVE-2024-47678

Mitre link : CVE-2024-47678

CVE.ORG link : CVE-2024-47678

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-203

Observable Discrepancy

{"id": "CVE-2024-47678", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-10-21T12:15:04.837", "references": [{"url": "https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: change the order of rate limits\n\nICMP messages are ratelimited :\n\nAfter the blamed commits, the two rate limiters are applied in this order:\n\n1) host wide ratelimit (icmp_global_allow())\n\n2) Per destination ratelimit (inetpeer based)\n\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\n\nThis patch makes the following change :\n\n1) icmp_global_allow() checks if the host wide limit is reached.\n But credits are not yet consumed. This is deferred to 3)\n\n2) The per destination limit is checked/updated.\n This might add a new node in inetpeer tree.\n\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\n\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\n\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: icmp: cambia el orden de los l\u00edmites de velocidad Los mensajes ICMP est\u00e1n limitados por velocidad: despu\u00e9s de las confirmaciones culpables, se aplican los dos limitadores de velocidad en este orden: 1) l\u00edmite de velocidad de todo el host (icmp_global_allow()) 2) l\u00edmite de velocidad por destino (basado en inetpeer) Para evitar ataques de canales secundarios, primero debemos aplicar la comprobaci\u00f3n por destino. Este parche realiza el siguiente cambio: 1) icmp_global_allow() comprueba si se ha alcanzado el l\u00edmite de todo el host. Pero a\u00fan no se han consumido los cr\u00e9ditos. Esto se pospone a 3) 2) Se comprueba/actualiza el l\u00edmite por destino. Esto podr\u00eda agregar un nuevo nodo en el \u00e1rbol inetpeer. 3) icmp_global_consume() consume tokens si las operaciones anteriores tuvieron \u00e9xito. Esto significa que el l\u00edmite de velocidad de todo el host sigue siendo eficaz para mantener peque\u00f1o el \u00e1rbol inetpeer incluso bajo DDOS. Como beneficio adicional, elimin\u00e9 icmp_global.lock ya que la ruta r\u00e1pida puede usar una operaci\u00f3n sin bloqueo."}], "lastModified": "2024-10-23T17:58:08.720", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBD751AA-4593-4525-B2FB-57EAC7F81608", "versionEndExcluding": "6.1.113", "versionStartIncluding": "3.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D448821D-C085-4CAF-88FA-2DDE7BE21976", "versionEndExcluding": "6.6.54", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE", "versionEndExcluding": "6.10.13", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181", "versionEndExcluding": "6.11.2", "versionStartIncluding": "6.11"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}