oss-sec mailing list archives

Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets


From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Tue, 29 Oct 2024 21:09:01 -0500

On 10/29/24 08:03, Joel GUITTET wrote:
We would like to ask your advice about the CVE-2024-36905 (tcp shutdown vulnerability).
NIST indicates a network vector while AWS and Red Hat indicate a local attack vector.
Our cybersecurity team has difficulty justifying that a local vector is appropriate here.
Can you help us to understand this specific point for this CVE? The hypothesis we have is that a TCP socket needs to be open/closed quickly, and maybe it's not possible remotely?

From my understanding of Git commit 94062790aedb505bdda209b10bea47b294d6394f (<URL:https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=94062790aedb505bdda209b10bea47b294d6394f>), this appears to be a race condition where a program (running locally) calls connect(2) and then shutdown(2) without actually attempting to transfer any data, with a further constraint that certain packets (I am unsure precisely what) must have been transferred such that the TCP connection is half-opened.  It *might* be possible to cause this crash remotely if a program attempts to set up a unidirectional TCP connection (achieved by shutting down the undesired direction) but I am unsure if any such programs are actually in use.

I would need to further study the Linux networking code to be sure, but a comment updated in the patch seems to imply that this is an edge case that was previously believed to be impossible to reach.  I suspect NIST labeled it "network" because TCP is involved, but as of this writing <URL:https://nvd.nist.gov/vuln/detail/CVE-2024-36905> says "This vulnerability is currently awaiting analysis." so I would expect NIST's indication to be revised after that analysis is completed.

Again, this issue is probably only remotely exploitable if the host is running a very unusual client program, but a local exploit can supply the required oddly-behaving program.


-- Jacob
