CVE-2024-35960
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: High
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Properly link new fs rules into the tree

Previously, add_rule_fg would only add newly created rules from the handle into the tree when they had a refcount of 1. On the other hand, create_flow_handle tries hard to find and reference already existing identical rules instead of creating new ones.

These two behaviors can result in a situation where create_flow_handle 1) creates a new rule and references it, then 2) in a subsequent step during the same handle creation references it again, resulting in a rule with a refcount of 2 that is not linked into the tree, will have a NULL parent and root and will result in a crash when the flow group is deleted because del_sw_hw_rule, invoked on rule deletion, assumes node->parent is != NULL.

This happened in the wild, due to another bug related to incorrect handling of duplicate pkt_reformat ids, which led to the code in create_flow_handle incorrectly referencing a just-added rule in the same flow handle, resulting in the problem described above. Full details are at [1].

This patch changes add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes it more consistent with how rules are added to an FTE in create_flow_handle.
Comprehensive Technical Analysis of CVE-2024-35960
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2024-35960
CVSS Score: 9.1
Severity Evaluation: The CVSS score of 9.1 indicates a critical vulnerability. The score reflects the vector above: the flaw is reachable over the network with low attack complexity and no privileges or user interaction, and its impact on integrity and availability is rated high. Because the mishandled flow rule leads to a kernel crash, the practical consequence is a denial-of-service (DoS) condition, making the issue a significant threat to system stability and availability.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Network-Based Attacks: An attacker could exploit this vulnerability by sending specially crafted network packets designed to trigger the flawed handling of flow rules.
- Local Exploitation: A local user with sufficient privileges could manipulate the system to create conditions that lead to the vulnerability being triggered.
Exploitation Methods:
- Crafted Network Traffic: By sending malformed packets, an attacker could induce the kernel to create and reference flow rules in a way that leads to a crash.
- Resource Exhaustion: An attacker could exploit the vulnerability to exhaust system resources, leading to a DoS condition.
3. Affected Systems and Software Versions
Affected Systems:
- Linux kernel versions prior to the patch that resolves CVE-2024-35960.
- Systems running network-intensive applications that rely on the net/mlx5 driver, such as high-performance computing clusters and data centers.
Software Versions:
- Specific kernel versions affected are not listed, but it is implied that any version prior to the patch release is vulnerable.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Apply Patches: Ensure that the Linux kernel is updated to the latest version that includes the patch for CVE-2024-35960.
- Network Filtering: Implement network filters to block malformed packets that could trigger the vulnerability.
Long-Term Mitigation:
- Regular Updates: Maintain a regular update schedule for the Linux kernel and other critical software components.
- Monitoring: Implement monitoring tools to detect unusual network traffic patterns that could indicate an attempt to exploit this vulnerability.
5. Impact on Cybersecurity Landscape
Impact:
- System Stability: The vulnerability can lead to system crashes, affecting the availability and reliability of critical services.
- Exploitation Potential: The high CVSS score indicates a significant risk of exploitation, making it a priority for cybersecurity teams to address.
- Widespread Use: Given the widespread use of the Linux kernel, this vulnerability has the potential to impact a large number of systems globally.
6. Technical Details for Security Professionals
Technical Overview:
The vulnerability arises from inconsistent handling of flow rules in the net/mlx5 driver. Specifically, the add_rule_fg function only adds rules with a reference count of 1 to the tree, while create_flow_handle can create and reference rules multiple times, leading to rules with a reference count of 2 that are not properly linked into the tree. This results in a crash when the flow group is deleted because del_sw_hw_rule assumes node->parent is not NULL.
Patch Details:
The patch modifies add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes the behavior more consistent with how rules are added to an FTE in create_flow_handle.
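The inconsistency described above (rules created and then re-referenced within one handle, skipped by a refcount-based linking check, and later deleted through a path that assumes a parent) can be reproduced in a small model. The following C program is an added illustration and is not the kernel's code: the structs, the array-backed FTE, and the destination id 7 are constructed for the example, and the function names are borrowed from the description only to show which step each stands in for. The deletion step reports an unlinked rule instead of dereferencing a NULL parent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_RULES 8

struct fte;

/* Constructed model of a flow-steering rule node: not the kernel's
 * struct fs_node, only the fields needed to show the inconsistency. */
struct rule {
    int dest_id;        /* stands in for the destination / pkt_reformat id */
    int refcount;
    struct fte *parent; /* NULL until the rule is linked into the tree */
};

/* Flow-table entry (FTE). New rules are appended to children as soon as
 * they are created, before a parent is assigned, so later lookups in the
 * same handle creation can find them. */
struct fte {
    struct rule *children[MAX_RULES];
    int nchildren;
};

struct handle {
    struct rule *rule[MAX_RULES];
    int nrules;
};

/* Look for an already-existing identical rule under the FTE. */
static struct rule *find_rule(struct fte *fte, int dest_id)
{
    for (int i = 0; i < fte->nchildren; i++)
        if (fte->children[i]->dest_id == dest_id)
            return fte->children[i];
    return NULL;
}

/* create_flow_handle: per destination, reference an identical existing
 * rule if there is one, otherwise create a new rule with refcount 1. */
static void create_flow_handle(struct fte *fte, struct handle *h,
                               const int *dests, int ndests,
                               struct rule *pool)
{
    h->nrules = 0;
    for (int i = 0; i < ndests; i++) {
        struct rule *r = find_rule(fte, dests[i]);
        if (r) {
            r->refcount++;                        /* reuse, take a reference */
        } else {
            r = &pool[i];
            r->dest_id = dests[i];
            r->refcount = 1;
            r->parent = NULL;
            fte->children[fte->nchildren++] = r;  /* visible to later lookups */
        }
        h->rule[h->nrules++] = r;
    }
}

/* Pre-patch behaviour: only rules with refcount == 1 are linked (given a parent). */
static void add_rule_fg_buggy(struct fte *fte, struct handle *h)
{
    for (int i = 0; i < h->nrules; i++)
        if (h->rule[i]->refcount == 1)
            h->rule[i]->parent = fte;
}

/* Patched behaviour: every rule that still has no parent is linked. */
static void add_rule_fg_fixed(struct fte *fte, struct handle *h)
{
    for (int i = 0; i < h->nrules; i++)
        if (!h->rule[i]->parent)
            h->rule[i]->parent = fte;
}

/* Deleting the flow group walks every child; the real del_sw_hw_rule
 * assumes parent != NULL. Here we count the rules that would have
 * crashed it instead of dereferencing the NULL parent. */
static int delete_flow_group(struct fte *fte)
{
    int unlinked = 0;
    for (int i = 0; i < fte->nchildren; i++)
        if (!fte->children[i]->parent)
            unlinked++;
    fte->nchildren = 0;
    return unlinked;
}

/* Scenario from the description: one handle whose two destinations compare
 * as identical (the duplicate pkt_reformat id case). Returns the number of
 * rules that reach deletion without a parent. */
static int run_scenario(bool fixed)
{
    struct fte fte = { .nchildren = 0 };
    struct handle h;
    struct rule pool[MAX_RULES] = {0};
    int dests[2] = { 7, 7 };  /* constructed: two dests with the same id */

    create_flow_handle(&fte, &h, dests, 2, pool);
    if (fixed)
        add_rule_fg_fixed(&fte, &h);
    else
        add_rule_fg_buggy(&fte, &h);
    return delete_flow_group(&fte);
}

int main(void)
{
    printf("buggy add_rule_fg: %d unlinked rule(s) at deletion\n", run_scenario(false));
    printf("fixed add_rule_fg: %d unlinked rule(s) at deletion\n", run_scenario(true));
    return 0;
}
```

With the refcount-based check, the second destination finds the rule the first destination just created, bumps it to refcount 2, and the rule is never linked, so deletion meets a NULL parent. Keying the link step on "has no parent yet" rather than on the refcount links the rule exactly once regardless of how many references the same handle took.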
References:
- Patch 1
- Patch 2
- Patch 3
- Patch 4
- Patch 5
- Patch 6
- Patch 7
- Patch 8
- Debian LTS Announcement 1
- Debian LTS Announcement 2
Conclusion: CVE-2024-35960 is a critical vulnerability in the Linux kernel that requires immediate attention. Organizations should prioritize applying the necessary patches and implementing mitigation strategies to protect against potential exploitation. The high CVSS score underscores the urgency of addressing this issue to maintain system stability and security.