CVE-2024-47685
Weakness (CWE)
CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: High
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1)

Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put()

BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5661 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
process_backlog+0x4ad/0xa50 net/core/dev.c:6108
__napi_poll+0xe7/0x980 net/core/dev.c:6772
napi_poll net/core/dev.c:6841 [inline]
net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
__do_softirq+0x14/0x1a kernel/softirq.c:588
do_softirq+0x9a/0x100 kernel/softirq.c:455
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
__dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
dev_queue_xmit include/linux/netdevice.h:3105 [inline]
neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
__tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
__inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
__sys_connect_file net/socket.c:2061 [inline]
__sys_connect+0x606/0x690 net/socket.c:2078
__do_sys_connect net/socket.c:2088 [inline]
__se_sys_connect net/socket.c:2085 [inline]
__x64_sys_connect+0x91/0xe0 net/socket.c:2085
x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core ---truncated---
Comprehensive Technical Analysis of CVE-2024-47685
1. Vulnerability Assessment and Severity Evaluation
CVE-2024-47685 is a vulnerability in the Linux kernel's netfilter subsystem, specifically in the nf_reject_ip6_tcphdr_put() function, which builds the TCP header of the RST packet sent when an IPv6 connection is rejected. The header was written into skb space that had not been cleared, so the four reserved TCP bits (th->res1) could carry uninitialized kernel memory onto the wire. Sending uninitialized data is both an information-disclosure risk and a source of unpredictable behavior.
Severity Evaluation:
- CVSS Score: 9.1
- Impact: High
- Exploitability: Medium to High
The high CVSS score indicates a critical vulnerability that could be exploited to compromise the confidentiality and availability of affected systems, consistent with the CVSS vector above (Confidentiality: High, Integrity: None, Availability: High).
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Network-Based Attacks: An attacker could craft malicious IPv6 packets designed to trigger the vulnerability in the nf_reject_ip6_tcphdr_put() function.
- Denial of Service (DoS): Exploiting this vulnerability could lead to system crashes or unresponsiveness, effectively causing a DoS condition.
- Information Leakage: The uninitialized data in the TCP header could potentially leak sensitive information, although this is less likely given the nature of the data.
Exploitation Methods:
- Crafted Packets: Attackers can use tools like Scapy or custom scripts to generate specially crafted IPv6 packets that exploit the vulnerability.
- Automated Exploits: Once the vulnerability is widely known, automated exploit scripts could be developed and distributed, increasing the risk of widespread attacks.
3. Affected Systems and Software Versions
Affected Systems:
- Linux kernel versions prior to the patch release.
- Systems running IPv6 and utilizing netfilter for packet filtering.
Software Versions:
- Specific kernel versions affected can be identified by reviewing the patch references provided. It is crucial to check the kernel version against the published patches to determine vulnerability status.
4. Recommended Mitigation Strategies
Immediate Actions:
- Apply Patches: Upgrade to the latest kernel version that includes the fix for CVE-2024-47685.
- Temporary Workarounds: If immediate patching is not possible, consider disabling IPv6 or applying firewall rules to limit exposure.
Long-Term Strategies:
- Regular Updates: Ensure that systems are regularly updated with the latest security patches.
- Network Monitoring: Implement robust network monitoring to detect and respond to unusual IPv6 traffic patterns.
- Intrusion Detection Systems (IDS): Deploy IDS to identify and alert on potential exploitation attempts.
5. Impact on Cybersecurity Landscape
Immediate Impact:
- Increased Risk: Systems running vulnerable kernel versions are at increased risk of DoS attacks and potential information leakage.
- Exploit Development: The public disclosure of this vulnerability may lead to the rapid development of exploits, increasing the urgency for patching.
Long-Term Impact:
- Enhanced Security Practices: This vulnerability highlights the importance of regular patching and proactive security measures.
- Kernel Hardening: Future kernel development may focus on hardening against similar vulnerabilities, improving overall security.
6. Technical Details for Security Professionals
Vulnerability Details:
- Function Affected: nf_reject_ip6_tcphdr_put()
- Issue: Uninitialized data in the reserved TCP bits (th->res1) during IPv6 packet rejection.
- Fix: Use skb_put_zero() to clear the entire TCP header, similar to the approach in nf_reject_ip_tcphdr_put().
Code Analysis:
- Bug Report: KMSAN reported an uninitialized value in nf_reject_ip6_tcphdr_put().
- Patch: The patch modifies the function to ensure the TCP header is properly zeroed out, preventing the transmission of uninitialized data.
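The difference between the buggy and the fixed allocation, as an added userspace model that is not the kernel's code: skb_put_model() reserves header space without clearing it, as skb_put() does, while skb_put_zero_model() zeroes it first; fill_rst() then assigns every field the RST builder sets, which leaves res1 untouched. The tcphdr_model and skb_model types and the 0xff stale contents are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-in for struct tcphdr (not the kernel definition):
 * res1 shares a 16-bit word with doff and the flag bits. */
struct tcphdr_model {
    uint16_t source, dest;
    uint32_t seq, ack_seq;
    uint16_t res1:4, doff:4, fin:1, syn:1, rst:1, psh:1, ack:1, urg:1, ece:1, cwr:1;
    uint16_t window, check, urg_ptr;
};

/* Stand-in for an skb whose data area already holds stale bytes at the tail. */
struct skb_model { uint8_t data[64]; size_t len; };

/* Like skb_put(): reserves room at the tail without clearing it. */
static void *skb_put_model(struct skb_model *skb, size_t n) {
    void *p = skb->data + skb->len; skb->len += n; return p;
}
/* Like skb_put_zero(): same, but the new room is zeroed first. */
static void *skb_put_zero_model(struct skb_model *skb, size_t n) {
    void *p = skb_put_model(skb, n); memset(p, 0, n); return p;
}

/* Mirrors the RST builder's field writes: every field except res1 is assigned. */
static void fill_rst(struct tcphdr_model *th) {
    th->source = 80; th->dest = 40000; th->seq = 0; th->ack_seq = 1;
    th->doff = (uint16_t)(sizeof(*th) / 4); th->rst = 1; th->ack = 1;
    th->window = 0; th->check = 0; th->urg_ptr = 0;
}

/* Builds a header with the given put routine and returns what lands in res1. */
static unsigned res1_after_build(void *(*put)(struct skb_model *, size_t)) {
    struct skb_model skb = { .len = 0 };
    memset(skb.data, 0xff, sizeof skb.data);  /* constructed stale contents */
    struct tcphdr_model *th = put(&skb, sizeof(struct tcphdr_model));
    fill_rst(th);
    return th->res1;
}

unsigned res1_with_skb_put(void)      { return res1_after_build(skb_put_model); }
unsigned res1_with_skb_put_zero(void) { return res1_after_build(skb_put_zero_model); }

int main(void) {
    printf("skb_put:      res1 = 0x%x (stale bits leak)\n", res1_with_skb_put());
    printf("skb_put_zero: res1 = 0x%x (cleared)\n", res1_with_skb_put_zero());
    return 0;
}
```

With the skb_put() pattern the stale 0xf survives in res1 because no field write touches those four bits; the skb_put_zero() pattern yields 0 regardless of what the skb tail held before.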
Conclusion: CVE-2024-47685 represents a significant vulnerability in the Linux kernel's netfilter subsystem, particularly affecting IPv6 packet handling. Immediate patching and proactive security measures are essential to mitigate the risks associated with this vulnerability. Security professionals should prioritize updating affected systems and implementing robust monitoring and detection mechanisms to safeguard against potential exploitation.