{ "threat_severity" : "Moderate", "public_date" : "2024-05-01T00:00:00Z", "bugzilla" : { "description" : "kernel: TCP-spoofed ghost ACKs and leak leak initial sequence number", "id" : "2258875", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2258875" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntcp: do not accept ACK of bytes we never sent\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\nACK seq validation is currently following RFC 5961 5.2 guidelines:\nThe ACK value is considered acceptable only if\nit is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\nSND.NXT). All incoming segments whose ACK value doesn't satisfy the\nabove condition MUST be discarded and an ACK sent back. It needs to\nbe noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\nduplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\nacknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\nACK, drop the segment, and return\". The \"ignored\" above implies that\nthe processing of the incoming data segment continues, which means\nthe ACK value is treated as acceptable. This mitigation makes the\nACK check more stringent since any ACK < SND.UNA wouldn't be\naccepted, instead only ACKs that are in the range ((SND.UNA -\nMAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\nThis greatly improves TCP security at a little cost.\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\ntp->bytes_acked was added in linux-4.2\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n// ---------------- Handshake ------------------- //\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n+0 < S 0:0(0) win 65535 \n+0 > S. 0:0(0) ack 1 <...>\n+0 < . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n// Oops, old kernels happily accept this packet.\n+0 < . 1:1001(1000) ack 3221241997 win 65535\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 > . 1:1(0) ack 1001", "A flaw was found in the Linux kernel. Two TCP spoofing primitives exist where an attacker can brute force the server-chosen send window by acknowledging data that was never sent, called \"ghost ACKs.\" There are side channels that also allow the attacker to leak the otherwise secret server-chosen initial sequence number (ISN). One of these side channels leverages TCP SYN cookies." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-07-08T00:00:00Z", "advisory" : "RHSA-2024:4352", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-07-02T00:00:00Z", "advisory" : "RHSA-2024:4211", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.8.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2024-08-13T00:00:00Z", "advisory" : "RHSA-2024:5281", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.118.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2024-08-13T00:00:00Z", "advisory" : "RHSA-2024:5281", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.118.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2024-08-13T00:00:00Z", "advisory" : "RHSA-2024:5281", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.118.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2024-09-03T00:00:00Z", "advisory" : "RHSA-2024:6206", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kernel-0:4.18.0-477.70.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-12-04T00:00:00Z", "advisory" : "RHSA-2024:10772", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.95.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-12-04T00:00:00Z", "advisory" : "RHSA-2024:10773", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.95.1.rt14.380.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-52881\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52881\nhttps://lore.kernel.org/all/20231205161841.2702925-1-edumazet@google.com/\nhttps://lore.kernel.org/linux-cve-announce/2024052941-CVE-2023-52881-4283@gregkh/T/#u" ], "name" : "CVE-2023-52881", "csaw" : false }