CVE-2023-52628

Public on 2024-03-28
Modified on 2024-04-16
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: exthdr: fix 4-byte stack OOB write

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).
Severity
Important severity
Important
CVSS v3 Base Score
7.0
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 kernel 2024-05-09 ALAS-2024-1937 Fixed
Amazon Linux 2 - Core kernel 2024-05-09 ALAS2-2024-2542 Fixed
Amazon Linux 2 - Kernel-5.10 Extra kernel 2023-10-31 ALAS2KERNEL-5.10-2023-042 Fixed
Amazon Linux 2 - Kernel-5.15 Extra kernel 2023-09-27 ALAS2KERNEL-5.15-2023-027 Fixed
Amazon Linux 2 - Kernel-5.4 Extra kernel 2024-05-23 ALAS2KERNEL-5.4-2024-069 Fixed
Amazon Linux 2023 kernel 2023-09-27 ALAS2023-2023-356 Fixed
Amazon Linux 2 - Livepatch Extra kernel-livepatch-4.14.336-257.562 2024-06-06 ALAS2LIVEPATCH-2024-170 Fixed
Amazon Linux 2 - Livepatch Extra kernel-livepatch-4.14.336-257.566 2024-06-06 ALAS2LIVEPATCH-2024-171 Fixed
Amazon Linux 2 - Livepatch Extra kernel-livepatch-4.14.336-257.568 2024-06-06 ALAS2LIVEPATCH-2024-172 Fixed
Amazon Linux 2 - Livepatch Extra kernel-livepatch-4.14.343-259.562 2024-06-19 ALAS2LIVEPATCH-2024-173 Fixed
Amazon Linux 2 - Livepatch Extra kernel-livepatch-4.14.343-260.564 2024-06-19 ALAS2LIVEPATCH-2024-174 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2023-52628 Mitre: CVE-2023-52628