CVE-2024-27418 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: net: mctp: take ownership of skb in mctp_local_output Currently, mctp_local_output only takes ownership of skb on success, and we may leak an skb if mctp_local_output fails in specific states; the skb ownership isn't transferred until the actual output routing occurs. Instead, make mctp_local_output free the skb on all error paths up to the route action, so it always consumes the passed skb.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3
https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd
https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b
https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68
https://lore.kernel.org/linux-cve-announce/2024051703-CVE-2024-27418-3cda@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-27418
https://www.cve.org/CVERecord?id=CVE-2024-27418

History

Thu, 19 Sep 2024 10:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131

Thu, 12 Sep 2024 08:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-17T11:51:11.270Z

Updated: 2024-09-11T17:33:24.616Z

Reserved: 2024-02-25T13:47:42.683Z

Link: CVE-2024-27418

Vulnrichment

Updated: 2024-08-02T00:34:52.204Z

NVD

Status : Awaiting Analysis

Published: 2024-05-17T12:15:13.520

Modified: 2024-05-17T18:35:35.070

Link: CVE-2024-27418

Redhat

Severity : Moderate

Publid Date: 2024-05-17T00:00:00Z

Links: CVE-2024-27418 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27418", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-25T13:47:42.683Z", "datePublished": "2024-05-17T11:51:11.270Z", "dateUpdated": "2024-09-11T17:33:24.616Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:28:45.365Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/mctp.h", "net/mctp/route.c"], "versions": [{"version": "833ef3b91de6", "lessThan": "a3c8fa54e904", "status": "affected", "versionType": "git"}, {"version": "833ef3b91de6", "lessThan": "cbebc55ceace", "status": "affected", "versionType": "git"}, {"version": "833ef3b91de6", "lessThan": "a639441c880a", "status": "affected", "versionType": "git"}, {"version": "833ef3b91de6", "lessThan": "3773d65ae515", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/mctp.h", "net/mctp/route.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.81", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.21", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.7.9", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd"}, {"url": "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68"}, {"url": "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b"}, {"url": "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3"}], "title": "net: mctp: take ownership of skb in mctp_local_output", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:34:52.204Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27418", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:43:03.788972Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:24.616Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:34:52.204Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27418", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:43:03.788972Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:16.549Z"}}], "cna": {"title": "net: mctp: take ownership of skb in mctp_local_output", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "833ef3b91de6", "lessThan": "a3c8fa54e904", "versionType": "git"}, {"status": "affected", "version": "833ef3b91de6", "lessThan": "cbebc55ceace", "versionType": "git"}, {"status": "affected", "version": "833ef3b91de6", "lessThan": "a639441c880a", "versionType": "git"}, {"status": "affected", "version": "833ef3b91de6", "lessThan": "3773d65ae515", "versionType": "git"}], "programFiles": ["include/net/mctp.h", "net/mctp/route.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.15"}, {"status": "unaffected", "version": "0", "lessThan": "5.15", "versionType": "custom"}, {"status": "unaffected", "version": "6.1.81", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.21", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.9", "versionType": "custom", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/net/mctp.h", "net/mctp/route.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd"}, {"url": "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68"}, {"url": "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b"}, {"url": "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:28:45.365Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27418", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:33:24.616Z", "dateReserved": "2024-02-25T13:47:42.683Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-17T11:51:11.270Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"bugzilla": {"description": "kernel: net: mctp: take ownership of skb in mctp_local_output", "id": "2281095", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281095"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: mctp: take ownership of skb in mctp_local_output\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb.", "A vulnerability was found in the Linux kernel's Management Component Transport Protocol (MCTP) networking subsystem. This issue occurs in `mctp_local_output`, where improper handling of the socket buffer (`skb`) could lead to security vulnerabilities."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-27418", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-27418\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-27418\nhttps://lore.kernel.org/linux-cve-announce/2024051703-CVE-2024-27418-3cda@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.1.81, kernel 6.6.21, kernel 6.7.9, kernel 6.8"}