{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47678", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-09-30T16:00:12.939Z", "datePublished": "2024-10-21T11:53:21.814Z", "dateUpdated": "2024-12-19T09:25:44.135Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:25:44.135Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: change the order of rate limits\n\nICMP messages are ratelimited :\n\nAfter the blamed commits, the two rate limiters are applied in this order:\n\n1) host wide ratelimit (icmp_global_allow())\n\n2) Per destination ratelimit (inetpeer based)\n\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\n\nThis patch makes the following change :\n\n1) icmp_global_allow() checks if the host wide limit is reached.\n   But credits are not yet consumed. This is deferred to 3)\n\n2) The per destination limit is checked/updated.\n   This might add a new node in inetpeer tree.\n\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\n\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\n\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/ip.h", "net/ipv4/icmp.c", "net/ipv6/icmp.c"], "versions": [{"version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "997ba8889611891f91e8ad83583466aeab6239a3", "status": "affected", "versionType": "git"}, {"version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "662ec52260cc07b9ae53ecd3925183c29d34288b", "status": "affected", "versionType": "git"}, {"version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "a7722921adb046e3836eb84372241f32584bdb07", "status": "affected", "versionType": "git"}, {"version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "483397b4ba280813e4a9c161a0a85172ddb43d19", "status": "affected", "versionType": "git"}, {"version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "8c2bd38b95f75f3d2a08c93e35303e26d480d24e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/ip.h", "net/ipv4/icmp.c", "net/ipv6/icmp.c"], "versions": [{"version": "3.18", "status": "affected"}, {"version": "0", "lessThan": "3.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.113", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.54", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.13", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.2", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3"}, {"url": "https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b"}, {"url": "https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07"}, {"url": "https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19"}, {"url": "https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e"}], "title": "icmp: change the order of rate limits", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47678", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-21T13:07:41.965400Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T13:14:17.106Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47678", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-21T13:07:41.965400Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T13:07:45.359Z"}}], "cna": {"title": "icmp: change the order of rate limits", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "997ba8889611891f91e8ad83583466aeab6239a3", "versionType": "git"}, {"status": "affected", "version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "662ec52260cc07b9ae53ecd3925183c29d34288b", "versionType": "git"}, {"status": "affected", "version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "a7722921adb046e3836eb84372241f32584bdb07", "versionType": "git"}, {"status": "affected", "version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "483397b4ba280813e4a9c161a0a85172ddb43d19", "versionType": "git"}, {"status": "affected", "version": "4cdf507d54525842dfd9f6313fdafba039084046", "lessThan": "8c2bd38b95f75f3d2a08c93e35303e26d480d24e", "versionType": "git"}], "programFiles": ["include/net/ip.h", "net/ipv4/icmp.c", "net/ipv6/icmp.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3.18"}, {"status": "unaffected", "version": "0", "lessThan": "3.18", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.113", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.54", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.13", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11.2", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/net/ip.h", "net/ipv4/icmp.c", "net/ipv6/icmp.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3"}, {"url": "https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b"}, {"url": "https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07"}, {"url": "https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19"}, {"url": "https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: change the order of rate limits\n\nICMP messages are ratelimited :\n\nAfter the blamed commits, the two rate limiters are applied in this order:\n\n1) host wide ratelimit (icmp_global_allow())\n\n2) Per destination ratelimit (inetpeer based)\n\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\n\nThis patch makes the following change :\n\n1) icmp_global_allow() checks if the host wide limit is reached.\n   But credits are not yet consumed. This is deferred to 3)\n\n2) The per destination limit is checked/updated.\n   This might add a new node in inetpeer tree.\n\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\n\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\n\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:25:44.135Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47678", "state": "PUBLISHED", "dateUpdated": "2024-12-19T09:25:44.135Z", "dateReserved": "2024-09-30T16:00:12.939Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-10-21T11:53:21.814Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FBD751AA-4593-4525-B2FB-57EAC7F81608", "versionEndExcluding": "6.1.113", "versionStartIncluding": "3.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D448821D-C085-4CAF-88FA-2DDE7BE21976", "versionEndExcluding": "6.6.54", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE", "versionEndExcluding": "6.10.13", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181", "versionEndExcluding": "6.11.2", "versionStartIncluding": "6.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: change the order of rate limits\n\nICMP messages are ratelimited :\n\nAfter the blamed commits, the two rate limiters are applied in this order:\n\n1) host wide ratelimit (icmp_global_allow())\n\n2) Per destination ratelimit (inetpeer based)\n\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\n\nThis patch makes the following change :\n\n1) icmp_global_allow() checks if the host wide limit is reached.\n   But credits are not yet consumed. This is deferred to 3)\n\n2) The per destination limit is checked/updated.\n   This might add a new node in inetpeer tree.\n\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\n\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\n\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: icmp: cambia el orden de los l\u00edmites de velocidad Los mensajes ICMP est\u00e1n limitados por velocidad: despu\u00e9s de las confirmaciones culpables, se aplican los dos limitadores de velocidad en este orden: 1) l\u00edmite de velocidad de todo el host (icmp_global_allow()) 2) l\u00edmite de velocidad por destino (basado en inetpeer) Para evitar ataques de canales secundarios, primero debemos aplicar la comprobaci\u00f3n por destino. Este parche realiza el siguiente cambio: 1) icmp_global_allow() comprueba si se ha alcanzado el l\u00edmite de todo el host. Pero a\u00fan no se han consumido los cr\u00e9ditos. Esto se pospone a 3) 2) Se comprueba/actualiza el l\u00edmite por destino. Esto podr\u00eda agregar un nuevo nodo en el \u00e1rbol inetpeer. 3) icmp_global_consume() consume tokens si las operaciones anteriores tuvieron \u00e9xito. Esto significa que el l\u00edmite de velocidad de todo el host sigue siendo eficaz para mantener peque\u00f1o el \u00e1rbol inetpeer incluso bajo DDOS. Como beneficio adicional, elimin\u00e9 icmp_global.lock ya que la ruta r\u00e1pida puede usar una operaci\u00f3n sin bloqueo."}], "id": "CVE-2024-47678", "lastModified": "2024-10-23T17:58:08.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T12:15:04.837", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: icmp: change the order of rate limits", "id": "2320212", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320212"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-203", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nicmp: change the order of rate limits\nICMP messages are ratelimited :\nAfter the blamed commits, the two rate limiters are applied in this order:\n1) host wide ratelimit (icmp_global_allow())\n2) Per destination ratelimit (inetpeer based)\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\nThis patch makes the following change :\n1) icmp_global_allow() checks if the host wide limit is reached.\nBut credits are not yet consumed. This is deferred to 3)\n2) The per destination limit is checked/updated.\nThis might add a new node in inetpeer tree.\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation.", "A flaw was found in the Linux kernel related to the order of rate limits for ICMP messages. The sequence in which rate limiters are applied potentially allows a side-channel attack, resulting in information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-47678", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47678\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47678\nhttps://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47678-0b1b@gregkh/T"], "threat_severity": "Moderate"}