CVE-2024-49940

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-49940
In the Linux kernel, the following vulnerability has been resolved: l2tp: prevent possible tunnel refcount underflow When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tp_session_free drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tp_session_create, before the tunnel refcount is incremented by l2tp_session_register, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped. Moving the assignment to l2tp_session_register is trivial but l2tp_session_create calls l2tp_session_set_header_len which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tp_session_set_header_len to avoid using session->tunnel. If l2tpv3 sessions have colliding IDs, it is possible for l2tp_v3_session_get to race with l2tp_session_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case.

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950 Patch
https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02 Patch
Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
History

13 Nov 2024, 13:26

Type Values Removed Values Added
CWE NVD-CWE-noinfo
First Time Linux linux Kernel
Linux
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950 - () https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950 - Patch
References () https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02 - () https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02 - Patch

23 Oct 2024, 15:13

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: l2tp: evitar un posible desbordamiento del recuento de referencias del túnel Cuando se crea una sesión, establece un puntero hacia atrás a su túnel. Cuando el recuento de referencias de la sesión cae a 0, l2tp_session_free descarta el recuento de referencias del túnel si session->tunnel no es NULL. Sin embargo, session->tunnel se establece en l2tp_session_create, antes de que el recuento de referencias del túnel se incremente mediante l2tp_session_register, lo que deja una pequeña ventana donde session->tunnel no es NULL cuando el recuento de referencias del túnel no se ha incrementado. Mover la asignación a l2tp_session_register es trivial, pero l2tp_session_create llama a l2tp_session_set_header_len, que usa session->tunnel para obtener el encap del túnel. Agregue un argumento de encap a l2tp_session_set_header_len para evitar usar session->tunnel. Si las sesiones l2tpv3 tienen identificadores en conflicto, es posible que l2tp_v3_session_get compita con l2tp_session_register y obtenga una sesión que aún no tenga configurado session->tunnel. Agregue una verificación para este caso.

21 Oct 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-21 18:15

Updated : 2024-11-13 13:26

NVD link : CVE-2024-49940

Mitre link : CVE-2024-49940

CVE.ORG link : CVE-2024-49940

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
NVD-CWE-noinfo

NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024