CVE-2023-52881

Updated:

Description:

In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian Rossow. ACK seq validation is currently following RFC 5961 5.2 guidelines: The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. It needs to be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return". The "ignored" above implies that the processing of the incoming data segment continues, which means the ACK value is treated as acceptable. This mitigation makes the ACK check more stringent since any ACK < SND.UNA wouldn't be accepted, instead only ACKs that are in the range ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through. This can be refined for new (and possibly spoofed) flows, by not accepting ACK for bytes that were never sent. This greatly improves TCP security at a little cost. I added a Fixes: tag to make sure this patch will reach stable trees, even if the 'blamed' patch was adhering to the RFC. tp->bytes_acked was added in linux-4.2 Following packetdrill test (courtesy of Yepeng Pan) shows the issue at hand: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1024) = 0 // ---------------- Handshake ------------------- // // when window scale is set to 14 the window size can be extended to // 65535 * (2^14) = 1073725440. Linux would accept an ACK packet // with ack number in (Server_ISN+1-1073725440. Server_ISN+1) // ,though this ack number acknowledges some data never // sent by the server. +0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14> +0 > S. 0:0(0) ack 1 <...> +0 < . 1:1(0) ack 1 win 65535 +0 accept(3, ..., ...) = 4 // For the established connection, we send an ACK packet, // the ack packet uses ack number 1 - 1073725300 + 2^32, // where 2^32 is used to wrap around. // Note: we used 1073725300 instead of 1073725440 to avoid possible // edge cases. // 1 - 1073725300 + 2^32 = 3221241997 // Oops, old kernels happily accept this packet. +0 < . 1:1001(1000) ack 3221241997 win 65535 // After the kernel fix the following will be replaced by a challenge ACK, // and prior malicious frame would be dropped. +0 > . 1:1(0) ack 1001

CVSS3: 5.9


Vendor State

OS Vendor version Errata
Oracle Linux 6 UEK 4 4.1.12-124.89.4.el6uek ELSA-2024-12606
Oracle Linux 7 UEK 4 4.1.12-124.89.4.el7uek ELSA-2024-12606
RHEL 8 4.18.0-553.8.1.el8_10 RHSA-2024:4211
Oracle Linux 8 4.18.0-553.8.1.el8_10 ELSA-2024-4211
AlmaLinux 8 4.18.0-553.8.1.el8_10 ALSA-2024:4211
Rocky Linux 8 4.18.0-553.8.1.el8_10 RLSA-2024:4211
Amazon Linux 2 5.4 5.4.265-176.364.amzn2 ALASKERNEL-5.4-2024-057
Amazon Linux 2 5.10 5.10.205-195.804.amzn2 ALASKERNEL-5.10-2024-045
RHEL8 EUS 8.6 4.18.0-372.118.1.el8_6 RHSA-2024:5281

KernelCare State

OS Original kernel version State
Oracle Linux 6 UEK 4
Planned
Oracle Linux 7 UEK 4
Planned
RHEL 8
4.18.0-147.el8 show all hide all
4.18.0-80.11.1.el8_0 4.18.0-80.4.2.el8_0 4.18.0-80.11.2.el8_0 4.18.0-80.7.2.el8_0 4.18.0-80.7.1.el8_0 4.18.0-147.0.2.el8_1 4.18.0-80.1.2.el8_0 4.18.0-147.0.3.el8_1 4.18.0-80.el8 4.18.0-147.5.1.el8_1 4.18.0-147.3.1.el8_1 4.18.0-147.8.1.el8_1 4.18.0-193.el8 4.18.0-193.1.2.el8_2 4.18.0-193.6.3.el8_2 4.18.0-193.13.2.el8_2 4.18.0-193.14.3.el8_2 4.18.0-193.19.1.el8_2 4.18.0-193.28.1.el8_2 4.18.0-240.el8 4.18.0-240.1.1.el8_3 4.18.0-240.8.1.el8_3 4.18.0-240.10.1.el8_3 4.18.0-240.15.1.el8_3 4.18.0-240.22.1.el8_3 4.18.0-305.el8 4.18.0-304.el8 4.18.0-305.3.1.el8_4 4.18.0-305.7.1.el8_4 4.18.0-305.10.2.el8_4 4.18.0-305.12.1.el8_4 4.18.0-305.17.1.el8_4 4.18.0-305.19.1.el8_4 4.18.0-305.25.1.el8_4 4.18.0-348.el8 4.18.0-348.2.1.el8_5 4.18.0-348.7.1.el8_5 4.18.0-348.12.2.el8_5 4.18.0-348.20.1.el8_5 4.18.0-372.9.1.el8 4.18.0-348.23.1.el8_5 4.18.0-372.13.1.el8_6 4.18.0-372.16.1.el8_6 4.18.0-372.19.1.el8_6 4.18.0-372.26.1.el8_6 4.18.0-372.32.1.el8_6 4.18.0-425.3.1.el8 4.18.0-425.10.1.el8_7 4.18.0-425.13.1.el8_7 4.18.0-425.19.2.el8_7 4.18.0-477.10.1.el8_8 4.18.0-477.13.1.el8_8 4.18.0-477.15.1.el8_8 4.18.0-477.21.1.el8_8 4.18.0-477.27.1.el8_8 4.18.0-513.5.1.el8_9 4.18.0-513.9.1.el8_9 4.18.0-513.11.1.el8_9 4.18.0-513.18.1.el8_9 4.18.0-513.24.1.el8_9 4.18.0-553.el8_10 4.18.0-553.5.1.el8_10
Released
Oracle Linux 8
4.18.0-147.el8 show all hide all
4.18.0-80.11.1.el8_0 4.18.0-80.4.2.el8_0 4.18.0-147.5.1.el8_1 4.18.0-80.11.2.el8_0 4.18.0-80.7.2.el8_0 4.18.0-80.7.1.el8_0 4.18.0-147.0.2.el8_1 4.18.0-80.1.2.el8_0 4.18.0-147.0.3.el8_1 4.18.0-147.3.1.el8_1 4.18.0-80.el8 4.18.0-147.8.1.el8_1 4.18.0-193.1.2.el8_2 4.18.0-193.el8 4.18.0-193.6.3.el8_2 4.18.0-193.13.2.el8_2 4.18.0-193.14.3.el8_2 4.18.0-193.19.1.el8_2 4.18.0-193.28.1.el8_2 4.18.0-240.el8 4.18.0-240.1.1.el8_3 4.18.0-240.8.1.el8_3 4.18.0-240.10.1.el8_3 4.18.0-240.15.1.el8_3 4.18.0-240.22.1.el8_3 4.18.0-305.el8 4.18.0-305.3.1.el8_4 4.18.0-305.7.1.el8_4 4.18.0-305.10.2.el8_4 4.18.0-305.12.1.el8_4 4.18.0-305.17.1.el8_4 4.18.0-305.19.1.el8_4 4.18.0-305.25.1.el8_4 4.18.0-348.el8 4.18.0-348.2.1.el8_5 4.18.0-348.7.1.el8_5 4.18.0-348.12.2.el8_5 4.18.0-348.20.1.el8_5 4.18.0-348.23.1.el8_5 4.18.0-372.9.1.el8 4.18.0-372.13.1.0.1.el8_6 4.18.0-372.16.1.0.1.el8_6 4.18.0-372.19.1.0.1.el8_6 4.18.0-372.26.1.0.1.el8_6 4.18.0-372.32.1.0.1.el8_6 4.18.0-425.3.1.el8 4.18.0-425.10.1.el8_7 4.18.0-425.13.1.el8_7 4.18.0-425.19.2.el8_7 4.18.0-477.10.1.el8_8 4.18.0-477.13.1.el8_8 4.18.0-477.15.1.el8_8 4.18.0-477.21.1.el8_8 4.18.0-477.27.0.1.el8_8 4.18.0-477.27.1.el8_8 4.18.0-513.5.1.el8_9 4.18.0-513.9.1.el8_9 4.18.0-513.11.0.1.el8_9 4.18.0-513.18.0.1.el8_9 4.18.0-513.18.0.2.el8_9 4.18.0-513.18.1.el8_9 4.18.0-513.18.1.0.1.el8_9 4.18.0-513.24.1.el8_9 4.18.0-553.el8_10 4.18.0-553.5.1.el8_10
Released
CloudLinux OS 8
4.18.0-147.3.1.el8.lve.1 show all hide all
4.18.0-147.8.1.el8.lve 4.18.0-147.0.3.lve.el8 4.18.0-147.8.1.el8.lve.1 4.18.0-193.28.1.lve1.el8 4.18.0-305.lve.el8 4.18.0-305.7.1.lve.el8 4.18.0-305.10.2.lve.el8 4.18.0-305.10.2.2.lve.el8 4.18.0-305.12.1.lve.el8 4.18.0-305.17.1.lve.el8 4.18.0-305.19.1.lve.el8 4.18.0-348.lve.el8 4.18.0-348.7.1.lve.el8 4.18.0-348.12.2.lve.el8 4.18.0-348.20.1.lve.1.el8 4.18.0-348.20.1.lve.el8 4.18.0-348.23.1.lve.el8 4.18.0-372.9.1.1.lve.el8 4.18.0-372.16.1.lve.el8 4.18.0-372.9.1.lve.el8 4.18.0-372.19.1.lve.el8 4.18.0-372.13.1.lve.el8 4.18.0-372.26.1.lve.1.el8 4.18.0-372.32.1.lve.el8 4.18.0-425.3.1.lve.1.el8 4.18.0-425.3.1.lve.el8 4.18.0-425.3.1.lve.2.el8 4.18.0-425.3.1.lve.3.el8 4.18.0-425.10.1.lve.el8 4.18.0-425.13.1.lve.el8 4.18.0-425.19.2.lve.el8 4.18.0-477.10.1.lve.el8 4.18.0-477.13.1.lve.el8 4.18.0-477.15.1.lve.2.el8 4.18.0-477.13.1.lve.1.el8 4.18.0-477.21.1.lve.el8 4.18.0-477.21.1.lve.1.el8 4.18.0-477.27.1.lve.el8 4.18.0-477.27.2.lve.el8 4.18.0-513.5.1.lve.el8 4.18.0-513.9.1.lve.el8 4.18.0-513.11.1.lve.el8 4.18.0-513.18.1.lve.el8 4.18.0-513.18.1.lve.2.el8 4.18.0-513.18.1.lve.1.el8 4.18.0-513.24.1.lve.el8 4.18.0-513.24.1.lve.1.el8 4.18.0-553.lve.el8 4.18.0-513.24.1.lve.2.el8 4.18.0-553.5.1.lve.el8 4.18.0-544.lve.el8 4.18.0-553.5.1.lve.1.el8
Released
CloudLinux OS 7h
4.18.0-147.0.3.el7h.lve show all hide all
4.18.0-147.0.3.el7h 4.18.0-147.3.1.el7h.lve.1 4.18.0-147.8.1.el7h.lve 4.18.0-80.7.2.el7h 4.18.0-147.8.1.el7h.lve.1 4.18.0-193.28.1.lve1.el7h 4.18.0-305.lve.el7h 4.18.0-305.7.1.lve.el7h 4.18.0-305.10.2.lve.el7h 4.18.0-305.10.2.2.lve.el7h 4.18.0-305.12.1.lve.el7h 4.18.0-305.17.1.lve.el7h 4.18.0-305.19.1.lve.el7h 4.18.0-348.7.1.lve.el7h 4.18.0-348.12.2.lve.el7h 4.18.0-348.lve.el7h 4.18.0-348.12.2.lve.1.el7h 4.18.0-348.12.2.lve.2.el7h 4.18.0-348.20.1.lve.el7h 4.18.0-348.20.1.lve.1.el7h 4.18.0-348.23.1.lve.el7h 4.18.0-372.9.1.lve.el7h 4.18.0-372.13.1.lve.el7h 4.18.0-372.16.1.lve.el7h 4.18.0-372.19.1.lve.el7h 4.18.0-372.26.1.lve.1.el7h 4.18.0-372.32.1.lve.el7h 4.18.0-425.3.1.lve.el7h 4.18.0-425.3.1.lve.1.el7h 4.18.0-425.3.1.lve.2.el7h 4.18.0-425.3.1.lve.3.el7h 4.18.0-425.10.1.lve.el7h 4.18.0-425.13.1.lve.el7h 4.18.0-425.19.2.lve.el7h 4.18.0-477.10.1.lve.1.el7h 4.18.0-477.13.1.lve.el7h 4.18.0-477.15.1.lve.1.el7h 4.18.0-477.21.1.lve.el7h 4.18.0-477.13.1.lve.1.el7h 4.18.0-477.27.1.lve.el7h 4.18.0-477.15.1.lve.2.el7h 4.18.0-477.21.1.lve.1.el7h 4.18.0-513.5.1.lve.el7h 4.18.0-477.27.2.lve.el7h 4.18.0-513.9.1.lve.el7h 4.18.0-513.11.1.lve.el7h 4.18.0-513.18.1.lve.el7h 4.18.0-513.11.1.lve.1.el7h 4.18.0-513.18.1.lve.2.el7h 4.18.0-513.18.1.lve.1.el7h 4.18.0-513.24.1.lve.el7h 4.18.0-553.lve.el7h 4.18.0-513.24.1.lve.1.el7h 4.18.0-513.24.1.lve.2.el7h 4.18.0-553.5.1.lve.el7h 4.18.0-553.5.1.lve.1.el7h
Released
AlmaLinux 8
4.18.0-240.el8 show all hide all
4.18.0-240.15.1.el8_3 4.18.0-240.22.1.el8_3 4.18.0-305.el8 4.18.0-305.3.1.el8_4 4.18.0-305.7.1.el8_4 4.18.0-305.10.2.el8_4 4.18.0-305.12.1.el8_4 4.18.0-305.17.1.el8_4 4.18.0-305.19.1.el8_4 4.18.0-305.25.1.el8_4 4.18.0-348.el8 4.18.0-348.2.1.el8_5 4.18.0-348.7.1.el8_5 4.18.0-348.12.2.el8_5 4.18.0-348.20.1.el8_5 4.18.0-348.20.1.el8.fscrypt 4.18.0-348.23.1.el8_5 4.18.0-372.9.1.el8 4.18.0-372.13.1.el8_6 4.18.0-372.19.1.el8_6 4.18.0-372.16.1.el8_6 4.18.0-372.26.1.el8_6 4.18.0-372.32.1.el8_6 4.18.0-425.3.1.el8 4.18.0-425.10.1.el8_7 4.18.0-425.13.1.el8_7 4.18.0-425.19.2.el8_7 4.18.0-477.10.1.el8_8 4.18.0-477.13.1.el8_8 4.18.0-477.15.1.el8_8 4.18.0-477.21.1.el8_8 4.18.0-477.27.1.el8_8 4.18.0-513.5.1.el8_9 4.18.0-513.9.1.el8_9 4.18.0-477.27.2.el8_8 4.18.0-513.11.1.el8_9 4.18.0-513.18.1.el8_9 4.18.0-513.24.1.el8_9 4.18.0-513.18.2.el8_9 4.18.0-553.el8_10 4.18.0-553.5.1.el8_10
Released
Rocky Linux 8
4.18.0-305.3.1.el8_4 show all hide all
4.18.0-305.7.1.el8_4 4.18.0-305.10.2.el8_4 4.18.0-305.12.1.el8_4 4.18.0-305.17.1.el8_4 4.18.0-305.19.1.el8_4 4.18.0-305.25.1.el8_4 4.18.0-348.2.1.el8_5 4.18.0-348.12.2.el8_5 4.18.0-348.20.1.el8_5 4.18.0-348.7.1.el8_5 4.18.0-348.23.1.el8_5 4.18.0-372.9.1.el8 4.18.0-372.13.1.el8_6 4.18.0-372.19.1.el8_6 4.18.0-372.16.1.el8_6 4.18.0-372.16.1.el8_6.0.1 4.18.0-372.26.1.el8_6 4.18.0-372.32.1.el8_6 4.18.0-425.3.1.el8 4.18.0-425.10.1.el8_7 4.18.0-425.13.1.el8_7 4.18.0-425.19.2.el8_7 4.18.0-477.10.1.el8_8 4.18.0-477.13.1.el8_8 4.18.0-477.15.1.el8_8 4.18.0-477.27.1.el8_8 4.18.0-477.21.1.el8_8 4.18.0-513.5.1.el8_9 4.18.0-513.9.1.el8_9 4.18.0-513.11.1.el8_9 4.18.0-513.18.1.el8_9 4.18.0-513.11.1.el8_9.0.1 4.18.0-513.24.1.el8_9 4.18.0-553.el8_10 4.18.0-553.5.1.el8_10
Released
Amazon Linux 2 5.4
5.4.196-108.356.amzn2 show all hide all
5.4.188-104.359.amzn2 5.4.186-102.354.amzn2 5.4.181-99.354.amzn2 5.4.176-91.338.amzn2 5.4.172-90.336.amzn2 5.4.156-83.273.amzn2 5.4.162-86.275.amzn2 5.4.105-48.177.amzn2 5.4.117-58.216.amzn2 5.4.110-54.182.amzn2 5.4.209-116.367.amzn2 5.4.149-73.259.amzn2 5.4.190-107.353.amzn2 5.4.110-54.189.amzn2 5.4.217-126.408.amzn2 5.4.219-126.411.amzn2 5.4.226-129.415.amzn2 5.4.228-131.415.amzn2 5.4.231-137.341.amzn2 5.4.235-144.344.amzn2 5.4.257-170.359.amzn2 5.4.253-167.359.amzn2 5.4.250-166.369.amzn2 5.4.249-163.359.amzn2 5.4.247-161.349.amzn2 5.4.241-150.347.amzn2 5.4.242-156.349.amzn2 5.4.242-155.348.amzn2 5.4.254-169.358.amzn2 5.4.247-162.350.amzn2 5.4.258-171.360.amzn2 5.4.259-173.361.amzn2 5.4.228-132.418.amzn2 5.4.238-148.347.amzn2 5.4.242-159.350.amzn2 5.4.254-170.358.amzn2 5.4.261-174.360.amzn2
Released
Amazon Linux 2 5.10
Planned
RHEL8 EUS 8.6
4.18.0-372.51.1.el8_6 show all hide all
4.18.0-372.46.1.el8_6 4.18.0-372.41.1.el8_6 4.18.0-372.36.1.el8_6 4.18.0-372.52.1.el8_6 4.18.0-372.57.1.el8_6 4.18.0-372.64.1.el8_6 4.18.0-372.70.1.el8_6 4.18.0-372.75.1.el8_6 4.18.0-372.80.1.el8_6 4.18.0-372.87.1.el8_6 4.18.0-372.91.1.el8_6 4.18.0-372.93.1.el8_6 4.18.0-372.95.1.el8_6 4.18.0-372.98.1.el8_6 4.18.0-372.100.1.el8_6 4.18.0-372.102.1.el8_6 4.18.0-372.105.1.el8_6 4.18.0-372.107.1.el8_6 4.18.0-372.111.1.el8_6 4.18.0-372.113.1.el8_6 4.18.0-372.109.1.el8_6 4.18.0-372.115.1.el8_6
Released