CVE-2024-47659: smack: tcp: ipv4, fix incorrect labeling
First published: Wed Oct 09 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: smack: tcp: ipv4, fix incorrect labeling Currently, Smack mirrors the label of incoming tcp/ipv4 connections: when a label 'foo' connects to a label 'bar' with tcp/ipv4, 'foo' always gets 'foo' in returned ipv4 packets. So, 1) returned packets are incorrectly labeled ('foo' instead of 'bar') 2) 'bar' can write to 'foo' without being authorized to write. Here is a scenario how to see this: * Take two machines, let's call them C and S, with active Smack in the default state (no settings, no rules, no labeled hosts, only builtin labels) * At S, add Smack rule 'foo bar w' (labels 'foo' and 'bar' are instantiated at S at this moment) * At S, at label 'bar', launch a program that listens for incoming tcp/ipv4 connections * From C, at label 'foo', connect to the listener at S. (label 'foo' is instantiated at C at this moment) Connection succeedes and works. * Send some data in both directions. * Collect network traffic of this connection. All packets in both directions are labeled with the CIPSO of the label 'foo'. Hence, label 'bar' writes to 'foo' without being authorized, and even without ever being known at C. If anybody cares: exactly the same happens with DCCP. This behavior 1st manifested in release 2.6.29.4 (see Fixes below) and it looks unintentional. At least, no explanation was provided. I changed returned packes label into the 'bar', to bring it into line with the Smack documentation claims.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | <4.19.322 | |
| Linux Kernel | >=4.20<5.4.284 | |
| Linux Kernel | >=5.5<5.10.226 | |
| Linux Kernel | >=5.11<5.15.167 | |
| Linux Kernel | >=5.16<6.1.109 | |
| Linux Kernel | >=6.2<6.6.50 | |
| Linux Kernel | >=6.7<6.10.9 | |
| debian/linux | <=5.10.223-1<=5.10.234-1 | 6.1.129-1 6.1.128-1 6.12.21-1 |
| debian/linux-6.1 | 6.1.129-1~deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/d3f56c653c65f170b172d3c23120bc64ada645d8
- https://git.kernel.org/stable/c/5b4b304f196c070342e32a4752e1fa2e22fc0671
- https://git.kernel.org/stable/c/a948ec993541db4ef392b555c37a1186f4d61670
- https://git.kernel.org/stable/c/0aea09e82eafa50a373fc8a4b84c1d4734751e2c
- https://git.kernel.org/stable/c/0776bcf9cb6de46fdd94d10118de1cf9b05f83b9
- https://git.kernel.org/stable/c/4be9fd15c3c88775bdf6fa37acabe6de85beebff
- https://git.kernel.org/stable/c/d3703fa94116fed91f64c7d1c7d284fb4369070f
- https://git.kernel.org/stable/c/2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47659
- https://nvd.nist.gov/vuln/detail/CVE-2024-47659
- https://launchpad.net/bugs/cve/CVE-2024-47659
- https://security-tracker.debian.org/tracker/CVE-2024-47659
- https://ubuntu.com/security/CVE-2024-47659
- https://git.kernel.org/linus/2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550
Frequently Asked Questions
What is the severity of CVE-2024-47659?
CVE-2024-47659 has been classified as a medium severity vulnerability.
How do I fix CVE-2024-47659?
To resolve CVE-2024-47659, upgrade to the patched versions of the affected Linux kernel packages as specified in the advisory.
Which Linux kernel versions are affected by CVE-2024-47659?
CVE-2024-47659 affects Linux kernel versions from 5.10 and before up to 6.10.
What specific issue does CVE-2024-47659 address in the Linux kernel?
CVE-2024-47659 addresses an issue with incorrect labeling in Smack for incoming tcp/ipv4 connections.
Is my system vulnerable to CVE-2024-47659?
Check if your system is running an affected version of the Linux kernel that is listed for CVE-2024-47659.
- agent/title
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/severity
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- package-manager/debian