CVE-2021-47129

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/03/2024
Last modified: 04/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: skip expectations for confirmed conntrack

nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
conntrack entry. However, nf_ct_ext_add() can only be called for
!nf_ct_is_confirmed().

[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
[ 1825.352508] Call Trace:
[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]

Add the ct helper extension only for unconfirmed conntrack. Skip rule
evaluation if the ct helper extension does not exist. Thus, you can
only create expectations from the first packet.

It should be possible to remove this limitation by adding a new action
to attach a generic ct helper to the first packet. Then, use this ct
helper extension from follow up packets to create the ct expectation.

While at it, add a missing check to skip the template conntrack too
and remove check for IPCT_UNTRACK which is implicit to !ct.

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.3 (including)    5.4.125 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5 (including)    5.10.43 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)   5.12.10 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
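The version ranges above are the quickest first-pass check for whether a host carries the vulnerable nft_ct code. The following script is an added example, not part of this advisory or of the kernel project: it transcribes the CPE ranges into data, parses a `uname -r` style release string (`MAJOR.MINOR[.PATCH][-rcN]`, with any distro suffix such as `-generic` ignored) and reports whether that version falls inside an affected range. The range table and the helper names `parse_release` / `is_affected` are this example's own.

```python
"""Check a Linux kernel release string against the CVE-2021-47129 CPE ranges.

Added example; the ranges below are transcribed from the advisory's
"Vulnerable products and versions" table, they are not an authoritative
feed. Distribution kernels frequently backport the fix without bumping
the upstream version, so a hit here means "verify against the vendor
changelog", not "confirmed vulnerable".
"""
import platform
import re

# (lower bound inclusive, upper bound exclusive) as (major, minor, patch).
AFFECTED_RANGES = [
    ((5, 3, 0), (5, 4, 125)),    # 5.3 (including) .. 5.4.125 (excluding)
    ((5, 5, 0), (5, 10, 43)),    # 5.5 (including) .. 5.10.43 (excluding)
    ((5, 11, 0), (5, 12, 10)),   # 5.11 (including) .. 5.12.10 (excluding)
]

# Release candidates listed individually in the table: 5.13-rc1 .. 5.13-rc4.
AFFECTED_RCS = {(5, 13, rc) for rc in (1, 2, 3, 4)}

# Leading "MAJOR.MINOR[.PATCH][-rcN]"; everything after that is ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Return (major, minor, patch, rc) for a `uname -r` string.

    patch defaults to 0 when absent (e.g. "5.13" or "5.13-rc3"); rc is
    None for a final release.
    """
    match = _RELEASE_RE.match(release.strip())
    if not match:
        raise ValueError("unrecognised kernel release string: %r" % release)
    major, minor, patch, rc = match.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def is_affected(release):
    """True if the release falls inside one of the advisory's CPE ranges."""
    major, minor, patch, rc = parse_release(release)
    if rc is not None:
        # Only the four 5.13 release candidates are listed; other -rc
        # kernels are simply not covered by the table, so report False.
        return (major, minor, rc) in AFFECTED_RCS
    version = (major, minor, patch)
    return any(low <= version < high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()
    verdict = "inside" if is_affected(running) else "outside"
    print("kernel %s is %s the CVE-2021-47129 version ranges" % (running, verdict))
```

The script only answers the version question; whether the bug is reachable still depends on the `nft_ct` module being loaded and on a ruleset that evaluates a `ct expectation` object, which requires the ability to load nftables rules in the first place.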