Linux Kernel SCTP NULL Pointer Dereference Vulnerability in Authentication Key Initialization

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation. This issue arises when the SCTP-AUTH key initialization process fails, leading to a null pointer dereference in the SCTP transmit path. The vulnerability is present in the Linux kernel stable tree, specifically in versions through 6.6.0.

Impact

Exploitation of this vulnerability causes a null pointer dereference, which can crash the SCTP module and result in a denial of service.

Reproduction

The vulnerability can be reproduced by initiating an SCTP association and then forcing the SCTP-AUTH key initialization to fail while processing an INIT_ACK chunk. This can be done by manipulating the SCTP command sequence to skip the shared key generation step, leaving the authentication key as null. Once this state is reached, a DATA chunk can be queued for transmission with authentication enabled, but without a valid shared key. When the outqueue is flushed, this improperly authenticated data is sent, triggering the null pointer dereference.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.
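
A host triage check to go with the upgrade advice, as an added example that is not part of the advisory or of any vendor tooling. The function names are hypothetical. It assumes that "through 6.6.0" can be compared against the upstream version in `uname -r`, and that `/proc/sys/net/sctp/auth_enable` (the `net.sctp.auth_enable` sysctl) reflects the system-wide SCTP-AUTH default.

```shell
#!/bin/sh
# Added triage sketch (not vendor code). Assumptions: the advisory's
# "through 6.6.0" is compared with the upstream version in `uname -r`
# (distribution kernels may carry backported fixes), and the presence of
# /proc/sys/net/sctp is used as the sign that SCTP is loaded or built in.
# net.sctp.auth_enable is only the system-wide default for SCTP-AUTH, so a
# value of 0 is a data point for prioritisation, not a mitigation claim.

# Leading digits of $1, or 0 if there are none.
num() { n=${1%%[!0-9]*}; echo "${n:-0}"; }

# Return 0 if kernel release $1 is <= 6.6.0, 1 otherwise.
version_in_range() {
    v=${1%%-*}                          # drop "-generic", "-rc1", ...
    major=$(num "${v%%.*}")
    rest=${v#*.};     [ "$rest" = "$v" ] && rest=0
    minor=$(num "${rest%%.*}")
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0
    patch=$(num "$patch")
    [ "$major" -lt 6 ] && return 0
    [ "$major" -gt 6 ] && return 1
    [ "$minor" -lt 6 ] && return 0
    [ "$minor" -gt 6 ] && return 1
    [ "$patch" -eq 0 ]
}

# Print a verdict for RELEASE, SCTP_PRESENT (0/1) and AUTH_ENABLE (0/1).
triage() {
    version_in_range "$1" || { echo "outside advisory range"; return 0; }
    [ "$2" = 1 ] || { echo "in range, SCTP not present"; return 0; }
    [ "$3" = 1 ] || { echo "in range, SCTP present, auth_enable=0"; return 0; }
    echo "in range, SCTP present, auth_enable=1"
}

# Gather the three inputs from the running host and report.
rel=$(uname -r)
present=0
auth=0
[ -d /proc/sys/net/sctp ] && present=1
[ -r /proc/sys/net/sctp/auth_enable ] && auth=$(cat /proc/sys/net/sctp/auth_enable)
echo "$rel: $(triage "$rel" "$present" "$auth")"
```

A host reported as in range should still be checked against the distribution's own security tracker, since the version comparison cannot see backported fixes.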

Added: Feb 14, 2026, 3:21 PM
Updated: Feb 14, 2026, 3:21 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.0
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.