Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netfilter component allows out-of-bounds access in the Stream Control Transmission Protocol (SCTP) handling of the connection tracking netlink interface. The issue arises because user-supplied data is not validated before the kernel uses it, leading to potential memory access violations. Specifically, the SCTP state attribute is assigned directly to a connection tracking object without a range check. As a result, an attacker can manipulate the direction of an expectation to read beyond the allocated memory of a connection tracking object, causing a slab-out-of-bounds read, as reported by the Undefined Behavior Sanitizer (UBSAN).
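As an added illustration of the bug class described above, the following is a hypothetical C model (not the kernel's own code; the state names, table and timeout values are constructed for this example) showing the unchecked assignment of a netlink-supplied state beside the range-checked form that rejects it at the trust boundary:

```c
#include <stdint.h>
#include <errno.h>

/* Hypothetical model of the bug class above; names, states and values are
 * constructed for illustration and are not the kernel's own definitions. */
enum sctp_ct_state { ST_NONE, ST_CLOSED, ST_COOKIE_WAIT, ST_COOKIE_ECHOED,
                     ST_ESTABLISHED, ST_SHUTDOWN_SENT, ST_SHUTDOWN_RECD,
                     ST_SHUTDOWN_ACK_SENT, ST_MAX /* one past the last valid state */ };
#define DIR_MAX 2  /* original and reply direction */

/* Per-direction, per-state timeout table: the object a bad state would index. */
static const unsigned int timeout_secs[DIR_MAX][ST_MAX] = {
    { 0, 10, 3, 3, 432000, 3, 3, 3 },
    { 0, 10, 3, 3, 432000, 3, 3, 3 },
};
struct ct_sctp { unsigned int state; /* filled in from the netlink attribute */ };

/* Vulnerable pattern: the attribute value is stored without a range check. */
int set_state_unchecked(struct ct_sctp *ct, uint32_t attr_state)
{
    ct->state = attr_state;
    return 0;
}

/* Hardened pattern: validate at the trust boundary, reject anything >= ST_MAX. */
int set_state_checked(struct ct_sctp *ct, uint32_t attr_state)
{
    if (attr_state >= ST_MAX)
        return -EINVAL;
    ct->state = attr_state;
    return 0;
}

/* Consumer of the state. This model refuses to index out of range and returns
 * -1; in the real bug this is the read that ran past the object. */
long lookup_timeout(const struct ct_sctp *ct, unsigned int dir)
{
    if (dir >= DIR_MAX || ct->state >= ST_MAX)
        return -1;
    return timeout_secs[dir][ct->state];
}

/* Drives one attribute value through either path: returns the timeout, -EINVAL
 * if the checked setter rejects it, or -1 if only the consumer caught it. */
long timeout_after_set(int use_check, uint32_t attr_state, unsigned int dir)
{
    struct ct_sctp ct = { 0 };
    int rc = use_check ? set_state_checked(&ct, attr_state)
                       : set_state_unchecked(&ct, attr_state);
    return rc ? rc : lookup_timeout(&ct, dir);
}
```

The checked setter fails the invalid value before it reaches any consumer; the unchecked setter accepts it, and only the defensive guard in this model's lookup stops the out-of-range index.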
Exploitation of this vulnerability results in a slab-out-of-bounds read, which could be used to read sensitive information from kernel memory or to cause a denial of service by crashing the system.
The vulnerability can be reproduced by sending a netlink message to the kernel's connection tracking subsystem with an invalid SCTP state value. This can be done using a custom program or script that interacts with the netlink interface, specifically targeting the conntrack module and the SCTP protocol. The invalid state value should be chosen to exceed the valid range, causing the out-of-bounds access when the message is processed.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation or through the package management system of the respective Linux distribution.