Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's RxRPC implementation stems from a failure to reject undecryptable RXKAD response tickets. The 'rxkad_decrypt_ticket()' function decrypts an RXKAD response ticket and then parses the buffer as plaintext without verifying that decryption succeeded. A malformed response can therefore use a non-block-aligned ticket length to make decryption fail while the ticket parser still processes attacker-controlled bytes. The vulnerability affects the Linux kernel stable tree.
Exploitation lets attacker-controlled bytes reach the ticket parser, potentially leading to further exploitation or manipulation of the RxRPC connection.
To reproduce this vulnerability, send a malformed RXKAD response ticket with a non-block-aligned length that causes the decryption to fail. The 'rxkad_decrypt_ticket()' function will then parse the ticket as plaintext, allowing the injection of controlled bytes into the application.
Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.
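The unchecked-decrypt pattern described above, next to a hardened form, as an added userspace model (not the kernel's code and not the upstream patch). The function names, the XOR stand-in for the cipher and the 8-byte block size are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define BLK 8 /* assumed cipher block size for this model */

/* Toy stand-in for a block-mode decrypt (XOR, not a real cipher): fails on unaligned length. */
static int toy_decrypt(uint8_t *buf, size_t len, uint8_t key)
{
    if (len == 0 || len % BLK != 0)
        return -EINVAL;          /* buffer is left untouched on failure */
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
    return 0;
}

/* Hypothetical ticket parser: reads one 4-byte big-endian field. */
static int parse_ticket(const uint8_t *buf, size_t len, uint32_t *field)
{
    if (len < 4)
        return -EPROTO;
    *field = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
             ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    return 0;
}

/* Flawed pattern: the decrypt result is ignored and the buffer is parsed anyway. */
int ticket_unchecked(uint8_t *buf, size_t len, uint8_t key, uint32_t *field)
{
    (void)toy_decrypt(buf, len, key);
    return parse_ticket(buf, len, field);
}

/* Hardened pattern: reject unaligned lengths and any decrypt failure before parsing. */
int ticket_checked(uint8_t *buf, size_t len, uint8_t key, uint32_t *field)
{
    if (len == 0 || len % BLK != 0 || toy_decrypt(buf, len, key) < 0)
        return -EPROTO;
    return parse_ticket(buf, len, field);
}

int main(void)
{
    uint8_t a[9] = {0xde, 0xad, 0xbe, 0xef}, b[9] = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
    uint32_t f = 0;
    int r = ticket_unchecked(a, sizeof(a), 0x5a, &f);
    printf("unchecked: ret=%d field=%08x\n", r, (unsigned)f);
    printf("checked:   ret=%d\n", ticket_checked(b, sizeof(b), 0x5a, &f));
    return 0;
}
```

In the unchecked path the 9-byte constructed buffer is never decrypted, so the parser returns the sender's raw bytes as if they were plaintext; the checked path returns an error before the parser runs.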