Linux Kernel Netfilter TCP MSS Option Length Validation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's netfilter component, specifically within the TCP MSS (Maximum Segment Size) option parser. The issue arises because the parser reads TCP options without first validating the remaining length of the option area. If the final byte of the option area is neither an End of Option List (EOL) nor a No Operation (NOP) option, the parser treats it as the start of a multi-byte option and reads its length field and payload from beyond the intended limit, leading to an out-of-bounds read. This could allow unauthorized memory access, either by reading past the end of a stack buffer or into adjacent payload data.
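To make the missing check concrete, the following is an added example written for this page; it is not the kernel's netfilter code and not the patch referred to below. It walks a TCP option area the way a hardened parser should: before reading a length byte or an option payload, it checks the bytes remaining in the option area, so a trailing option kind with no length byte, a length that overshoots the buffer, or a zero length is reported as malformed instead of being read past the end. The option area and its length are assumed to come from the TCP data offset (header length minus 20); the sample byte strings are constructed for the example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2
#define TCPOLEN_MSS 4

enum mss_result {
    MSS_FOUND = 0,       /* MSS option present and well-formed; *mss is set */
    MSS_ABSENT = 1,      /* option area well-formed but carries no MSS option */
    MSS_MALFORMED = -1   /* an option length or kind byte points past the option area */
};

/*
 * Bounds-checked walk over a TCP option area of optlen bytes.
 * Every read is preceded by a check against the bytes still remaining,
 * which is the check the vulnerable parser described above lacks.
 */
enum mss_result parse_tcp_mss(const uint8_t *opts, size_t optlen, uint16_t *mss)
{
    size_t i = 0;

    while (i < optlen) {
        uint8_t kind = opts[i];
        size_t remaining = optlen - i;
        uint8_t len;

        if (kind == TCPOPT_EOL)
            return MSS_ABSENT;          /* end of list; anything after is padding */
        if (kind == TCPOPT_NOP) {
            i++;                        /* single-byte option, no length field */
            continue;
        }
        /* Multi-byte option: the length byte must exist before it is read. */
        if (remaining < 2)
            return MSS_MALFORMED;
        len = opts[i + 1];
        /* Length counts the kind and length bytes and must fit in what is left;
         * a length below 2 would also make the walk never advance. */
        if (len < 2 || len > remaining)
            return MSS_MALFORMED;
        if (kind == TCPOPT_MSS) {
            if (len != TCPOLEN_MSS)
                return MSS_MALFORMED;
            *mss = (uint16_t)(((uint16_t)opts[i + 2] << 8) | opts[i + 3]);
            return MSS_FOUND;
        }
        i += len;                       /* skip an option this parser does not use */
    }
    return MSS_ABSENT;
}

/* Convenience wrapper: MSS value when found, -1 when absent, -2 when malformed. */
int lookup_mss(const uint8_t *opts, size_t optlen)
{
    uint16_t mss = 0;
    enum mss_result r = parse_tcp_mss(opts, optlen, &mss);
    if (r == MSS_FOUND)
        return mss;
    return r == MSS_ABSENT ? -1 : -2;
}

/* Constructed sample option areas (hypothetical, not captured packets). */
static const uint8_t sample_ok[]        = { 0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02 }; /* MSS 1460, NOP, NOP, SACK-permitted */
static const uint8_t sample_wscale_mss[] = { 0x03, 0x03, 0x07, 0x02, 0x04, 0x05, 0xb4 };     /* window scale, then MSS 1460 */
static const uint8_t sample_trailing[]  = { 0x01, 0x01, 0x02 };                               /* MSS kind as last byte, no length */
static const uint8_t sample_overlong[]  = { 0x02, 0x04, 0x05 };                               /* length 4 but only 3 bytes left */
static const uint8_t sample_zero_len[]  = { 0x02, 0x00, 0x05, 0xb4 };                         /* length 0 */
static const uint8_t sample_eol[]       = { 0x01, 0x00, 0x02, 0x04, 0x05, 0xb4 };             /* EOL stops the walk before the MSS bytes */

int main(void)
{
    printf("ok:          %d\n", lookup_mss(sample_ok, sizeof sample_ok));
    printf("wscale+mss:  %d\n", lookup_mss(sample_wscale_mss, sizeof sample_wscale_mss));
    printf("trailing:    %d\n", lookup_mss(sample_trailing, sizeof sample_trailing));
    printf("overlong:    %d\n", lookup_mss(sample_overlong, sizeof sample_overlong));
    printf("zero len:    %d\n", lookup_mss(sample_zero_len, sizeof sample_zero_len));
    printf("eol:         %d\n", lookup_mss(sample_eol, sizeof sample_eol));
    return 0;
}
```

The two checks that matter are `remaining < 2` before the length byte is read and `len > remaining` before the option is skipped or its payload is read; with both in place, the trailing-kind case described above is rejected rather than dereferenced.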

Impact

Exploitation of this vulnerability causes an out-of-bounds read, which can lead to unauthorized memory access. This could allow an attacker to read sensitive information from memory or manipulate memory in a way that could be exploited further, such as executing arbitrary code.

Reproduction

To reproduce this vulnerability, send a TCP packet with an option field that includes a length that, when parsed, would cause the option parser to read beyond the allocated buffer. Ensure that the last byte of the option is not an EOL or NOP, which would otherwise terminate the option parsing correctly. This can be done using a network tool that allows for crafting custom TCP packets, such as Scapy or hping.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit that addresses this issue is available in the Linux kernel stable tree.

Added: May 6, 2026, 3:00 PM
Updated: May 6, 2026, 3:00 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.