Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
An out-of-bounds read vulnerability has been identified in the Linux kernel's netfilter component, specifically in the nf_conntrack_h323 connection tracking helper. The issue is in the decode_choice() function, where the boundary check performed before the get_len() call uses the variable len while it is still uninitialized. The flaw can be triggered remotely by sending a crafted Q.931 SETUP message to port 1720 through a firewall on which the nf_conntrack_h323 helper is active. The out-of-bounds read has been confirmed with AddressSanitizer, which reported a heap-buffer-overflow read.
Exploitation of this vulnerability leads to an out-of-bounds read, causing a heap-buffer-overflow condition.
To reproduce this vulnerability, send a Q.931 SETUP message containing exactly 2 bytes of PER-encoded data (0x08, 0x00) to port 1720. Ensure that the target system has the nf_conntrack_h323 helper active and that the message is crafted to take advantage of the boundary check flaw in the decode_choice() function.
Users should upgrade to the latest Linux kernel version, in which this vulnerability has been patched. Upgrade instructions are available in the official Linux kernel documentation.