Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A divide-by-zero vulnerability has been identified in the netfilter subsystem of the Linux kernel, in the nfnetlink_osf module used for passive OS fingerprinting. The flaw is in the nf_osf_match_one() function: the OSF_WSS_MODULO branch computes the TCP window size of the packet modulo the fingerprint's wss.val without first checking that wss.val is non-zero. A user with CAP_NET_ADMIN privileges can load a fingerprint whose window-size match selects the OSF_WSS_MODULO branch with a wss.val of zero through nfnetlink. The division itself runs in the packet path, so once such a fingerprint is loaded, the next TCP SYN packet that reaches the OSF matching code executes the division by zero and the kernel panics. The fix validates fingerprints at the time they are added and rejects any entry whose wss.val is zero for the modulo match or whose wss.wc is outside the accepted range, so a malformed fingerprint never reaches the packet path.
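The vulnerable branch and the add-time validation described above, modelled in user-space C as an added example. This is not the kernel's code: the enum names WSS_PLAIN, WSS_MODULO and WSS_MAX, the struct layout, the fingerprint names and the SYN window value are assumptions for the model; only the wss.wc and wss.val field names, the shape of the modulo branch and the idea of rejecting a bad fingerprint before it is stored follow the advisory.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Window-size match types.  Names and values are assumed for this model;
 * the kernel defines its own enum in the nfnetlink_osf uapi header.
 */
enum wss_type {
    WSS_PLAIN = 0,   /* exact window value, 0 = wildcard */
    WSS_MODULO,      /* window must be a multiple of wss.val */
    WSS_MAX          /* one past the last valid type */
};

/* Window-size selector of a fingerprint; field names follow the advisory. */
struct wss {
    uint32_t wc;     /* match type (enum wss_type) */
    uint32_t val;    /* value the match type is applied to */
};

struct fingerprint {
    const char *name;
    struct wss wss;
};

/*
 * Vulnerable shape of the match: the MODULO branch divides by the
 * fingerprint-supplied wss.val with no zero check.  Returns 1 on match.
 * With wc == WSS_MODULO and val == 0 the '%' traps on x86 (SIGFPE here,
 * #DE and a panic in the kernel), so main() never calls it with that entry.
 */
static int match_wss_unchecked(const struct fingerprint *f, uint32_t window)
{
    switch (f->wss.wc) {
    case WSS_PLAIN:
        return f->wss.val == 0 || f->wss.val == window;
    case WSS_MODULO:
        return (window % f->wss.val) == 0;   /* wss.val == 0 -> divide by zero */
    default:
        return 0;
    }
}

/*
 * Validation to run when a fingerprint is added over nfnetlink, mirroring
 * the fix: reject a zero divisor for the modulo type and any match type
 * outside the known range.  Returns 0 on success or -EINVAL.
 */
static int validate_wss(const struct wss *w)
{
    if (w->wc >= WSS_MAX)
        return -EINVAL;
    if (w->wc == WSS_MODULO && w->val == 0)
        return -EINVAL;
    return 0;
}

/*
 * Hardened match: a fingerprint that fails validation is treated as a
 * non-match instead of reaching the division, and the MODULO branch keeps
 * its own zero check as defence in depth.
 */
static int match_wss(const struct fingerprint *f, uint32_t window)
{
    if (validate_wss(&f->wss) != 0)
        return 0;
    switch (f->wss.wc) {
    case WSS_PLAIN:
        return f->wss.val == 0 || f->wss.val == window;
    case WSS_MODULO:
        return f->wss.val != 0 && (window % f->wss.val) == 0;
    default:
        return 0;
    }
}

int main(void)
{
    /* Constructed fingerprints; the last two are the entries the fix rejects. */
    const struct fingerprint fps[] = {
        { "plain-wildcard", { WSS_PLAIN,  0  } },
        { "modulo-64",      { WSS_MODULO, 64 } },
        { "bad-type",       { WSS_MAX,    64 } },
        { "modulo-zero",    { WSS_MODULO, 0  } },
    };
    const uint32_t syn_window = 8192;   /* constructed window value of a SYN */

    for (size_t i = 0; i < sizeof fps / sizeof fps[0]; i++) {
        int rc = validate_wss(&fps[i].wss);
        printf("%-15s add: %s", fps[i].name,
               rc == 0 ? "accepted" : "rejected (EINVAL)");
        if (rc == 0)   /* only validated entries may reach the unchecked path */
            printf(", unchecked match=%d", match_wss_unchecked(&fps[i], syn_window));
        printf(", hardened match=%d\n", match_wss(&fps[i], syn_window));
    }
    return 0;
}
```

The point of the model is where the check lives: the kernel fix puts it in the add path, so the entry with a zero divisor is refused with an error at load time and the packet path never sees it, which is cheaper and safer than testing the divisor on every SYN.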
Successful exploitation causes a kernel panic through a divide-by-zero fault. The effect is a denial of service: the host stops processing and has to be rebooted.
To reproduce the issue, a user with CAP_NET_ADMIN privileges adds a fingerprint to the OS fingerprinting module over nfnetlink, with the window-size match set to the modulo type and a window-size value (wss.val) of zero, so that the OSF_WSS_MODULO calculation divides by it. Once the fingerprint is loaded, a TCP SYN packet that reaches the OSF matching code takes the OSF_WSS_MODULO branch, performs the modulo by zero, and the kernel panics.
Update to a kernel release that contains the fix. Instructions for updating the kernel are available in the official Linux documentation or through the package manager of the distribution in use. Until the update is applied, exposure is limited to systems on which nfnetlink_osf is loaded and a user holds CAP_NET_ADMIN; where OS fingerprinting is not used and the module is not built into the kernel, preventing it from loading removes the attack surface, and CAP_NET_ADMIN should be granted only to trusted administrators.