CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%
In the Linux kernel, the following vulnerability has been resolved: net:
Make tcp_allowed_congestion_control readonly in non-init netns Currently,
tcp_allowed_congestion_control is global and writable; writing to it in any
net namespace will leak into all other net namespaces.
tcp_available_congestion_control and tcp_allowed_congestion_control are the
only sysctls in ipv4_net_table (the per-netns sysctl table) with a NULL
data pointer; their handlers (proc_tcp_available_congestion_control and
proc_allowed_congestion_control) have no other way of referencing a struct
net. Thus, they operate globally. Because ipv4_net_table does not use
designated initializers, there is no easy way to fix up this one “bad”
table entry. However, the data pointer updating logic shouldn’t be applied
to NULL pointers anyway, so we instead force these entries to be read-only.
These sysctls used to exist in ipv4_table (init-net only), but they were
moved to the per-net ipv4_net_table, presumably without realizing that
tcp_allowed_congestion_control was writable and thus introduced a leak.
Because the intent of that commit was only to know (i.e. read) “which
congestion algorithms are available or allowed”, this read-only solution
should be sufficient. The logic added in recent commit 31c4d2f160eb: (“net:
Ensure net namespace isolation of sysctls”) does not and cannot check for
NULL data pointers, because other table entries (e.g.
/proc/sys/net/netfilter/nf_log/) have .data=NULL but use other methods
(.extra2) to access the struct net.
git.kernel.org/linus/97684f0970f6e112926de631fdd98d9693c7e5c1 (5.12-rc8)
git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006
git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12
git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1
launchpad.net/bugs/cve/CVE-2021-46912
nvd.nist.gov/vuln/detail/CVE-2021-46912
security-tracker.debian.org/tracker/CVE-2021-46912
www.cve.org/CVERecord?id=CVE-2021-46912