CVE-2026-43088
Memory Corruption in Linux Kernel PF_KEY
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux_kernel | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is resolved by fixing the export paths in the Linux kernel that append aligned sockaddr payloads with plain skb_put(). Specifically, the fix involves clearing only the aligned sockaddr tail after pfkey_sockaddr_fill() in the affected paths: SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE.
To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's PF_KEY export paths that write sockaddr structures for IPv6 addresses into outgoing messages. When reserving space for a sockaddr payload, pfkey_sockaddr_size() reserves 32 bytes for an IPv6 address, but pfkey_sockaddr_fill() initializes only the first 28 bytes, the size of struct sockaddr_in6. The last 4 bytes of the reserved space are therefore never written and keep whatever the buffer previously held.
Not all PF_KEY messages are affected; only certain export paths that append aligned sockaddr payloads without zeroing the entire buffer are vulnerable. These include SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE. The fix involves clearing the uninitialized tail bytes after filling the sockaddr structure to prevent leakage of uninitialized data.
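As an added illustration, not kernel code and not taken from this advisory, the following userland C models the size/fill mismatch described above and the tail-clearing fix. It assumes sizeof(struct sockaddr_in6) is 28 on the host libc, uses 0xAA as a constructed stand-in for stale buffer contents, and uses hypothetical names model_sockaddr_size(), model_sockaddr_fill() and export_sockaddr() in place of the kernel's pfkey_sockaddr_size(), pfkey_sockaddr_fill() and the SADB export paths.

```c
#include <arpa/inet.h>    /* inet_pton, htons */
#include <netinet/in.h>   /* struct sockaddr_in6, struct in6_addr */
#include <string.h>       /* memset, memcpy, size_t */

/* PF_KEY pads every payload to an 8-byte boundary (the kernel's PFKEY_ALIGN8). */
#define PFKEY_ALIGN8(n) (((n) + 7) & ~(size_t)7)

/* Stands in for pfkey_sockaddr_size(): the space reserved for an IPv6 sockaddr
 * is sizeof(struct sockaddr_in6) = 28 rounded up to 32 (assumed 28-byte struct). */
size_t model_sockaddr_size(void)
{
    return PFKEY_ALIGN8(sizeof(struct sockaddr_in6));
}

/* Stands in for pfkey_sockaddr_fill(): writes only the 28-byte sockaddr_in6
 * into dst and returns how many bytes it actually initialised. */
size_t model_sockaddr_fill(const struct in6_addr *addr, unsigned short port, void *dst)
{
    struct sockaddr_in6 sin6;

    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(port);
    sin6.sin6_addr = *addr;
    memcpy(dst, &sin6, sizeof(sin6));
    return sizeof(sin6);
}

/* Models one export path appending the sockaddr into a 32-byte slot that still
 * holds stale data (0xAA is constructed, standing in for old skb contents).
 * Without clear_tail, bytes 28..31 keep that stale data and would reach user
 * space; with clear_tail, only the aligned tail is zeroed, as the fix does.
 * Returns how many tail bytes still carry stale data. */
int export_sockaddr(int clear_tail)
{
    unsigned char slot[32];
    struct in6_addr addr;
    size_t reserved = model_sockaddr_size();   /* 32 */
    size_t filled, i;
    int leaked = 0;

    memset(slot, 0xAA, sizeof(slot));          /* constructed stale contents */
    inet_pton(AF_INET6, "2001:db8::1", &addr); /* documentation prefix, RFC 3849 */
    filled = model_sockaddr_fill(&addr, 500, slot);
    if (clear_tail && reserved > filled)
        memset(slot + filled, 0, reserved - filled);
    for (i = filled; i < reserved; i++)
        leaked += (slot[i] == 0xAA);
    return leaked;   /* 4 without the fix, 0 with it */
}
```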
How can this vulnerability impact me?
The impact of this vulnerability is that uninitialized memory bytes in the sockaddr_in6 structure may be exposed in PF_KEY messages. This could potentially lead to information leakage, where sensitive or random data from kernel memory is unintentionally disclosed to user space or other components interacting with PF_KEY.
Such leakage might be exploited by an attacker to gain insights into kernel memory contents, which could aid in further attacks or compromise system security.