cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

CVE-2024-36905: need clarification why it is set as network attack vector #130

Open joelguittet opened 1 week ago

joelguittet commented 1 week ago

Hello, I would like to ask for a clarification about CVE-2024-36905. You indicate it is a network attack vector. Can you elaborate why? Both Red Hat and AWS classify the CVE with a local attack vector. Note I don't know why either. Thanks for the feedback. Joel

PS: NIST currently checks this database to populate their own, and so they currently indicate a network attack vector, but the CVE is still indicated as waiting for analysis. This is the path I followed to open this issue.

jwoytek-cisa commented 1 week ago

@joelguittet Thank you for the question. I've forwarded this on to our analysts to check the assessment and provide commentary or changes as needed.

solardiz commented 4 days ago

This is also being discussed in a thread on oss-security. It appears to me that besides the attack vector, also the impact is exaggerated:

https://www.openwall.com/lists/oss-security/2024/11/12/4

The CISA-ADP CVSS vector for this vulnerability specifies that it not only is network-reachable, but also that it has High impact not only on Availability, but also on Confidentiality and Integrity. This results in a CVSSv3.1 score of 9.8. Even merely correcting the vector not to claim any Confidentiality and Integrity impact (as a divide-by-zero generally does not have that) would bring the score down significantly.

As to the attack vector, please see the full message referenced above for reasoning on why network-only triggering of this vulnerability (without assistance from a program running locally) is very unlikely (and probably impossible).

amanion-cisa commented 3 days ago

First, thank you for the feedback, we do appreciate it, and one option is to just accept the emerging consensus on the oss-security thread and change the CVSS vectors. CVSS base vectors become less informative at higher layers (like libraries and kernels) that have many, many possible uses (and attack vectors and impacts).

To be blunt, understanding these esoteric Linux kernel vulnerabilities is expensive (in time and expertise) and the return on investment is typically low. My personal default summary starts at "authenticated local user, under fairly rare conditions, can crash the kernel, and maybe execute arbitrary code if someone spends enough time figuring it out." Or "fuzzing found a crash with evidence of memory corruption, could be induced by a local user." A very naive interpretation of CVE-2024-36905 is AV:N because of the string "tcp".

CVSS says to assume the "reasonable worst case." Is it completely impossible to exploit CVE-2024-36905 over the network? Is divide-by-zero (in the kernel) always C:N/I:N/A:H? I'd advise not investing too heavily in any CVSS base scores, especially for poorly understood vulnerabilities like CVE-2024-36905. Or create your own score if you believe or understand differently.

Is it "reasonable worst case" that a remote, unauthenticated attacker can crash the kernel? Or is that "unreasonable" and instead a local authenticated user can crash the kernel? I think in either case I'd be willing to accept that divide-by-zero means C:N/I:N/A:H.

amanion-cisa commented 3 days ago

Here's a proposed CVSS 3.1 vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

solardiz commented 3 days ago

I suggest going with Red Hat's CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H giving a score of 5.5. The difference is in "attack complexity": yours has it as High, RH has it as Low. I think if we treat this as local, the complexity reasonably becomes low because it is not hard to run a pre-written exploit locally (such as the program I think syzbot found to trigger this bug). Thank you very much!