- Security - AlmaLinux List Archives

Unassigned CVE Leads to Kernel Crash on AlmaLinux 8 – Double-Free/UAF in nft_hash Garbage Collector
by patryk.sondej＠gmail.com 25 Jan '25

25 Jan '25

Hi, I am experiencing kernel crashes on AlmaLinux 8 caused by an unassigned CVE in the Linux kernel related to a double-free/Use-After-Free vulnerability. ] After analyzing the vmcore crash dump, I discovered that the AlmaLinux kernel contains changes introduced by commit f6c383b8c31a but is not patched with the fix provided in commit 7ffc7481153bbabf3332c6a19b289730c7e1edf5. According to this discussion, the issue was introduced by commit: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API") and subsequently resolved by commit: 7ffc7481153bbabf3332c6a19b289730c7e1edf5 ("netfilter: nft_set_hash: skip duplicated elements pending gc") See what they are saying in mailing list: https://lore.kernel.org/netdev/20241205002854.162490-3-pablo@netfilter.org/… The root cause is described as follows: > 6) Fix possible double-free in nft_hash garbage collector due to unstable > walk interator that can provide twice the same element. Use a sequence > number to skip expired/dead elements that have been already scheduled > for removal. Based on patch from Laurent Fasnach This unpatched vulnerability in the AlmaLinux 8 kernel results in potential Denial-of-Service (DoS) or crashes, especially when the server utilizes nftables+dynset firewall rules. It also provides a vector for privilege escalation (LPE) when user namespaces are enabled. The relevant crash dump from my system is shown below: ``` ------------[ cut here ]------------ kernel BUG at mm/slub.c:380! invalid opcode: 0000 [#1] SMP PTI CPU: 13 PID: 3660872 Comm: goiptrace Kdump: loaded Tainted: G W X -------- - - 4.18.0-553.27.1.el8_10.x86_64 #1 Hardware name: XXX RIP: 0010:__slab_free+0x19b/0x330 Code: 1f 44 00 00 eb 9c 41 f7 46 08 00 0d 21 00 0f 85 16 ff ff ff 4d 85 ed 0f 85 0d ff ff ff 80 4c 24 5b 80 45 31 ff e9 57 ff ff ff <0f> 0b 49 3b 54 24 28 75 c4 49 89 5c 24 20 49 89 4c 24 28 49 0f ba RSP: 0000:ffffaf87867bcd90 EFLAGS: 00010246 RAX: ffff99c6a85a13e0 RBX: ffff99c6a85a1380 RCX: ffff99c6a85a1380 RDX: 00000000002a001c RSI: ffffd55c47a16800 RDI: ffff99c5c0004e00 RBP: ffffaf87867bce30 R08: 0000000000000001 R09: ffffffffc0783137 R10: ffff99c6a85a1380 R11: 0000000000000029 R12: ffffd55c47a16800 R13: ffff99c6a85a1380 R14: ffff99c5c0004e00 R15: 0000000000000001 FS: 000000c000284c90(0000) GS:ffff99e4ffb40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00001931ccf4e000 CR3: 0000000ae9b46006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0xe7/0x110 ? __slab_free+0x19b/0x330 ? do_invalid_op+0x36/0x40 ? __slab_free+0x19b/0x330 ? invalid_op+0x14/0x20 ? nft_trans_gc_trans_free+0x97/0xd0 [nf_tables] ? __slab_free+0x19b/0x330 ? __unfreeze_partials+0x15b/0x1a0 ? __update_load_avg_cfs_rq+0x27a/0x300 ? nft_trans_gc_trans_free+0x97/0xd0 [nf_tables] kfree+0x22e/0x250 nft_trans_gc_trans_free+0x97/0xd0 [nf_tables] rcu_do_batch+0x1c5/0x4b0 rcu_core+0x14c/0x210 __do_softirq+0xdc/0x2cf irq_exit_rcu+0xc6/0xd0 irq_exit+0xa/0x10 smp_apic_timer_interrupt+0x74/0x130 apic_timer_interrupt+0xf/0x20 </IRQ> RIP: 0033:0x4231b2 Code: 23 4c 89 44 24 38 e8 cd 42 ff ff 48 85 f6 0f 84 a0 00 00 00 48 8b 94 24 88 00 00 00 49 89 f1 48 8b 74 24 48 4d 89 c8 4d 8b 09 <49> 29 d0 4d 85 c9 74 b0 4d 89 ca 49 29 d1 4c 39 ce 77 a5 4c 89 44 RSP: 002b:000000c000199e90 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13 RAX: 000000c002f19400 RBX: 0000000000000280 RCX: 294a529000000000 RDX: 000000c002f19200 RSI: 0000000000000480 RDI: 0000000000000040 RBP: 000000c000199f08 R08: 000000c002f19510 R09: 000000c000b1c690 R10: 00007fab2c7b1cfe R11: 00000000000002f8 R12: 0000000000000002 R13: 000000000000000b R14: 000000c0002a09c0 R15: 0000000000000001 Modules linked in: nbd rbd libceph binfmt_misc rpcsec_gss_krb5 nfsv4 dns_resolver nfs lockd grace fscache mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag xt_multiport xt_TPROXY nf_tproxy_ipv6 nf_tproxy_ipv4 cls_bpf sch_ingress vxlan ip6_udp_tunnel udp_tunnel veth xt_CT xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_filter ip6table_raw ip6table_mangle ip6_tables iptable_filter iptable_raw iptable_mangle iptable_nat ip_tables xt_statistic xt_nat xt_addrtype ipt_REJECT nf_reject_ipv4 ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs ip6t_MASQUERADE ipt_MASQUERADE xt_conntrack xt_comment xt_mark nft_compat nft_chain_nat nf_nat nf_conntrack_netlink 8021q garp mrp bonding tls(X) bridge stp llc nfnetlink_log nft_limit nft_log nft_counter nf_tables_set nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink overlay vfat fat intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass iTCO_wdt crct10dif_pclmul crc32_pclmul iTCO_vendor_support ghash_clmulni_intel rapl intel_cstate ipmi_si intel_uncore ipmi_devintf ipmi_msghandler pcspkr joydev mei_me i2c_i801 mei lpc_ich acpi_power_meter acpi_pad auth_rpcgss sunrpc xfs libcrc32c raid1 sd_mod t10_pi sg mpt3sas ahci ixgbe libahci crc32c_intel igb libata raid_class mdio i2c_algo_bit scsi_transport_sas dca dm_mirror dm_region_hash dm_log dm_mod fuse Red Hat flags: eBPF/rawtrace eBPF/event eBPF/cls eBPF/test ```

1 0

Httpd vulnerability
by Simon Dodd 09 Oct '24

09 Oct '24

Good morning, There was a new high vulnerability for apache released last week for version 2.4.57-11.el9_4 which is resolved in 2.4.57-11.el9_4.1 I have tried running an update but there is nothing available as of yet for this. Will this be added to the repository soon or should we update manually? Thanks -- Kindest regards, Simon Dodd Customer Systems Engineer Pervade Software Tel: +44 1327 304 843 Email: simon(a)pervade-software.com<mailto:simon@pervade-software.com> Web: www.pervade-software.com<http://www.pervade-software.com/> This email contains proprietary and confidential information which may be legally privileged, and is for the intended recipient only. The contents of any telephone or face-to-face conversations relating to the same subject matters referenced in this email should also be considered proprietary and confidential. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and email confirmation to the sender. Pervade Software Ltd, Registered in England & Wales No: 07060728 of Temple Court, 13a Cathedral Rd, Cardiff, UK, CF11 9HA. VAT No: 128 8405 03 Tel: 02920 647 632 Email: info(a)pervade-software.com<mailto:info@pervade-software.com>

3 2

Severe Unauthenticated RCE Flaw (CVSS 9.9) in GNU/Linux Systems - Awaiting Full Disclosure
by security＠ceo-vision.com 25 Sep '24

25 Sep '24

Hello everyone, As you may know, for reference : - https://cybersecuritynews.com/critical-unauthenticated-rce-flaw/ - https://threadreaderapp.com/thread/1838169889330135132.html It may be something big in the next few days

1 0

OpenSSH Vulnerability CVE-2024-6409
by Neil Coils 10 Jul '24

10 Jul '24

Good Morning, We’ve just been made aware of a possible new OpenSSH Vulnerability CVE-2024-6409 https://thehackernews.com/2024/07/new-openssh-vulnerability-discovered.html Can you please confirm if CVE-2024-6409 is covered by the update delivered for CVE-2024-6387 (aka RegreSSHion) or are we looking at a new vulnerability that will require a new update. If a new update is required are there any details or release dates available. We are currently running OpenSSH_8.7p1 on AlmaLinux release 9.4 (Seafoam Ocelot) Thanks for your help with this matter. Best Regards Neil Coils Pervade Software Mob: +44 7740451604<tel:+447740451604> Email: neil(a)pervade-software.com<mailto:neil@pervade-software.com> Web: www.pervade-software.com<http://www.pervade-software.com/> This email contains proprietary and confidential information which may be legally privileged, and is for the intended recipient only. The contents of any telephone or face-to-face conversations relating to the same subject matters referenced in this email should also be considered proprietary and confidential. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and email confirmation to the sender. Pervade Software Ltd, Registered in England & Wales No: 07060728 of Temple Court, 13a Cathedral Road, Cardiff, CF11 9HA. VAT No: 128 8405 03 Tel: 02920 647 632 Email: info(a)pervade-software.com<mailto:info@pervade-software.com>

2 2

AlmaLinux 9 OpenSSH "regreSSHion" CVE-2024-6387
by Jonathan Wright 10 Jul '24

10 Jul '24

Hello, We have published updates for OpenSSH's "regreSSHion" vulnerability, CVE-2024-6387. Please see the blog post at https://f89ae520.almalinux-org.pages.dev/blog/2024-07-01-almalinux-9-cve-20… for more information. -- Jonathan Wright AlmaLinux Foundation Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>

6 7

[Ticket ID: 190306] Re: OpenSSH Vulnerability- CVE identifier CVE-2024-6387
by Cybrancee Web Hosting Support 01 Jul '24

01 Jul '24

Can someone just remove us from this list, we didn't sign up to it. ---------------------------------------------- Ticket ID: #190306 Subject: [Security] Re: OpenSSH Vulnerability- CVE identifier CVE-2024-6387 Status: Answered Ticket URL: https://cybrancee.com/client/viewticket.php?tid=190306&c=Sf8JmXTV ----------------------------------------------

1 0

[Ticket ID: 190306] Re: OpenSSH Vulnerability- CVE identifier CVE-2024-6387
by Cybrancee Web Hosting Support 01 Jul '24

01 Jul '24

Jonathan Wright, Thank you for contacting our support team. A support ticket has now been opened for your request. You will be notified when a response is made by email. The details of your ticket are shown below. Subject: [Security] Re: OpenSSH Vulnerability- CVE identifier CVE-2024-6387 Priority: Medium Status: Open You can view the ticket at any time at https://cybrancee.com/client/viewticket.php?tid=190306&c=Sf8JmXTV --- Cybrancee https://cybrancee.com

1 0

OpenSSH Vulnerability- CVE identifier CVE-2024-6387
by Neil Coils 01 Jul '24

01 Jul '24

Hi, Is there a recommendation for AlmaLinux 9 users regarding this ‘OpenSSH Vulnerability- CVE identifier CVE-2024-6387’ Thanks & Regards Neil Coils Pervade Software Mob: +44 7740451604<tel:+447740451604> Email: neil(a)pervade-software.com<mailto:neil@pervade-software.com> Web: www.pervade-software.com<http://www.pervade-software.com/> This email contains proprietary and confidential information which may be legally privileged, and is for the intended recipient only. The contents of any telephone or face-to-face conversations relating to the same subject matters referenced in this email should also be considered proprietary and confidential. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and email confirmation to the sender. Pervade Software Ltd, Registered in England & Wales No: 07060728 of Temple Court, 13a Cathedral Road, Cardiff, CF11 9HA. VAT No: 128 8405 03 Tel: 02920 647 632 Email: info(a)pervade-software.com<mailto:info@pervade-software.com>

3 2

OpenSSH policies / system crypto policy equivalence
by Francesco Di Nucci 20 Jun '24

20 Jun '24

Hello, I am trying to write a crypto policy modifier to disable some kex algorithms in OpenSSH (not the one in the example, but the issue is the same). Reading //usr/share/crypto-policies/python/policygenerators/openssh.py/, I find mappings like /'ECDHE-SECP521R1-SHA2-512': 'ecdh-sha2-nistp521'/, so I tried to write in a pmod /key_exchange = -ECDHE-SECP521R1-SHA2-512/ When I try to load it with update-crypto-policies, it fails stating /Bad value of policy property `key_exchange`: `ECDHE-SECP521R1-SHA2-512`/, and in fact If I check //usr/share/crypto-policies/python/cryptopolicies/alg_lists.py, /ECDHE-SECP521R1-SHA2-512 is not defined there. So, how can I disable in OpenSSH kex/algorithms/etc that are defined in //usr/share/crypto-policies/python/policygenerators/openssh.py /but not in //usr/share/crypto-policies/python/cryptopolicies/alg_lists.py?/ Best regards Francesco Di Nucci

1 0

Hello
by ray 01 May '24

01 May '24

1 0