CVE-2022-33743 - OpenCVE

network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Linux	Linux Kernel
Debian	Debian Linux
Xen	Xen

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:xen:xen:-:::::::*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/07/05/5	Mailing List Patch Third Party Advisory
http://xenbits.xen.org/xsa/advisory-405.html	Patch Vendor Advisory
https://www.debian.org/security/2022/dsa-5191	Third Party Advisory
https://xenbits.xenproject.org/xsa/advisory-405.txt	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: XEN

Published: 2022-07-05T12:50:19

Updated: 2022-07-27T10:06:51

Reserved: 2022-06-15T00:00:00

Link: CVE-2022-33743

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-05T13:15:08.613

Modified: 2022-11-05T03:06:47.497

Link: CVE-2022-33743

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Linux", "vendor": "Linux", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-405"}]}], "credits": [{"lang": "en", "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Jan Beulich of SUSE.'}]}}}"}], "descriptions": [{"lang": "en", "value": "network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed."}], "metrics": [{"other": {"content": {"description": {"description_data": [{"lang": "eng", "value": "A misbehaving or malicious backend may cause a Denial of Service (DoS)\nin the guest. Information leaks or privilege escalation cannot be\nruled out."}]}}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"description": "unknown", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-27T10:06:51", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://xenbits.xenproject.org/xsa/advisory-405.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://xenbits.xen.org/xsa/advisory-405.html"}, {"name": "[oss-security] 20220705 Xen Security Advisory 405 v3 (CVE-2022-33743) - network backend may cause Linux netfront to use freed SKBs", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/07/05/5"}, {"name": "DSA-5191", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5191"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@xen.org", "ID": "CVE-2022-33743", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Linux", "version": {"version_data": [{"version_affected": "?", "version_value": "consult Xen advisory XSA-405"}]}}]}, "vendor_name": "Linux"}]}}, "configuration": {"configuration_data": {"description": {"description_data": [{"lang": "eng", "value": "Linux versions 5.9 - 5.18 are vulnerable. Linux versions 5.8 and\nearlier are not vulnerable.\n\nThis vulnerability only increases the capability of an attacker in systems\nwith less than fully privileged network backends (e.g. network driver\ndomains). For systems where netback runs in dom0 (the default\nconfiguration), this vulnerability does not increase the capabilities of\nan attacker."}]}}}, "credit": {"credit_data": {"description": {"description_data": [{"lang": "eng", "value": "This issue was discovered by Jan Beulich of SUSE."}]}}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed."}]}, "impact": {"impact_data": {"description": {"description_data": [{"lang": "eng", "value": "A misbehaving or malicious backend may cause a Denial of Service (DoS)\nin the guest. Information leaks or privilege escalation cannot be\nruled out."}]}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "unknown"}]}]}, "references": {"reference_data": [{"name": "https://xenbits.xenproject.org/xsa/advisory-405.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-405.txt"}, {"name": "http://xenbits.xen.org/xsa/advisory-405.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-405.html"}, {"name": "[oss-security] 20220705 Xen Security Advisory 405 v3 (CVE-2022-33743) - network backend may cause Linux netfront to use freed SKBs", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/05/5"}, {"name": "DSA-5191", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5191"}]}, "workaround": {"workaround_data": {"description": {"description_data": [{"lang": "eng", "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious."}]}}}}}}, "cveMetadata": {"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2022-33743", "datePublished": "2022-07-05T12:50:19", "dateReserved": "2022-06-15T00:00:00", "dateUpdated": "2022-07-27T10:06:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CD32F0B-F455-46C3-B510-AD6FC97DC3A2", "versionEndIncluding": "5.18", "versionStartIncluding": "5.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:xen:xen:-:*:*:*:*:*:*:*", "matchCriteriaId": "BFA1950D-1D9F-4401-AA86-CF3028EFD286", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed."}, {"lang": "es", "value": "El backend de la red puede hacer que Linux netfront use SKB liberados Al agregar l\u00f3gica para admitir XDP (ruta de datos eXpress), se movi\u00f3 una etiqueta de c\u00f3digo de una manera que permit\u00eda que los SKB tuvieran referencias (punteros) retenidas para un procesamiento posterior para, no obstante, ser liberados"}], "id": "CVE-2022-33743", "lastModified": "2022-11-05T03:06:47.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-05T13:15:08.613", "references": [{"source": "security@xen.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/07/05/5"}, {"source": "security@xen.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://xenbits.xen.org/xsa/advisory-405.html"}, {"source": "security@xen.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5191"}, {"source": "security@xen.org", "tags": ["Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-405.txt"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}