Bug 1211596 (CVE-2020-36694)

Summary: VUL-0: CVE-2020-36694: kernel-source-azure,kernel-source-rt,kernel-source: Use-after-free in the packet processing context
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, mkoutny, mkubecek, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/367086/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Cathy Hu 2023-05-22 12:31:51 UTC 
CVE-2020-36694

An issue was discovered in netfilter in the Linux kernel before 5.10. There can
be a use-after-free in the packet processing context, because the per-CPU
sequence count is mishandled during concurrent iptables rules replacement. This
could be exploited with the CAP_NET_ADMIN capability in an unprivileged
namespace. NOTE: cc00bca was reverted in 5.12.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36694
https://www.cve.org/CVERecord?id=CVE-2020-36694
http://www.cvedetails.com/cve/CVE-2020-36694/
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc00bcaa589914096edef7fb87ca5cee4a166b5c
https://syzkaller.appspot.com/bug?id=0c4fd9c6aa04ec116d01e915d3b186f71a212cb2
Comment 2 Michal Koutný 2023-05-22 17:13:21 UTC 
Reassigning to a concrete person to ensure progress [1] (feel free to pass to next one), see also the process at [2].
 
Let me assign this to myself for review during my KSS duty.
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 3 Michal Kubeček 2023-05-23 09:04:22 UTC 
As usual, the issue description is not very specific but from what is
available, I do agree that the issue as described has been fixed by
mainline commit 175e476b8cdf ("netfilter: x_tables: Use correct memory
barriers.") which we already have in all relevant branches as a fix for
CVE-2021-29650 / bsc#1184208. Thus all we need to do is to add the new
CVE and bugzilla reference to those patches.
Comment 4 Michal Koutný 2023-05-26 20:02:03 UTC 
Thanks. I second the conclusion from comment 3.
Our kernels are unaffected.

I've pushed the updated reference via cve/linux-5.3 to make tools happy.
(older would be unaffected yet, newer would have fix already)
Comment 10 Maintenance Automation 2023-06-13 16:30:12 UTC 
SUSE-SU-2023:2502-1: An update that solves 21 vulnerabilities and has four fixes can now be installed.

Category: security (important)
Bug References: 1199636, 1204405, 1205756, 1205758, 1205760, 1205762, 1205803, 1206024, 1208474, 1208604, 1209287, 1209779, 1210715, 1210783, 1210940, 1211037, 1211043, 1211105, 1211131, 1211186, 1211203, 1211590, 1211592, 1211596, 1211622
CVE References: CVE-2020-36694, CVE-2022-3566, CVE-2022-4269, CVE-2022-45884, CVE-2022-45885, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2023-1079, CVE-2023-1380, CVE-2023-1637, CVE-2023-2156, CVE-2023-2194, CVE-2023-23586, CVE-2023-2483, CVE-2023-2513, CVE-2023-31084, CVE-2023-31436, CVE-2023-32233, CVE-2023-32269, CVE-2023-33288
Sources used:
SUSE Real Time Module 15-SP3 (src): kernel-syms-rt-5.3.18-150300.130.1, kernel-source-rt-5.3.18-150300.130.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-06-22 08:30:12 UTC 
SUSE-SU-2023:2611-1: An update that solves 22 vulnerabilities and has four fixes can now be installed.

Category: security (important)
Bug References: 1184208, 1199636, 1204405, 1205756, 1205758, 1205760, 1205762, 1205803, 1206024, 1208474, 1208604, 1209287, 1209779, 1210715, 1210783, 1210940, 1211037, 1211043, 1211105, 1211131, 1211186, 1211203, 1211590, 1211592, 1211596, 1211622
CVE References: CVE-2020-36694, CVE-2021-29650, CVE-2022-3566, CVE-2022-4269, CVE-2022-45884, CVE-2022-45885, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2023-1079, CVE-2023-1380, CVE-2023-1637, CVE-2023-2156, CVE-2023-2194, CVE-2023-23586, CVE-2023-2483, CVE-2023-2513, CVE-2023-31084, CVE-2023-31436, CVE-2023-32233, CVE-2023-32269, CVE-2023-33288
Sources used:
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_33-1-150300.7.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): kernel-syms-5.3.18-150300.59.124.1, kernel-obs-build-5.3.18-150300.59.124.1, kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-syms-5.3.18-150300.59.124.1, kernel-obs-build-5.3.18-150300.59.124.1, kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Linux Enterprise Real Time 15 SP3 (src): kernel-syms-5.3.18-150300.59.124.1, kernel-obs-build-5.3.18-150300.59.124.1, kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-syms-5.3.18-150300.59.124.1, kernel-obs-build-5.3.18-150300.59.124.1, kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-syms-5.3.18-150300.59.124.1, kernel-obs-build-5.3.18-150300.59.124.1, kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Manager Proxy 4.2 (src): kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Manager Retail Branch Server 4.2 (src): kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Manager Server 4.2 (src): kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Enterprise Storage 7.1 (src): kernel-syms-5.3.18-150300.59.124.1, kernel-obs-build-5.3.18-150300.59.124.1, kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1, kernel-source-5.3.18-150300.59.124.1
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.124.1.150300.18.72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-06-27 12:30:39 UTC 
SUSE-SU-2023:2651-1: An update that solves 22 vulnerabilities and has 10 fixes can now be installed.

Category: security (important)
Bug References: 1172073, 1184208, 1191731, 1199046, 1204405, 1205756, 1205758, 1205760, 1205762, 1205803, 1206024, 1208474, 1208604, 1209287, 1209779, 1210498, 1210715, 1210783, 1210791, 1210940, 1211037, 1211043, 1211089, 1211105, 1211186, 1211187, 1211260, 1211590, 1211592, 1211596, 1211622, 1211796
CVE References: CVE-2020-36694, CVE-2021-29650, CVE-2022-3566, CVE-2022-4269, CVE-2022-45884, CVE-2022-45885, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2023-1079, CVE-2023-1380, CVE-2023-1637, CVE-2023-2124, CVE-2023-2194, CVE-2023-23586, CVE-2023-2483, CVE-2023-2513, CVE-2023-31084, CVE-2023-31436, CVE-2023-32233, CVE-2023-32269, CVE-2023-33288
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.154.1, kernel-source-5.3.18-150200.24.154.1, kernel-syms-5.3.18-150200.24.154.1, kernel-default-base-5.3.18-150200.24.154.1.150200.9.75.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.154.1, kernel-source-5.3.18-150200.24.154.1, kernel-syms-5.3.18-150200.24.154.1, kernel-default-base-5.3.18-150200.24.154.1.150200.9.75.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): kernel-obs-build-5.3.18-150200.24.154.1, kernel-source-5.3.18-150200.24.154.1, kernel-syms-5.3.18-150200.24.154.1, kernel-default-base-5.3.18-150200.24.154.1.150200.9.75.1
SUSE Enterprise Storage 7 (src): kernel-obs-build-5.3.18-150200.24.154.1, kernel-source-5.3.18-150200.24.154.1, kernel-syms-5.3.18-150200.24.154.1, kernel-default-base-5.3.18-150200.24.154.1.150200.9.75.1
SUSE Linux Enterprise Live Patching 15-SP2 (src): kernel-livepatch-SLE15-SP2_Update_37-1-150200.5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Cathy Hu 2023-09-25 12:07:24 UTC 
done, closing