Bug 1213251 (CVE-2023-3106)

Summary: VUL-0: CVE-2023-3106: kernel: netlink socket crash (null pointer deref) in netlink_dump function
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: chester.lin, mkubecek, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372135/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-3106:6.6:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2023-07-12 13:22:10 UTC 
CVE-2023-3106

A NULL pointer dereference vulnerability was found in netlink_dump. This issue
can occur when the Netlink socket receives the message(sendmsg) for the
XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type message, and the DUMP flag is set and
can cause a denial of service or possibly another unspecified impact. Due to the
nature of the flaw, privilege escalation cannot be fully ruled out, although it
is unlikely.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3106
https://bugzilla.redhat.com/show_bug.cgi?id=2221501
https://www.cve.org/CVERecord?id=CVE-2023-3106
https://access.redhat.com/security/cve/CVE-2023-3106
https://github.com/torvalds/linux/commit/1ba5bf993c6a3142e18e68ea6452b347f9cb5635
Comment 1 Chester Lin 2023-07-12 14:12:27 UTC 
Reassigning to a concrete person to ensure progress [1] (feel free to pass to next one), see also the process at [2].
 
Hi Michal, it's related to XFRM so could you please take a look at this CVE? Thanks.
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 4 Michal Kubeček 2023-07-20 20:28:34 UTC 
introduced      d3623099d350    3.15-rc1
fixed           1ba5bf993c6a    4.8-rc7

The fix has been submitted to all relevant branches:

cve/linux-4.4   10b2ad1047cb

Reassigning back to security team.
Comment 9 Maintenance Automation 2023-08-16 08:31:36 UTC 
SUSE-SU-2023:3324-1: An update that solves 14 vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1087082, 1126703, 1206418, 1207561, 1209779, 1210584, 1211738, 1211867, 1212502, 1213059, 1213167, 1213251, 1213286, 1213287, 1213585, 1213588
CVE References: CVE-2018-20784, CVE-2018-3639, CVE-2022-40982, CVE-2023-0459, CVE-2023-1637, CVE-2023-20569, CVE-2023-20593, CVE-2023-2985, CVE-2023-3106, CVE-2023-3268, CVE-2023-35001, CVE-2023-3567, CVE-2023-3611, CVE-2023-3776
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): kernel-syms-4.4.121-92.208.1, kernel-source-4.4.121-92.208.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.