Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240130142524.GA21216@openwall.com>
Date: Tue, 30 Jan 2024 15:25:24 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Armin Kuster <akuster@...sta.com>
Subject: Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631

Hi,

On Tue, Jan 30, 2024 at 08:46:56AM -0500, Armin Kuster wrote:
> Not sure if this is the appropriate mailing list to share this information.

Since the issues are not specific to one downstream distro, yes, it is
appropriate and desirable to have this information in here.  Thank you!

However, two things can be done better on further occasions: actual
vulnerability information should be included in the message body (not
only links) and the Subject line should explicitly say Linux when
referring to the Linux kernel (since this list isn't only about Linux).

> I noticed these two openEuler CVEs were assigned two weeks ago affecting
> some K.O stable branches.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2021-33630

This says:

"NULL Pointer Dereference vulnerability in openEuler kernel on Linux
(network modules) allows Pointer Manipulation. This vulnerability is
associated with program files net/sched/sch_cbs.C. This issue affects
openEuler kernel: from 4.19.90 before 4.19.90-2401.3."

> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e8b9bfa110896f95d602d8c98d5f9d67e41d78c

This mainline commit is from 2019, "net/sched: cbs: Fix not adding cbs
instance to list".

> https://nvd.nist.gov/vuln/detail/CVE-2021-33631

This says:

"Integer Overflow or Wraparound vulnerability in openEuler kernel on
Linux (filesystem modules) allows Forced Integer Overflow.This issue
affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from
5.10.0-60.18.0 before 5.10.0-183.0.0."

> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5c099c4fdc438014d5893629e70a8ba934433ee8

2022, "ext4: fix kernel BUG in 'ext4_write_inline_data_end()'"

So the concern is that upstream longterm 4.19.y and 5.10.y (and perhaps
some others) may still be affected.

The above links don't say anything about attack vectors and required
access - I guess CAP_NET_ADMIN and raw block device write (e.g., to a
USB flash drive on another computer), respectively, are the
prerequisites?  The CVSS scores look exaggerated, especially NVD's score
of 7.8 for CVE-2021-33631.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.