CVE-2019-15239 in Linux
Summary
by MITRE
In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.
Analysis
by VulDB Data Team • 11/27/2023
The vulnerability described in CVE-2019-15239 represents a critical security flaw in the Linux kernel's TCP implementation that emerged from an improper backporting operation. This issue specifically affects longterm kernel versions including 4.9.x and 4.14.x series, where a change originally introduced in kernel version 4.16.12 was incorrectly applied to earlier stable releases. The improper backporting process created a condition that was more severe than the original vulnerability it was designed to address, demonstrating the risks associated with manual kernel patch management and the complexity of maintaining security across multiple kernel branches.
The technical flaw resides in net/ipv4/tcp_output.c, where the backported change mishandles data that is added to a socket's write queue between disconnection and reconnection, the sequence the MITRE summary describes. This creates a race condition in which a local attacker who times socket operations around that connection state transition can trigger multiple use-after-free conditions. The vulnerability therefore lies in the TCP stack's handling of a connection that is terminated and subsequently re-established. Because the backport was incorrect, the protective logic that the original change provided in 4.16.12 was either missing or wrongly implemented in the affected longterm kernels.
The operational impact of this vulnerability extends beyond simple system instability to potentially enable privilege escalation attacks. When the use-after-free conditions are triggered, they can cause the kernel to crash or, in more severe cases, allow a local attacker to execute arbitrary code with kernel-level privileges. This represents a significant threat to system security as local users who can access the system can potentially elevate their privileges without requiring authentication. The vulnerability affects widely used longterm kernel versions that many organizations rely upon for stability and security, making it particularly dangerous as these versions typically receive extended support periods and are deployed across critical infrastructure.
The root cause of this issue aligns with CWE-415 which describes "Double Free" conditions and CWE-476 which covers "NULL Pointer Dereference" scenarios, as the improper backporting created conditions where memory management became inconsistent during TCP connection handling. From an ATT&CK perspective, this vulnerability maps to T1068 "Exploitation for Privilege Escalation" and T1499 "Endpoint Termination" as it enables both privilege escalation and potential system disruption. Organizations using affected kernel versions should immediately apply the security updates that carry the correctly backported fix. The recommended mitigation is upgrading to kernel version 4.9.190 or 4.14.139 (or a later release in the respective longterm series), or applying the specific patch that corrects the backporting error in tcp_output.c. System administrators should also monitor for signs of exploitation attempts and implement additional security controls to limit local user privileges where possible.
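The following triage helper is an added example and is not part of the VulDB or MITRE entry. It turns the version ranges stated in the advisory (4.9.x before 4.9.190, 4.14.x before 4.14.139) into a check that can be run against `uname -r` output, tolerating distribution suffixes such as `-3-amd64` or `.el7`. The sample release strings in it are constructed for illustration, and treating every other kernel series as "unknown" is a choice made here because the advisory lists the two longterm ranges only as examples.

```python
"""Triage helper for CVE-2019-15239 (added example, not the advisory's code).

Classifies a `uname -r` style kernel release string against the affected
longterm ranges named in the advisory. Fixed versions come from the advisory
text; the "unknown" verdict for other series is an assumption made here.
"""
import platform
import re

# First fixed release per longterm series, as stated in the advisory.
FIXED_LONGTERM = {
    (4, 9): 190,
    (4, 14): 139,
}

# Leading "major.minor[.patch]"; whatever follows (e.g. "-3-amd64", ".el7")
# is a distribution suffix and is deliberately ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string.

    A missing patch level ("4.14") is treated as .0. Raises ValueError for
    strings that do not start with a dotted version number.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(release):
    """Classify a release string against the advisory's ranges.

    Returns one of:
      "affected" - a 4.9.x or 4.14.x kernel older than the fixed release
      "fixed"    - a 4.9.x or 4.14.x kernel at or past the fixed release
      "unknown"  - any other series; the advisory gives its ranges only as
                   examples, so no verdict is offered for other kernels
    """
    major, minor, patch = parse_release(release)
    fixed_patch = FIXED_LONGTERM.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    return "affected" if patch < fixed_patch else "fixed"


def check_running_kernel():
    """Classify the kernel this interpreter is running on."""
    release = platform.release()
    try:
        return release, classify(release)
    except ValueError:
        # Non-Linux platforms may report a release string without a
        # dotted version; report that rather than failing.
        return release, "unparseable"


if __name__ == "__main__":
    # Constructed sample release strings (not taken from any real host).
    samples = [
        "4.9.189-3-amd64",
        "4.9.190",
        "4.14.138-1",
        "4.14.139-generic",
        "4.14",
        "3.10.0-1160.el7.x86_64",
        "5.4.0-42-generic",
    ]
    for s in samples:
        print("%-28s %s" % (s, classify(s)))
    print("running kernel: %s -> %s" % check_running_kernel())
```

A version string is only a first-pass signal: distribution vendors frequently ship security fixes without changing the upstream version number, so an "affected" verdict should be confirmed against the distribution's own changelog or advisory for the installed package before it is treated as an open finding.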