CVE-2024-26910 in Linuxinfo

Summary

by MITRE • 04/17/2024

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: fix performance regression in swap operation

The patch "netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test", commit 28628fa9 fixes a race condition. But the synchronize_rcu() added to the swap function unnecessarily slows it down: it can safely be moved to destroy and use call_rcu() instead.

Eric Dumazet pointed out that simply calling the destroy functions as rcu callback does not work: sets with timeout use garbage collectors which need cancelling at destroy which can wait. Therefore the destroy functions are split into two: cancelling garbage collectors safely at executing the command received by netlink and moving the remaining part only into the rcu callback.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/28/2024

The vulnerability identified as CVE-2024-26910 affects the Linux kernel's netfilter subsystem, specifically within the ipset module that manages network packet filtering rules. This issue represents a performance degradation in the swap operation functionality that impacts network filtering operations across Linux systems. The vulnerability stems from an improper implementation of synchronization mechanisms within the kernel's netfilter framework, which has been classified under CWE-362 as a race condition vulnerability. The problem manifests when network administrators perform ipset swap operations, which are commonly used to atomically exchange entire sets of network filtering rules.

The technical flaw involves an unnecessary performance regression introduced by the fix for a previous race condition in the ipset module. The original patch addressed a race condition between swap/destroy operations and kernel-side add/del/test functions by introducing synchronize_rcu() into the swap function. This addition created significant performance bottlenecks because synchronize_rcu() is a heavyweight synchronization primitive that blocks all processors until all RCU grace periods complete. The fix implemented by commit 28628fa9 moves this synchronization to the destroy function instead, utilizing call_rcu() which operates asynchronously and provides better performance characteristics.

The operational impact of this vulnerability extends to network performance and system responsiveness in environments heavily utilizing ipset for network filtering operations. Systems that frequently perform swap operations on ipset structures experience degraded performance, which can manifest as increased latency in network packet processing, reduced throughput, and potential denial of service conditions in high-traffic network environments. This vulnerability affects any Linux system running kernel versions that include the problematic ipset implementation, particularly those implementing network filtering policies using ipset for firewall rule management.

The mitigation strategy involves applying the kernel patch that restructures the destroy function to properly handle garbage collector cancellation during the netlink command execution phase, while deferring the remaining cleanup operations to RCU callbacks. This approach maintains the necessary synchronization guarantees for race condition prevention while eliminating the performance penalty associated with synchronize_rcu() in the swap operation path. The solution aligns with ATT&CK technique T1070.006 for indicator removal and T1562.001 for disabling defenses, as it addresses a kernel-level performance degradation that could be exploited to cause system instability or resource exhaustion. Organizations should prioritize kernel updates that include this fix to restore optimal performance in network filtering operations while maintaining security guarantees. The fix demonstrates proper adherence to RCU (Read-Copy-Update) best practices by separating the immediate command execution from asynchronous cleanup operations, preventing potential deadlocks while maintaining data consistency.

Reservation

02/19/2024

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00175

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!