CVE-2024-41007 in Linux
Summary
by MITRE • 07/15/2024
In the Linux kernel, the following vulnerability has been resolved:
tcp: avoid too many retransmit packets
If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.
The fix is to make sure tcp_rtx_probe0_timed_out() takes icsk->icsk_user_timeout into account.
Before blamed commit, the socket would not timeout after icsk->icsk_user_timeout, but would use standard exponential backoff for the retransmits.
Also worth noting that before commit e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0"), the issue would last 2 minutes instead of 4.
Analysis
by VulDB Data Team • 09/27/2024
The vulnerability described in CVE-2024-41007 represents a critical timing issue within the Linux kernel's TCP implementation that can lead to excessive resource consumption and potential denial of service conditions. This flaw specifically affects TCP sockets that utilize the TCP_USER_TIMEOUT parameter, which allows applications to specify a maximum time for retransmitting unacknowledged data segments. The issue manifests when a remote peer reduces its receive window to zero, creating a scenario where the kernel's retransmission mechanism becomes overly aggressive in its attempts to resend data, potentially consuming significant system resources and network bandwidth.
The technical root cause of this vulnerability lies in how tcp_retransmit_timer() handles retransmission timing when TCP_USER_TIMEOUT is active and the peer has advertised a zero window. Under normal circumstances, once TCP_USER_TIMEOUT expires the socket should be torn down. Instead, the kernel keeps retransmitting at an accelerated rate of every two jiffies, which translates to approximately 2 milliseconds on systems with HZ=1000. This aggressive retransmission pattern persists for roughly four minutes after the timeout period has logically expired, a significant deviation from expected TCP behavior that potentially allows for resource exhaustion.
The operational impact of this vulnerability extends beyond simple resource consumption, as it can create conditions that resemble denial of service attacks against the affected system. When a TCP socket remains in this prolonged retransmission state, it consumes memory resources for socket structures, CPU cycles for processing retransmissions, and network bandwidth for transmitting redundant packets. Network administrators may observe unusual traffic patterns or performance degradation on systems running vulnerable kernel versions, particularly in environments with high connection volumes or applications that frequently utilize TCP_USER_TIMEOUT functionality.
The fix implemented for this vulnerability addresses the core issue by ensuring that tcp_rtx_probe0_timed_out() takes the icsk->icsk_user_timeout parameter into account when deciding whether the zero-window probing has timed out. This modification aligns the kernel's behavior with the expected timeout semantics and removes the extended retransmission period. Before the blamed commit, the socket likewise did not time out after icsk->icsk_user_timeout, but its retransmits at least followed the standard exponential backoff rather than firing every two jiffies. Historical context also matters: before commit e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0"), the issue lasted two minutes rather than four, showing how this timing edge case in the TCP stack has evolved.
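To make the before/after behaviour concrete, here is an added C model of the decision described above; it is illustrative code written for this page, not the kernel's own implementation. The vulnerable check consults only the 2*TCP_RTO_MAX ceiling, while the fixed one also honours the user timeout. The model assumes HZ=1000 (1 jiffy = 1 ms), TCP_RTO_MAX = 120 s, a ceiling of 2*TCP_RTO_MAX (the "about 4 minutes" above), a silent peer after the window shrinks to zero, and a 2-jiffy re-arm once the user timeout has run out.

```c
/* Model of the zero-window retransmit path described above, assuming HZ=1000
 * (1 jiffy = 1 ms). An illustrative model, not the kernel's own code. */
#include <stdbool.h>

#define TCP_RTO_MAX 120000UL             /* 120 s, expressed in ms */
#define PROBE0_CAP  (2UL * TCP_RTO_MAX)  /* the fixed ~4-minute ceiling */
#define MIN_FIRE    2UL                  /* "every two jiffies" once clamped */

struct sim_result { unsigned long retransmits, died_at; }; /* probes sent; ms until teardown */
/* Vulnerable decision: only the 2*RTO_MAX ceiling is consulted, icsk_user_timeout is ignored. */
static bool probe0_timed_out_old(unsigned long rtx_delta, unsigned long rcv_delta)
{
    return rcv_delta > PROBE0_CAP && rtx_delta > PROBE0_CAP;
}

/* Fixed decision: TCP_USER_TIMEOUT (ms, 0 = unset) also bounds the probe phase. */
static bool probe0_timed_out_new(unsigned long rtx_delta, unsigned long rcv_delta, unsigned long user_timeout)
{
    unsigned long timeout = PROBE0_CAP;
    if (user_timeout) {
        if (rtx_delta > user_timeout)
            return true;
        if (user_timeout < timeout)
            timeout = user_timeout;
    }
    return rcv_delta > timeout && rtx_delta > timeout;
}

/* Peer shrank its window to zero and stays silent; drive the timer until teardown. */
static struct sim_result simulate(bool fixed, unsigned long user_timeout, unsigned long rto)
{
    struct sim_result r = {0, 0};
    unsigned long now = 0; /* ms since the first retransmit (== last receive) */
    for (;;) {
        if (fixed ? probe0_timed_out_new(now, now, user_timeout)
                  : probe0_timed_out_old(now, now)) {
            r.died_at = now; return r;
        }
        r.retransmits++;
        /* exponential backoff clamped to the remaining user timeout; once that is gone the timer re-arms after MIN_FIRE jiffies */
        rto = rto * 2 > TCP_RTO_MAX ? TCP_RTO_MAX : rto * 2;
        if (user_timeout) {
            unsigned long left = now < user_timeout ? user_timeout - now : MIN_FIRE;
            if (left < rto)
                rto = left;
        }
        now += rto;
    }
}
```

With a 10 s TCP_USER_TIMEOUT and an initial RTO of 1 s, the old decision sends about 115,000 probes over 240 s, while the fixed one sends four and tears the socket down right after the user timeout; without TCP_USER_TIMEOUT both behave identically.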
From a cybersecurity perspective, this vulnerability aligns with CWE-707 and CWE-122 categories related to improper handling of input and buffer overflow conditions, while also mapping to ATT&CK techniques involving resource exhaustion and denial of service. The vulnerability demonstrates the complexity involved in TCP stack implementations and highlights the importance of proper timeout handling in network protocols, particularly when dealing with edge cases involving window management and retransmission policies. Organizations should prioritize patching systems running affected kernel versions to prevent potential exploitation that could lead to system instability or resource exhaustion attacks targeting network services.