CVE-2024-50299 in Linuxinfo

Summary

by MITRE • 11/19/2024

In the Linux kernel, the following vulnerability has been resolved:

sctp: properly validate chunk size in sctp_sf_ootb()

A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add size validation when walking chunks") is also required in sctp_sf_ootb() to address a crash reported by syzbot:

BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712 sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712 sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166 sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243 sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159 ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 10/02/2025

The vulnerability identified as CVE-2024-50299 represents a critical memory safety issue within the Linux kernel's Stream Control Transmission Protocol implementation. This flaw exists in the sctp_sf_ootb() function which handles out-of-the-blue (OOTB) chunk processing, a fundamental component of SCTP's state machine operations. The issue stems from inadequate validation of chunk sizes during packet processing, creating potential for undefined behavior and system crashes. The vulnerability was discovered through automated fuzzing by syzbot, which reported a KMSAN (Kernel Memory Sanitizer) error indicating an uninitialized value access pattern that leads to kernel panic conditions.

The technical root cause of this vulnerability lies in the absence of proper size validation within the sctp_sf_ootb() function, which processes chunks that arrive outside of the normal connection state. Unlike similar functions in the same codebase that were previously patched with commit 50619dbf8db7, this particular function fails to validate chunk boundaries before attempting to access memory regions. The crash occurs at offset 0x7f5 within the sctp_sf_ootb function, specifically when walking through chunk data structures without proper bounds checking. This pattern of uninitialized memory access violates fundamental security principles and creates opportunities for both denial-of-service attacks and potential privilege escalation scenarios.

The operational impact of this vulnerability extends beyond simple system crashes, as it affects the stability and reliability of network services that depend on SCTP protocol implementation. When exploited, the vulnerability can cause kernel panics that result in complete system downtime, making it particularly dangerous in production environments where network availability is critical. The attack surface includes any system running Linux kernel versions containing the vulnerable SCTP implementation, particularly servers handling SCTP traffic or systems with SCTP support enabled. This vulnerability directly relates to CWE-457: Use of Uninitialized Variable and CWE-125: Out-of-bounds Read, both of which are classified under the broader category of memory safety issues. From an adversarial perspective, this vulnerability aligns with ATT&CK technique T1499.004: Endpoint Denial of Service, as it can be leveraged to cause system instability through carefully crafted network packets.

The mitigation strategy for this vulnerability requires immediate application of the kernel patch that implements size validation similar to the previously mentioned commit 50619dbf8db7. System administrators should prioritize updating their kernel versions to include the fix, particularly in environments where SCTP traffic is processed or where network services might be exposed to untrusted network inputs. Additional defensive measures include implementing network segmentation to limit SCTP traffic exposure, deploying intrusion detection systems to monitor for suspicious packet patterns, and conducting regular vulnerability assessments to identify other potential memory safety issues. The fix demonstrates proper defensive programming practices by ensuring all chunk sizes are validated before memory access operations, thereby preventing the uninitialized value access that leads to system crashes. Organizations should also consider implementing kernel hardening measures such as KASAN (Kernel Address Sanitizer) and KMSAN to detect similar issues in other kernel subsystems.

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00266

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!