Analysis Summary

Researchers have uncovered a critical vulnerability in the Linux kernel’s TCP subsystem, identified as CVE-2024-36904, which had remained dormant for seven years. Discovered by the Researcher, during an audit using tools like syzkaller, this flaw results from a use-after-free error caused by a race condition between tcp_twsk_unique() and inet_twsk_hashdance(). The issue arises when a time-wait TCP socket’s reference counter is initialized after being added to a hash table, leading to a zeroed counter and improper memory management. This flaw poses a severe risk, as attackers could exploit it to execute arbitrary code within the kernel.

The vulnerability is triggered when sock_hold() encounters an uninitialized reference counter, setting it to 0xc0000000, while inet_twsk_hashdance() later overwrites it with 3, causing an imbalance. This results in the premature release of an object, leading to a use-after-free scenario. Such vulnerabilities are particularly dangerous as they can enable remote code execution, potentially compromising entire systems. The complexity of exploitability depends on precise timing and execution flow, but determined attackers with sufficient resources could leverage it for targeted attacks.

To confirm its exploitability, researchers modified the kernel to introduce execution delays at key points using mdelay() and monitored the system with KASAN. By bypassing limitations in kernel configurations related to the SLAB_TYPESAFE_BY_RCU flag, they successfully reproduced the issue in controlled environments. While the vulnerability has been patched upstream, delays in integrating fixes into widely used Linux distributions, including Red Hat Enterprise Linux derivatives, mean that many systems remain vulnerable. This underscores a broader issue where Linux distributions often lag in adopting critical security patches.

Users are strongly advised to update their Linux kernels to versions patched after May 2024 to mitigate the risk of exploitation. Additionally, developers should integrate tools like syzkaller and KASAN into their workflows to detect similar issues early. The discovery of CVE-2024-36904 serves as a reminder of the persistent risks in open-source software, emphasizing the need for proactive security monitoring and timely patch management to protect systems from potential exploitation.

Impact

• Privilege Escalation
• Gain Access
• Code Execution

Indicators of Compromise

CVE

• CVE-2024-36904

Affected Vendors

Remediation

• Ensure your Linux system is running a kernel version patched after May 2024 to mitigate the vulnerability.
• Check security advisories from Red Hat, Debian, Ubuntu, and other distributions, as some may still be integrating upstream patches.
• Implement syzkaller and KASAN to detect similar memory management issues early in development.
• If an update is not immediately available, consider restricting untrusted network traffic to reduce exposure.
• Conduct kernel audits and apply strict access controls to limit potential exploitation.
• Utilize security measures like Kernel Address Space Layout Randomization (KASLR) and SELinux/AppArmor to reduce the attack surface.