CVE-2024-36902 Overview
CVE-2024-36902 is a NULL pointer dereference vulnerability in the Linux kernel's IPv6 FIB6 rules implementation. It lies in the fib6_rule_action() function of the IPv6 routing subsystem, where the pointer returned by ip6_dst_idev() is dereferenced without first checking that it is non-NULL; when that function returns NULL, the kernel crashes.
The vulnerability was identified by syzbot, the kernel's automated fuzzing infrastructure, which triggered a kernel crash (general protection fault) through this unsafe pointer handling in the IPv6 routing code path. The crash occurs when the kernel dereferences the NULL pointer during an IPv6 route lookup; in the reported case the lookup was reached through SCTP connection establishment.
Critical Impact
Local attackers with low privileges can trigger a kernel crash, causing system denial of service. The vulnerability requires local access but no user interaction, making it exploitable in multi-tenant environments and container scenarios.
Affected Products
- Linux Kernel (multiple versions affected)
- Debian Linux (LTS releases)
- NetApp products utilizing affected Linux kernel versions
Discovery Timeline
- May 30, 2024 - CVE-2024-36902 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-36902
Vulnerability Analysis
The vulnerability resides in the fib6_rule_action() function located in net/ipv6/fib6_rules.c. The root cause is the improper handling of the return value from ip6_dst_idev(), which can legitimately return NULL under certain conditions. The code path proceeds to dereference the pointer without first validating that it is non-NULL, leading to a NULL pointer dereference when processing IPv6 routing rules.
The crash manifests as a general protection fault with RIP at 0010:__fib6_rule_action, line 237 of fib6_rules.c. KASAN (Kernel Address Sanitizer) reports it as a null-ptr-deref in the range [0x0000000000000000-0x0000000000000007], that is, an 8-byte access at offset 0 from a NULL base, which confirms the NULL pointer access attempt.
Root Cause
The vulnerability stems from missing NULL validation of the value returned by ip6_dst_idev(). In the Linux kernel networking stack, ip6_dst_idev() returns the IPv6 per-device state associated with an IPv6 destination cache entry. This function can return NULL under various conditions, such as when the destination cache entry is not properly initialized or when the associated interface has been removed.
The fix adds an explicit NULL check before the pointer returned by ip6_dst_idev() is dereferenced. Multiple kernel stable branches have received backported patches that add this validation and so prevent the NULL pointer dereference.
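The following is an added example, not kernel code and not the actual patch: it models the missing-check pattern behind this bug with stand-in types. Every struct, the rule-table walk, and the error codes are simplified assumptions; only the name ip6_dst_idev() is kept from the kernel. It shows the vulnerable shape (unconditional dereference) next to the fixed shape (fetch into a local, test for NULL, skip to the next rule), which is the check the root-cause analysis above calls for.

```c
/*
 * Added example, not kernel code: a stand-in model of the check missing in
 * fib6_rule_action() (CVE-2024-36902). All types and helper names below are
 * simplified assumptions; only ip6_dst_idev() keeps its kernel name.
 */
#include <stddef.h>
#include <string.h>

#define EAGAIN_RULE  (-11)   /* "try the next rule" (assumed, like -EAGAIN) */
#define ENODEV_RULE  (-19)   /* "no usable rule"    (assumed, like -ENODEV) */

/* Stand-ins for the kernel's net_device / inet6_dev / dst_entry. */
struct net_device { const char *name; };
struct inet6_dev  { struct net_device *dev; };
struct dst_entry  { struct inet6_dev *idev; int obsolete; };

/* Stand-in for ip6_dst_idev(): the IPv6 device data hanging off a dst.
 * It can be NULL, e.g. when the dst is stale and its device state is gone. */
static struct inet6_dev *ip6_dst_idev(struct dst_entry *dst)
{
    return dst->obsolete ? NULL : dst->idev;
}

/* Vulnerable shape: the return value is dereferenced unconditionally.
 * On a stale dst this reads through a NULL pointer, which is the GPF /
 * KASAN null-ptr-deref described above. Never call it on a stale dst. */
static const char *rule_action_unchecked(struct dst_entry *dst)
{
    return ip6_dst_idev(dst)->dev->name;
}

/* Fixed shape: fetch into a local, test for NULL, and tell the caller to
 * move on to the next rule instead of touching the pointer. */
static int rule_action_checked(struct dst_entry *dst, const char **dev_name)
{
    struct inet6_dev *idev = ip6_dst_idev(dst);

    if (!idev)
        return EAGAIN_RULE;
    *dev_name = idev->dev->name;
    return 0;
}

/* Walk a small rule table the way a lookup would: the first rule whose dst
 * still has device data wins; a rule with a stale dst is skipped, not
 * crashed on. Returns the winning rule index or a negative error. */
static int lookup_first_usable(struct dst_entry *rules, size_t n,
                               const char **dev_name)
{
    for (size_t i = 0; i < n; i++) {
        int err = rule_action_checked(&rules[i], dev_name);
        if (err == 0)
            return (int)i;
        if (err != EAGAIN_RULE)
            return err;
    }
    return ENODEV_RULE;
}

/* Constructed sample: rule 0 has a stale dst, rule 1 is healthy. */
static struct net_device eth0 = { "eth0" };
static struct inet6_dev  idev_eth0 = { &eth0 };
static struct dst_entry  sample_rules[2] = {
    { &idev_eth0, 1 },   /* obsolete -> ip6_dst_idev() returns NULL */
    { &idev_eth0, 0 },
};

int main(void)
{
    const char *name = NULL;
    int idx = lookup_first_usable(sample_rules, 2, &name);
    /* The unchecked form is only safe on the healthy rule. */
    const char *direct = rule_action_unchecked(&sample_rules[1]);

    return (idx == 1 && strcmp(name, "eth0") == 0 &&
            strcmp(direct, "eth0") == 0) ? 0 : 1;
}
```

The point of the checked variant is not the specific error code but where the decision is made: the caller gets a "skip this rule" result and never sees the NULL pointer, so a stale destination entry degrades to a failed lookup rather than a kernel fault.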
Attack Vector
The attack vector is local and requires low privileges to execute. An attacker can trigger the vulnerability through the following call chain:
- Initiate an SCTP connection via sctp_inet_connect()
- The connection process calls sctp_connect_new_asoc() which adds a peer
- Peer addition triggers sctp_transport_route() for route lookup
- Route lookup invokes sctp_v6_get_dst() for IPv6 destination resolution
- This leads to ip6_dst_lookup_flow() and eventually fib6_rule_lookup()
- The fib6_rule_action() function is called where the NULL dereference occurs
The attack does not require user interaction and can be triggered by a local user with the ability to create network sockets and initiate SCTP connections. This makes the vulnerability particularly relevant in containerized environments where multiple tenants share the same kernel.
Detection Methods for CVE-2024-36902
Indicators of Compromise
- Kernel crash logs showing "general protection fault" with RIP pointing to __fib6_rule_action or fib6_rule_action in net/ipv6/fib6_rules.c
- KASAN reports indicating null-ptr-deref in the IPv6 FIB rules code path
- System instability or unexpected reboots coinciding with IPv6 network activity or SCTP connection attempts
- Kernel oops messages referencing the call chain through sctp_v6_get_dst, ip6_dst_lookup_flow, or fib6_rule_lookup
Detection Strategies
- Monitor kernel logs for crash signatures matching the vulnerability pattern, specifically looking for faults in the FIB6 rules subsystem
- Deploy kernel address sanitizer (KASAN) in test environments to detect NULL pointer dereference attempts
- Implement system call auditing to track suspicious SCTP socket operations from unprivileged users
- Use kdump or similar kernel crash dump analysis tools to capture and analyze crash data for post-incident forensics
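As an added example covering both the indicators of compromise and the log-monitoring strategy above, here is a small C classifier that scans kernel log lines for the crash signature this advisory describes: a general protection fault or KASAN null-ptr-deref whose RIP is in __fib6_rule_action, corroborated by the SCTP-to-fib6 call chain. It is not part of the advisory; the sample log lines and the offsets in them are constructed for the example, modeled on the indicators listed above, and are not copied from a real report.

```c
/*
 * Added example, not from the advisory: classify kernel log lines by the
 * CVE-2024-36902 crash signature. Sample lines below are constructed.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
    SIG_GPF        = 1u << 0,  /* "general protection fault" */
    SIG_KASAN_NULL = 1u << 1,  /* KASAN null-ptr-deref report */
    SIG_RIP_FIB6   = 1u << 2,  /* RIP in (__)fib6_rule_action */
    SIG_CHAIN_SCTP = 1u << 3,  /* trace passes through the SCTP->fib6 path */
};

/* Call-chain symbols the advisory lists as corroborating evidence. */
static const char *chain_symbols[] = {
    "fib6_rule_lookup", "ip6_dst_lookup_flow", "sctp_v6_get_dst",
};

/* Returns a bitmask of which indicators appear anywhere in the lines. */
static unsigned classify_kernel_log(const char *const *lines, size_t n)
{
    unsigned flags = 0;

    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "general protection fault"))
            flags |= SIG_GPF;
        if (strstr(l, "KASAN") && strstr(l, "null-ptr-deref"))
            flags |= SIG_KASAN_NULL;
        if (strstr(l, "RIP:") && strstr(l, "fib6_rule_action"))
            flags |= SIG_RIP_FIB6;
        for (size_t k = 0; k < sizeof chain_symbols / sizeof *chain_symbols; k++)
            if (strstr(l, chain_symbols[k]))
                flags |= SIG_CHAIN_SCTP;
    }
    return flags;
}

/* Verdict: a fault or KASAN report with RIP in fib6_rule_action is the core
 * signature; the SCTP call chain only corroborates it (other callers of the
 * FIB6 rule code could reach the same dereference). */
static int matches_cve_2024_36902(unsigned flags)
{
    return (flags & SIG_RIP_FIB6) && (flags & (SIG_GPF | SIG_KASAN_NULL));
}

/* Constructed positive sample: the shape of the crash described above. */
static const char *const sample_crash[] = {
    "general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN",
    "KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]",
    "RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237",
    "Call Trace:",
    " fib6_rule_lookup+0x1c3/0x2a0",
    " ip6_dst_lookup_flow+0x8c/0x1b0",
    " sctp_v6_get_dst+0x4a2/0x9f0",
    " sctp_transport_route+0x9e/0x2c0",
    " sctp_inet_connect+0x2d1/0x4e0",
};

/* Constructed negative sample: an unrelated oops that must not match. */
static const char *const sample_other[] = {
    "BUG: kernel NULL pointer dereference, address: 0000000000000010",
    "RIP: 0010:ext4_file_open+0x1a/0x60",
    "Call Trace:",
    " do_dentry_open+0x1c0/0x3e0",
};

int main(void)
{
    unsigned f = classify_kernel_log(sample_crash, sizeof sample_crash / sizeof *sample_crash);
    unsigned g = classify_kernel_log(sample_other, sizeof sample_other / sizeof *sample_other);

    printf("sample_crash: flags=0x%x match=%d\n", f, matches_cve_2024_36902(f));
    printf("sample_other: flags=0x%x match=%d\n", g, matches_cve_2024_36902(g));
    return 0;
}
```

In production the same logic belongs in whatever consumes the journal or a kdump vmcore: feed it the lines of one oops at a time rather than the whole log, so that an unrelated fault and a later fib6 symbol in a different trace are not merged into a false positive.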
Monitoring Recommendations
- Configure system logging to capture kernel oops and panic messages with full call trace information
- Set up automated alerts for kernel crashes involving IPv6 routing subsystems
- Monitor for unusual patterns of SCTP connection attempts, particularly from containerized workloads
- Implement real-time kernel log analysis, for example by forwarding kernel messages to a SIEM, and use auditd to record the socket activity that precedes a crash, so that exploitation attempts can be detected and attributed
How to Mitigate CVE-2024-36902
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the NULL pointer validation fix
- For systems that cannot be immediately patched, consider limiting SCTP socket creation to trusted users
- Review and restrict network namespace privileges in containerized environments
- Monitor systems for signs of exploitation attempts while planning the patch deployment
Patch Information
The vulnerability has been addressed through multiple kernel patches available in the stable kernel branches. The fix adds proper NULL checks before dereferencing the pointer returned by ip6_dst_idev().
Official patches are available from the Linux kernel Git repository:
- Kernel Patch Commit 1876881c
- Kernel Patch Commit 35297fc6
- Kernel Patch Commit 4a5a5733
- Kernel Patch Commit 674c951a
- Kernel Patch Commit 7e3242c1
- Kernel Patch Commit 8745a8d7
- Kernel Patch Commit d101291b
- Kernel Patch Commit ddec23f2
Additional advisories:
Workarounds
- Disable SCTP protocol support if it is not required: unload the sctp kernel module with modprobe -r sctp and prevent it from being autoloaded again (unloading only succeeds while no SCTP socket is open)
- Restrict access to network namespaces and socket creation for unprivileged users through seccomp profiles or AppArmor/SELinux policies
- In containerized environments, ensure containers run with minimal network capabilities and consider dropping CAP_NET_ADMIN and CAP_NET_RAW
- Implement network segmentation to limit exposure of systems with vulnerable kernels
# Disable SCTP module loading (temporary workaround)
echo "install sctp /bin/true" > /etc/modprobe.d/disable-sctp.conf
# Unload the module now; this fails if any SCTP socket is still open
modprobe -r sctp
# Verify the SCTP module is not loaded (no output means it is unloaded)
lsmod | grep sctp
# Check current kernel version
uname -r
# Update kernel packages (Debian/Ubuntu); full-upgrade installs a new kernel
# package even when its ABI version, and therefore its package name, changes
apt update && apt full-upgrade
# Update kernel packages (RHEL/CentOS)
yum update kernel
# Reboot so the patched kernel is actually running, then re-check uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.