CVE-2024-35981
📋 TL;DR
A vulnerability in the Linux kernel's virtio_net driver causes a kernel infinite loop when attempting to configure RSS (Receive Side Scaling) on virtio network devices that don't support it. This leads to a denial of service condition where the affected system becomes unresponsive. The vulnerability affects Linux systems using QEMU/KVM virtualization with virtio network devices.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Complete system lockup requiring hard reboot, potentially causing data loss and extended service downtime.
Likely Case
System becomes unresponsive when RSS configuration is attempted on unsupported virtio devices, requiring manual intervention to restore service.
If Mitigated
No impact if RSS configuration is not attempted on affected virtio devices or if systems are patched.
🎯 Exploit Status
Exploitation requires ability to run 'ethtool -X eth0 hfunc toeplitz' command on affected system. This typically requires local access or ability to execute commands through other means.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing fixes from the provided git commits
Vendor Advisory: https://git.kernel.org/stable/c/059a49aa2e25c58f90b50151f109dd3c4cdb3a47
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Check with your distribution vendor for specific patched kernel versions. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Avoid RSS configuration on virtio devices
linuxPrevent triggering the vulnerability by avoiding RSS configuration commands on virtio network devices
# Do not run: ethtool -X eth0 hfunc toeplitz
# Or any other RSS configuration commands on virtio devices
Disable virtio_net module
linuxTemporarily disable the affected driver if not required
# modprobe -r virtio_net
# Add 'blacklist virtio_net' to /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Restrict user access to ethtool command and network configuration utilities
- Implement strict access controls to prevent unauthorized users from executing network configuration commands
🔍 How to Verify
Check if Vulnerable:
Check if system uses virtio network devices and test with 'ethtool -X eth0 hfunc toeplitz' (WARNING: This will trigger the vulnerability if present)Check Version:
uname -rVerify Fix Applied:
Check kernel version against patched versions from your distribution vendor, or verify the fix commit is present in your kernel📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- System becoming unresponsive after network configuration
- QEMU error messages about broken virtio devices
Network Indicators:
- Sudden loss of connectivity from affected host
- No response to ping or other network probes
SIEM Query:
Search for 'ethtool -X' command execution or kernel panic events related to virtio_net🔗 References
- https://git.kernel.org/stable/c/059a49aa2e25c58f90b50151f109dd3c4cdb3a47
- https://git.kernel.org/stable/c/28e9a64638cd16bc1ecac9ff74ffeacb9fb652de
- https://git.kernel.org/stable/c/43a71c1b4b3a6d4db857b1435d271540279fc7de
- https://git.kernel.org/stable/c/539a2b995a4ed93125cb0efae0f793b00ab2158b
- https://git.kernel.org/stable/c/059a49aa2e25c58f90b50151f109dd3c4cdb3a47
- https://git.kernel.org/stable/c/28e9a64638cd16bc1ecac9ff74ffeacb9fb652de
- https://git.kernel.org/stable/c/43a71c1b4b3a6d4db857b1435d271540279fc7de
- https://git.kernel.org/stable/c/539a2b995a4ed93125cb0efae0f793b00ab2158b
