CVE-2024-56372
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's TUN/TAP driver allows local attackers to cause a kernel panic (denial of service) by triggering a malformed skb (socket buffer) during packet processing. This affects systems using TUN/TAP interfaces, particularly virtualization and container environments. The vulnerability requires local access to the system.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially disrupting all services on the affected host.
Likely Case
Local denial of service through kernel crash, requiring system reboot to restore functionality.
If Mitigated
Minimal impact if TUN/TAP interfaces are disabled or unused, or if proper access controls prevent local users from accessing these interfaces.
🎯 Exploit Status
Exploitation requires local access and ability to interact with TUN/TAP interfaces. The syzkaller fuzzer discovered this issue, suggesting it could be triggered with crafted input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 4f393ea1e2f9c3b646d00572dd92c48b1869c65f, efe74dd58a72bd987b158142c904b7ef2ad132e2
Vendor Advisory: https://git.kernel.org/stable/c/429fde2d81bcef0ebab002215358955704586457
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fixes
2. Reboot the system
3. Verify the kernel version with 'uname -r'
🔧 Temporary Workarounds
Disable TUN/TAP module
Prevent loading of the tun kernel module if it is not required
echo 'blacklist tun' > /etc/modprobe.d/blacklist-tun.conf
rmmod tun
Restrict TUN/TAP device access
Limit access to the /dev/net/tun device to trusted users only
chmod 600 /dev/net/tun
chown root:root /dev/net/tun
🧯 If You Can't Patch
- Disable TUN/TAP interfaces if not required for system functionality
- Implement strict access controls to prevent unauthorized users from accessing TUN/TAP devices
🔍 How to Verify
Check if Vulnerable:
Check whether the tun module is loaded with 'lsmod | grep tun', and compare the kernel version against the affected range
Check Version:
uname -r
Verify Fix Applied:
Confirm the running kernel ('uname -r') is from a release that includes the fix commits, using the kernel changelog
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- System crash/reboot events
- Process crashes related to tun or network operations
Network Indicators:
- Sudden loss of network connectivity on affected host
- Service disruptions on systems using TUN/TAP interfaces
SIEM Query:
source="kernel" AND ("kernel panic" OR "Oops" OR "BUG") AND ("tun" OR "skbuff" OR "net/tun")
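Added example, not part of the advisory: the SIEM query above ANDs its terms, but in a real Oops dump the crash keyword ("BUG:", "Oops:") and the module name ("Modules linked in: tun ...") land on different lines, so a per-line evaluation of the query matches nothing. The script below groups consecutive kernel lines into crash events and flags those that mention tun; the sample syslog lines, host name and function names are constructed assumptions.

```python
import re

# Constructed sample syslog lines (not a real crash dump). The first Oops
# block names the tun module, the second does not.
SAMPLE_KLOG = """\
Jan 10 12:00:01 host kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 10 12:00:05 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
Jan 10 12:00:05 host kernel: Oops: 0000 [#1] PREEMPT SMP
Jan 10 12:00:05 host kernel: Modules linked in: tun bridge stp llc
Jan 10 12:00:05 host kernel: Call Trace:
Jan 10 12:00:05 host kernel:  <TASK>
Jan 10 12:00:05 host kernel: ---[ end trace 0000000000000000 ]---
Jan 10 12:01:00 host kernel: usb 1-1: new high-speed USB device number 2
Jan 10 12:03:00 host kernel: BUG: unable to handle page fault for address: ffff888000000000
Jan 10 12:03:00 host kernel: Modules linked in: xfs libcrc32c
Jan 10 12:03:01 host sshd[123]: Accepted publickey for alice
"""

KERNEL_LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) kernel: ?(.*)$")
CRASH_RE = re.compile(r"[Kk]ernel panic|Oops|BUG\b")        # query's crash terms
TUN_RE = re.compile(r"\btun\b|skbuff|net/tun", re.IGNORECASE)  # query's tun terms
END_TRACE_RE = re.compile(r"end trace")                     # closes an Oops dump


def per_line_hits(text):
    """Literal reading of the SIEM query: every clause must match the same line."""
    return sum(1 for line in text.splitlines()
               if KERNEL_LINE.match(line) and CRASH_RE.search(line) and TUN_RE.search(line))


def crash_events(text):
    """Group a crash-keyword line and the kernel lines that follow it into one event.
    An event ends at the '---[ end trace ... ]---' marker or at a non-kernel line."""
    events, current = [], None
    for line in text.splitlines():
        m = KERNEL_LINE.match(line)
        if not m:                       # a non-kernel line ends any open event
            current = None
            continue
        host, msg = m.groups()
        if current is None:
            if not CRASH_RE.search(msg):
                continue                # ordinary kernel message, not a crash
            current = {"host": host, "first_line": msg, "tun_related": False, "lines": 0}
            events.append(current)
        current["lines"] += 1
        if TUN_RE.search(msg):          # any line of the dump naming tun/skbuff
            current["tun_related"] = True
        if END_TRACE_RE.search(msg):
            current = None
    return events
```

Feeding the same lines through both functions shows the per-line query returning zero hits while the event grouping reports one tun-related crash, which is why the alert should be built on a windowed or multi-line correlation.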