PT-2023-31041 · Katran · Katran
Published: 2023-11-28 · Updated: 2023-12-04
CVE-2023-49062
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Katran versions prior to commit 6a03106ac1eab39d0303662963589ecb2374c97f
Description
The issue allows Katran to disclose uninitialized kernel memory as part of an IP header. It occurs in IPv4 encapsulation and in ICMP (v4) Too Big packet generation. After a bpf_xdp_adjust_head call, the Katran code fails to initialize the Identification field of the IPv4 header, so kernel memory content is written into that field of the IP header.
Recommendations
For all versions prior to commit 6a03106ac1eab39d0303662963589ecb2374c97f, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the use of IPv4 encapsulation and ICMP (v4) Too Big packet generation until a patch is available.
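The uninitialized Identification field from the description, modelled in user space as an added example (not Katran's code and not part of the original advisory). A 0xAA fill stands in for stale memory in the new headroom; the struct, function names and field values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* 20-byte IPv4 header without options; a model struct, not Katran's definition. */
struct ipv4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};

#define STALE 0xAA  /* constructed filler standing in for leftover memory */

/* Fill the outer header field by field, as encapsulation code does after
 * growing the packet head. init_id == 0 models the flaw: every field except
 * Identification is assigned, so id keeps whatever the headroom contained. */
static void write_outer_hdr(uint8_t *head, int init_id)
{
    struct ipv4_hdr h;
    memcpy(&h, head, sizeof h);      /* header starts as the stale headroom */
    h.ver_ihl  = 0x45;               /* version 4, IHL 5 */
    h.tos      = 0;
    h.tot_len  = 0;                  /* constructed value, lengths not modelled */
    h.frag_off = 0;
    h.ttl      = 64;
    h.protocol = 4;                  /* IP-in-IP, assumed for the model */
    h.check    = 0;                  /* checksum not modelled */
    h.saddr    = 0;
    h.daddr    = 0;
    if (init_id)
        h.id = 0;                    /* the initialization the flawed path lacks */
    memcpy(head, &h, sizeof h);
}

/* Returns the Identification field as it would appear in the emitted header. */
uint16_t emitted_id(int init_id)
{
    uint8_t pkt[64];
    struct ipv4_hdr out;
    memset(pkt, STALE, sizeof pkt);  /* newly exposed headroom is not zeroed */
    write_outer_hdr(pkt, init_id);
    memcpy(&out, pkt, sizeof out);
    return out.id;
}

int main(void)
{
    return (emitted_id(0) == 0xAAAA && emitted_id(1) == 0) ? 0 : 1;
}
```

Without the explicit assignment, the two stale bytes reach the emitted header unchanged; with it, the field is a fixed zero regardless of what the headroom held.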
Fix
Improper Initialization
Weakness Enumeration
Related Identifiers
Affected Products
Katran