CVE-2024-47678

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.58

Description The issue concerns the order of rate limits for ICMP messages in the Linux kernel. To avoid side-channel attacks, the per destination check needs to be applied first. The patch changes the order of rate limiters, applying the host wide ratelimit and then the per destination ratelimit. This ensures the host wide ratelimit remains effective in keeping the inetpeer tree small, even under DDOS attacks. The icmp global allow() function checks the host wide limit, and credits are consumed by icmp global consume() if prior operations succeed. The per destination limit is checked and updated, potentially adding a new node to the inetpeer tree.

Recommendations For Linux kernel versions prior to 6.6.58, upgrade to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting access to ICMP messages to minimize the risk of exploitation. Avoid using the icmp global allow() function until the issue is resolved. Restrict access to the per destination ratelimit to minimize the risk of side-channel attacks.