CVE-2022-36522
Description
The netwatch process suffers from an assertion failure vulnerability: a reachable assertion in the netwatch process can be triggered by a crafted packet, so an authenticated remote user can crash the netwatch process.
Against stable 6.47, the PoC resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: --- signal=6 --------------------------------------------
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x00000246
2020.06.29-14:27:25.52@0: edi=0xffffffff esi=0x776c0200 ebp=0x7feea6a0 esp=0x7feea698
2020.06.29-14:27:25.52@0: eax=0x00000000 ebx=0x000000b8 ecx=0x000000b8 edx=0x00000006
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: maps:
2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp 00000000 00:10 14 /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1
2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp 00000000 00:0c 945 /lib/libuc++.so
2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.29-14:27:25.52@0: 77740000-77747000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698
2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40 6b 77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00
2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa 73 77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: code: 0x776b855b
2020.06.29-14:27:25.52@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8
Affected Version
This vulnerability was initially found in stable 6.46.2; stable 6.48.3 also suffered from it. When tested against the latest stable version, 6.49.6, the vulnerability turned out to be fixed.
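The crash dump quoted above is enough for a first triage without a debugger: signal 6 is SIGABRT on the Linux/uClibc target, and the faulting eip can be resolved against the maps section to see which module aborted. The parser below is an added example, not part of this advisory or of the vendor's tooling. It reads the backtrace.log format exactly as shown on this page (with the dump above embedded as its sample input), resolves eip and every 32-bit word of the dumped stack against the executable mappings, and flags the SIGABRT-with-eip-inside-libc combination that is consistent with abort() called from a failed assert(). The TARGET_SIGNALS table, the function names and the assertion heuristic are assumptions of this example, not something the advisory states.

```python
"""Triage helper for RouterOS-style backtrace.log crash dumps (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Crash dump copied from the advisory above (the "Affected Version" text that
# extraction fused onto the last line is not part of the log).
BACKTRACE_LOG = """\
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: --- signal=6 --------------------------------------------
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x00000246
2020.06.29-14:27:25.52@0: edi=0xffffffff esi=0x776c0200 ebp=0x7feea6a0 esp=0x7feea698
2020.06.29-14:27:25.52@0: eax=0x00000000 ebx=0x000000b8 ecx=0x000000b8 edx=0x00000006
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: maps:
2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp 00000000 00:10 14 /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1
2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp 00000000 00:0c 945 /lib/libuc++.so
2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.29-14:27:25.52@0: 77740000-77747000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698
2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40 6b 77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00
2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa 73 77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff
"""

# Signal numbers of the crashing target (Linux i386 / uClibc), deliberately not
# taken from the host's `signal` module: the dump's numbering is what matters.
TARGET_SIGNALS = {4: "SIGILL", 6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 11: "SIGSEGV"}

_PREFIX = re.compile(r"^\S+@\d+:\s?")                      # "2020.06.29-14:27:25.52@0: "
_MAP = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{8}) (\S{4}) \S+ \S+ \d+ (\S+)$")
_SIGNAL = re.compile(r"^--- signal=(\d+)")
_EIP = re.compile(r"\beip=0x([0-9a-f]+)")
_HEX_BYTES = re.compile(r"^(?:[0-9a-f]{2} ?)+$")


@dataclass
class CrashDump:
    binary: Optional[str] = None
    signal: Optional[int] = None
    eip: Optional[int] = None
    maps: List[Tuple[int, int, str, str]] = field(default_factory=list)  # (start, end, perms, path)
    stack_words: List[int] = field(default_factory=list)


def parse_backtrace(text: str) -> CrashDump:
    """Parse one crash record of the backtrace.log format shown in the advisory."""
    dump = CrashDump()
    section = None
    stack_bytes = bytearray()
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if not line:
            continue
        if line == "maps:":
            section = "maps"
            continue
        if line.startswith("stack:"):
            section = "stack"
            continue
        if line.startswith("code:"):
            section = "code"
            continue
        m = _SIGNAL.match(line)
        if m:
            dump.signal = int(m.group(1))
            continue
        m = _EIP.search(line)
        if m:
            dump.eip = int(m.group(1), 16)
            continue
        if section == "maps":
            m = _MAP.match(line)
            if m:
                dump.maps.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
            continue
        if section == "stack" and _HEX_BYTES.match(line):
            stack_bytes += bytes.fromhex(line.replace(" ", ""))
            continue
        if section is None and dump.binary is None and line.startswith("/"):
            dump.binary = line  # path of the crashed executable precedes the signal line
    # The stack is dumped as raw bytes starting at esp; read them as little-endian dwords.
    for i in range(0, len(stack_bytes) - 3, 4):
        dump.stack_words.append(int.from_bytes(stack_bytes[i:i + 4], "little"))
    return dump


def locate(maps, addr: int) -> Optional[Tuple[str, int]]:
    """Resolve an address to (path, offset from mapping start), executable mappings only."""
    for start, end, perms, path in maps:
        if "x" in perms and start <= addr < end:
            return path, addr - start
    return None


def triage(text: str) -> dict:
    """Summarise a dump: where eip sits, which stack words look like code pointers."""
    dump = parse_backtrace(text)
    fault = locate(dump.maps, dump.eip) if dump.eip is not None else None
    fault_module = fault[0] if fault else None
    pointers = []
    for word in dump.stack_words:
        hit = locate(dump.maps, word)
        if hit:
            pointers.append((word, hit[0], hit[1]))
    return {
        "binary": dump.binary,
        "signal": dump.signal,
        "signal_name": TARGET_SIGNALS.get(dump.signal, f"SIG{dump.signal}"),
        "fault_module": fault_module,
        "fault_offset": fault[1] if fault else None,
        "code_pointers_on_stack": pointers,
        # Heuristic (assumption of this example): SIGABRT raised while eip is inside
        # the C library matches abort() from a failed assert(), not a memory fault in netwatch.
        "likely_assertion_abort": dump.signal == 6 and fault_module is not None
        and "libc" in fault_module.lower(),
    }


if __name__ == "__main__":
    for key, value in triage(BACKTRACE_LOG).items():
        print(f"{key}: {value!r}")
```

On the dump above this resolves eip to libuClibc at offset 0x2e55b and finds exactly one stack word (0x776b4077, also inside libuClibc) that points into executable code, which is the shape one expects from raise()/abort() unwinding rather than from a corrupted return address in netwatch itself. Because the library mappings start at file offset 00000000, those offsets can be looked up directly in the same libuClibc binary from that firmware build; the ranges, not the absolute addresses, are what carry over between reboots.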
Timeline
- 2021/03/01 - reported the vulnerability to the vendor
- 2021/03/18 - vendor reproduced and confirmed the vulnerability
- 2022/08/27 - CVE was assigned