
CVE-2024-38558: Vulnerability in the Linux kernel (Vendor: Linux, Product: Linux)

Severity: High
Tags: Vulnerability, CVE-2024-38558
Published: Wed Jun 19 2024 (06/19/2024, 13:35:28 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix overwriting ct original tuple for ICMPv6

OVS_PACKET_CMD_EXECUTE has 3 main attributes:

- OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.
- OVS_PACKET_ATTR_PACKET - Binary packet content.
- OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.

OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure with the metadata like conntrack state, input port, recirculation id, etc. Then the packet itself gets parsed to populate the rest of the keys from the packet headers.

Whenever the packet parsing code starts parsing the ICMPv6 header, it first zeroes out fields in the key corresponding to Neighbor Discovery information even if it is not an ND packet. It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares the space between 'nd' and 'ct_orig' that holds the original tuple conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. ND packets should not normally have conntrack state, so it's fine to share the space, but normal ICMPv6 Echo packets or maybe other types of ICMPv6 can have the state attached and it should not be overwritten.

The issue results in all but the last 4 bytes of the destination address being wiped from the original conntrack tuple leading to incorrect packet matching and potentially executing wrong actions in case this packet recirculates within the datapath or goes back to userspace.

ND fields should not be accessed in non-ND packets, so not clearing them should be fine. Executing memset() only for actual ND packets to avoid the issue. Initializing the whole thing before parsing is needed because ND packet may not contain all the options.

The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't affect packets entering OVS datapath from network interfaces, because in this case CT metadata is populated from skb after the packet is already parsed.

AI-Powered Analysis

AI analysis last updated: 06/29/2025, 11:12:10 UTC

Technical Analysis

CVE-2024-38558 is a vulnerability in the Linux kernel's Open vSwitch (OVS) implementation, specifically in the packet execution path (OVS_PACKET_CMD_EXECUTE). Open vSwitch is a multilayer virtual switch commonly used in virtualized environments and cloud infrastructure for network automation and management. The vulnerability arises from improper handling of ICMPv6 packet parsing in the OVS code. When parsing an ICMPv6 header, the code zeroes out the Neighbor Discovery (ND) fields of the flow key for every ICMPv6 packet; those fields live in a union that overlaps the original connection tracking (conntrack) tuple metadata already populated from OVS_PACKET_ATTR_KEY. ND packets typically carry no conntrack state, but other ICMPv6 packets such as Echo requests can, and for those the memset wipes all but the last 4 bytes of the destination address in the original conntrack tuple. This leads to erroneous packet matching and potentially incorrect execution of actions when packets recirculate within the datapath or are sent back to userspace. The vulnerability is limited to the OVS_PACKET_CMD_EXECUTE path; packets entering the OVS datapath from network interfaces are unaffected because their conntrack metadata is populated from the skb after the packet has been parsed. The root cause is the indiscriminate clearing of ND fields for all ICMPv6 packets rather than only for actual ND packets, and the fix zeroes (and parses) those fields only for true ND packets, preserving conntrack metadata for other ICMPv6 types. The result can be network misbehavior, incorrect firewall or routing decisions, and potential security policy bypasses in environments relying on OVS for packet processing. No known exploits are reported in the wild as of now, and no CVSS score has been assigned.
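The union overlap described above, modelled as an added C example. This is not the kernel's code: the struct is a simplified stand-in whose field sizes are an assumption chosen so that the 28-byte 'nd' member covers ct_orig.src and all but the last 4 bytes of ct_orig.dst, matching the effect the advisory reports. The ICMPv6 type numbers are the RFC 4443/4861 values; the conntrack bytes are a constructed pattern. The two parse functions place the pre-fix unconditional memset beside the fixed version that clears the ND fields only for Neighbor Solicitation/Advertisement packets:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMPv6 type values (RFC 4443 / RFC 4861). */
#define ICMPV6_ECHO_REQUEST 128
#define ICMPV6_ND_SOLICIT   135
#define ICMPV6_ND_ADVERT    136

#define IN6_LEN 16
#define ETH_LEN 6

/*
 * Simplified model of the 'ipv6' union inside sw_flow_key that the advisory
 * describes. NOT the kernel's real layout (assumption): sizes are chosen so
 * the 28-byte 'nd' member overlaps ct_orig.src entirely and all but the
 * last 4 bytes of ct_orig.dst, the effect the advisory reports.
 */
struct model_ipv6_key {
    union {
        struct {
            uint8_t target[IN6_LEN];   /* ND target address            */
            uint8_t sll[ETH_LEN];      /* source link-layer option      */
            uint8_t tll[ETH_LEN];      /* target link-layer option      */
        } nd;                          /* 28 bytes                      */
        struct {
            uint8_t  src[IN6_LEN];     /* original conntrack tuple src  */
            uint8_t  dst[IN6_LEN];     /* original conntrack tuple dst  */
            uint16_t src_port;
            uint16_t dst_port;
        } ct_orig;                     /* 36 bytes                      */
    };
};

static bool is_nd_packet(uint8_t icmp_type)
{
    return icmp_type == ICMPV6_ND_SOLICIT || icmp_type == ICMPV6_ND_ADVERT;
}

/* Pre-fix behaviour: ND fields are zeroed for every ICMPv6 packet, which
 * clobbers whatever ct_orig metadata already sits in the shared union. */
void parse_icmpv6_before_fix(struct model_ipv6_key *key, uint8_t icmp_type)
{
    memset(&key->nd, 0, sizeof(key->nd));
    if (is_nd_packet(icmp_type)) {
        /* ND option parsing would fill target/sll/tll here. */
    }
}

/* Post-fix behaviour: zero (and then parse) the ND fields only for real ND
 * packets; Echo and other ICMPv6 types leave ct_orig untouched. */
void parse_icmpv6_after_fix(struct model_ipv6_key *key, uint8_t icmp_type)
{
    if (!is_nd_packet(icmp_type))
        return;
    memset(&key->nd, 0, sizeof(key->nd));
    /* ND option parsing would fill target/sll/tll here. */
}

/* Seed ct_orig with a constructed, recognisable pattern, standing in for the
 * metadata populated from OVS_PACKET_ATTR_KEY before the packet is parsed. */
static void seed_ct_orig(struct model_ipv6_key *key)
{
    memset(key, 0, sizeof(*key));
    memset(key->ct_orig.src, 0xAA, IN6_LEN);
    memset(key->ct_orig.dst, 0xBB, IN6_LEN);
    key->ct_orig.src_port = 0x1234;
    key->ct_orig.dst_port = 0x5678;
}

static int count_zero_bytes(const uint8_t *p, int len)
{
    int n = 0;
    for (int i = 0; i < len; i++)
        if (p[i] == 0)
            n++;
    return n;
}

static void run_parser(struct model_ipv6_key *key, uint8_t icmp_type, bool fixed)
{
    seed_ct_orig(key);
    if (fixed)
        parse_icmpv6_after_fix(key, icmp_type);
    else
        parse_icmpv6_before_fix(key, icmp_type);
}

/* Bytes of ct_orig.dst wiped to zero after parsing one packet type. */
int wiped_dst_bytes(uint8_t icmp_type, bool fixed)
{
    struct model_ipv6_key key;
    run_parser(&key, icmp_type, fixed);
    return count_zero_bytes(key.ct_orig.dst, IN6_LEN);
}

/* Bytes of ct_orig.src wiped to zero after parsing one packet type. */
int wiped_src_bytes(uint8_t icmp_type, bool fixed)
{
    struct model_ipv6_key key;
    run_parser(&key, icmp_type, fixed);
    return count_zero_bytes(key.ct_orig.src, IN6_LEN);
}

int main(void)
{
    printf("Echo Request, before fix: src %d/16, dst %d/16 bytes wiped\n",
           wiped_src_bytes(ICMPV6_ECHO_REQUEST, false),
           wiped_dst_bytes(ICMPV6_ECHO_REQUEST, false));
    printf("Echo Request, after fix:  src %d/16, dst %d/16 bytes wiped\n",
           wiped_src_bytes(ICMPV6_ECHO_REQUEST, true),
           wiped_dst_bytes(ICMPV6_ECHO_REQUEST, true));
    printf("Neighbor Solicit, after fix: dst %d/16 bytes cleared (ND carries no ct state)\n",
           wiped_dst_bytes(ICMPV6_ND_SOLICIT, true));
    return 0;
}
```

Compiled with any C11 compiler, the Echo Request case wipes the whole source address and 12 of the 16 destination bytes before the fix and nothing after it, while an actual ND packet still has its fields cleared before option parsing, as the commit message requires.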

Potential Impact

For European organizations, especially those operating large-scale virtualized environments, cloud platforms, or software-defined networking (SDN) infrastructures that utilize Open vSwitch on Linux, this vulnerability poses a risk of network traffic misclassification. Incorrect conntrack metadata can lead to improper packet handling, potentially allowing unauthorized traffic flows or disrupting legitimate communications. This could impact confidentiality by allowing unintended data flows, integrity by misrouting or modifying packets, and availability by causing network disruptions or degraded performance. Organizations relying on OVS for critical network segmentation, firewalling, or load balancing may experience policy enforcement failures, increasing their exposure to lateral movement or data exfiltration attempts. Given the widespread use of Linux and OVS in European data centers, cloud providers, and telecom infrastructure, the vulnerability could affect a broad range of sectors including finance, government, healthcare, and telecommunications. However, exploitation requires crafted ICMPv6 traffic and conditions where packets are processed via the OVS_PACKET_CMD_EXECUTE path, which may limit the attack surface somewhat. Nonetheless, the potential for subtle network behavior anomalies and security policy bypasses warrants prompt attention.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels and Open vSwitch implementations to versions that include the patch for CVE-2024-38558. Since the vulnerability is specific to the OVS_PACKET_CMD_EXECUTE path, organizations should audit their OVS configurations and usage patterns to identify if this code path is actively used. Network administrators should monitor ICMPv6 traffic patterns for anomalies and consider implementing strict filtering or rate limiting of ICMPv6 packets, especially those not related to Neighbor Discovery, to reduce exposure. Additionally, organizations should review their conntrack and firewall rules to ensure they do not rely solely on metadata that could be corrupted by this vulnerability. Employing network segmentation and zero-trust principles can limit the impact of potential misrouted packets. For environments where immediate patching is not feasible, temporarily disabling or restricting features that invoke the OVS_PACKET_CMD_EXECUTE path could be considered, although this may impact network functionality. Finally, maintaining robust network monitoring and anomaly detection capabilities will help identify any exploitation attempts or unexpected network behavior stemming from this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-06-18T19:36:34.921Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2976

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 11:12:10 AM

Last updated: 8/4/2025, 6:35:04 AM

Views: 13
