CVE-2022-0669

A flaw was found in dpdk. This flaw allows a malicious vhost-user master to attach an unexpected number of fds as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages that are not closed by the vhost-user slave. By sending such messages continuously, the vhost-user master exhausts available fd in the vhost-user slave process, leading to a denial of service.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Potential Mitigations

• Mitigation of resource exhaustion attacks requires that the target system either:

• The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

• The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/147.html
• https://cwe.mitre.org/data/definitions/227.html
• https://cwe.mitre.org/data/definitions/492.html

References

• https://access.redhat.com/security/cve/CVE-2022-0669
• https://bugs.dpdk.org/show_bug.cgi?id=922
• https://bugzilla.redhat.com/show_bug.cgi?id=2055793
• https://github.com/DPDK/dpdk/commit/af74f7db384ed149fe42b21dbd7975f8a54ef227
• https://security-tracker.debian.org/tracker/CVE-2022-0669
• https://access.redhat.com/security/cve/CVE-2022-0669
• https://bugs.dpdk.org/show_bug.cgi?id=922
• https://bugzilla.redhat.com/show_bug.cgi?id=2055793
• https://github.com/DPDK/dpdk/commit/af74f7db384ed149fe42b21dbd7975f8a54ef227
• https://security-tracker.debian.org/tracker/CVE-2022-0669