Alta Aware — 934: Linux kernel IPv6 hash collisions possible on the Alta Cloud Connector

Release Date

5th of January 2024.

Overview

A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.

Alta Cloud Connectors had IPv6 enabled. IPv6 has since been disabled at the operating system level.

Affected Products

• Alta Aware:
  • All Stable upgrade channel versions before 6.4.5 .
  • All Beta upgrade channel versions before 6.4.0 .

Unaffected Products

• Alta Aware:

  • All Stable upgrade channel versions after and including 6.4.5 .
  • All Beta upgrade channel versions after and including 6.4.0 .

• Alta cameras: all versions.

• Alta Cloud: all versions.

Resolution

This issue has been fixed in Alta Aware Beta upgrade channel version 6.4.0 and Stable upgrade channel version 6.4.5 .

It is strongly recommended that all installations running an affected version are upgraded to the latest release as soon as possible. Releases are available to download through the Alta Aware User Interface.

Vulnerability Information

• CVE: CVE-2023-1206
• CVSSv3 score: 5.7
• CVSSv3 vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found and reported by Red Hat, Inc.

Disclosure Timeline

• 30/06/2023 Issue found
• 17/10/2023 Root cause established
• 17/10/2023 Fix identified
• 09/11/2023 Patched Alta Aware (Beta upgrade channel) released
• 12/12/2023 Patched Alta Aware (Stable upgrade channel) released
• 05/01/2024 Vulnerability publicly disclosed