CVE-2023-52440

ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()

If authblob->SessionKey.Length is bigger than session key
size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes.
cifs_arc4_crypt copy to session key array from SessionKey from client.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige el desbordamiento de slub en ksmbd_decode_ntlmssp_auth_blob() Si authblob->SessionKey.Length es mayor que el tamaño de la clave de sesión (CIFS_KEY_SIZE), puede ocurrir un desbordamiento de slub en los códigos de intercambio de claves. cifs_arc4_crypt copia a la matriz de claves de sesión desde SessionKey del cliente.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.
The specific flaw exists within the processing of session keys. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel.

*Credits: Pumpkin (@u1f383)

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-21 CVE Published
2024-02-21 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/bd554ed4fdc3d38404a1c43d428432577573e809	2023-12-23
https://git.kernel.org/stable/c/30fd6521b2fbd9b767e438e31945e5ea3e3a2fba	2023-09-06
https://git.kernel.org/stable/c/7f1d6cb0eb6af3a8088dc24b7ddee9a9711538c4	2023-09-06
https://git.kernel.org/stable/c/ecd7e1c562cb08e41957fcd4b0e404de5ab38e20	2023-09-06
https://git.kernel.org/stable/c/4b081ce0d830b684fdf967abc3696d1261387254	2023-08-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.145 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.145"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.52 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.52"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.4.15 Search vendor "Linux" for product "Linux Kernel" and version " < 6.4.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.5.2 Search vendor "Linux" for product "Linux Kernel" and version " < 6.5.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6"		en		Affected