CVE-2023-0210: Flaw in Linux Kernel Allows Unauthenticated Remote DoS Attacks

A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.

A security researcher has discovered that the Linux kernel is affected by a potentially serious vulnerability that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks.

Tracked as CVE-2023-0210, the bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately on Linux-based systems. KSMBD is an open-source in-kernel CIFS/SMB3 server created by Namjae Jeon for the Linux kernel. It is an implementation of the SMB/CIFS protocol in kernel space for sharing files and IPC services over the network.

Exploiting the flaw requires sending malformed packets to a targeted server, personal computer, tablet, or smartphone. The attack triggers “a heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16 and CIFS_CRYPTO_KEY_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1].”
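The length arithmetic in the quoted analysis, as an added user-space example (not kernel source and not the researcher's code): it shows how an `nt_len` below `CIFS_ENCPWD_SIZE` yields a negative `blen`, a tiny allocation and an enormous copy length, next to a validation that rejects such a response up front. The function names, the `blob_len` parameter and the sample values are assumptions made for illustration.

```c
/* User-space model of the length handling described above.
 * Added example; function names and blob_len are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIFS_ENCPWD_SIZE     16  /* values quoted in the article */
#define CIFS_CRYPTO_KEY_SIZE 8

/* blen as the analysis describes it: client-supplied nt_len minus 16. */
static int blen_unchecked(uint16_t nt_len)
{
    return (int)nt_len - CIFS_ENCPWD_SIZE;
}

/* Size requested from the allocator: blen + CIFS_CRYPTO_KEY_SIZE. */
static size_t alloc_size(int blen)
{
    return (size_t)(blen + CIFS_CRYPTO_KEY_SIZE);
}

/* Length memcpy receives: a negative int converted to size_t becomes huge. */
static size_t copy_len(int blen)
{
    return (size_t)blen;
}

/* Hardened form: validate the lengths before the subtraction is used.
 * Returns 0 and stores blen on success, -1 on a malformed length. */
static int checked_blen(size_t blob_len, uint32_t nt_off, uint16_t nt_len, int *blen)
{
    if (nt_len < CIFS_ENCPWD_SIZE)
        return -1;                       /* would make blen negative */
    if ((uint64_t)nt_off + nt_len > blob_len)
        return -1;                       /* response lies outside the blob */
    *blen = (int)nt_len - CIFS_ENCPWD_SIZE;
    return 0;
}

int main(void)
{
    uint16_t nt_len = 10;                /* constructed sample, below 16 */
    int blen = blen_unchecked(nt_len);
    printf("blen=%d alloc=%zu copy=%zu\n", blen, alloc_size(blen), copy_len(blen));
    printf("checked: %d\n", checked_blen(256, 64, nt_len, &blen));
    return 0;
}
```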

The vulnerability exists due to the way versions 5.15-rc1 and later of the Linux kernel handle NTLMv2 authentication. Linux kernel developers haven’t released a patch. CVE-2023-0210 was proven to allow an immediate remote panic of the OS on Ubuntu 20.04 HWE and 22.04 (both running 5.15.0-56-generic).

Proof-of-concept code is currently available online, which somewhat increases the immediate danger to device owners. It’s recommended that users update Linux servers immediately and apply the patches for other distros as soon as they are available.
