Bug 2157927 (CVE-2023-0122)

Summary: CVE-2023-0122 kernel: NVME driver: null pointer dereference in drivers/nvme/target/auth.c
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, bskeggs, ddepaula, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jfaracco, jferlan, jforbes, jglisse, joe.lawrence, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, rvrbovsk, scweaver, steved, walters
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Linux kernel 6.0-rc4
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference vulnerability was found in nvmet_setup_auth() in the Linux kernel's NVMe functionality. This issue allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine.
Story Points: ---
Last Closed: 2023-01-05 03:01:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2157928
Bug Blocks: 2152852

Description Alex 2023-01-03 15:25:22 UTC
A kernel flaw in the NVMe driver was found. There is a NULL pointer dereference in nvmet_setup_auth(), introduced in commit db1312dd95488b5e6ff362ff66fcf953a46b1821, causing a DoS. A remote user can cause a denial of service with steps like these:

1. After configuring the NVMe system, configure a bad 'dhchap_ctrl_key' on an allowed host (for example, 'DHHC-1:AAAA:').

2. From a remote client, use the nvme-cli utility for easy communication with the remote target and run 'nvme connect' (to the remote target) to cause a remote DoS on the target.

3. To bypass the authentication feature (if you want to exploit the vulnerability from an unauthorized client), you can simply pass the allowed client's NQN to the 'nvme connect' command. To obtain the allowed NQN, simple network sniffing could be done.

To summarize: this is a NULL pointer dereference vulnerability in the nvmet kernel module, in drivers/nvme/target/auth.c.


References:
https://lore.kernel.org/linux-nvme/20220823161255.GA21462@lst.de/T/#t
https://lore.kernel.org/linux-nvme/20220831045908.GC18042@lst.de/T/#u
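The defect class the report describes, a controller-key setup failure that is not propagated so a later code path dereferences a NULL key, modelled as an added example in plain C. This is illustrative code, not the kernel's nvmet code or its fix: the `DHHC-1:<two hex digits>:<key material>:` layout, the `dhchap_key` and `auth_ctx` structures, and the `dhchap_key_parse()`, `setup_auth_buggy()` and `setup_auth_fixed()` names are all assumptions for the demo. The malformed value quoted above, `DHHC-1:AAAA:`, is used as the constructed bad input.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a parsed DH-HMAC-CHAP key; not the kernel's own struct or parser. */
struct dhchap_key {
    unsigned int hmac_id;   /* value of the "DHHC-1:<id>:" field */
    char *secret;           /* key material kept as text for the demo */
};

/* Per-controller authentication state (only the fields the demo needs). */
struct auth_ctx {
    struct dhchap_key *host_key;
    struct dhchap_key *ctrl_key;
};

static void dhchap_key_free(struct dhchap_key *k)
{
    if (k) { free(k->secret); free(k); }
}

/* Parse "DHHC-1:<two hex digits>:<key material>:" (assumed layout). Returns NULL on any
 * format error; the malformed "DHHC-1:AAAA:" from the report fails at the id field. */
static struct dhchap_key *dhchap_key_parse(const char *s)
{
    static const char prefix[] = "DHHC-1:";
    const char *p, *body, *end;
    char idbuf[3];
    unsigned long id;
    struct dhchap_key *k;
    if (!s || strncmp(s, prefix, sizeof(prefix) - 1) != 0)
        return NULL;
    p = s + sizeof(prefix) - 1;
    if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]) || p[2] != ':')
        return NULL;
    idbuf[0] = p[0]; idbuf[1] = p[1]; idbuf[2] = '\0';
    id = strtoul(idbuf, NULL, 16);
    if (id > 3)                         /* the model only knows ids 0..3 */
        return NULL;
    body = p + 3;
    end = strchr(body, ':');
    if (!end || end == body || end[1] != '\0')
        return NULL;
    k = calloc(1, sizeof(*k));
    if (!k)
        return NULL;
    k->hmac_id = (unsigned int)id;
    k->secret = calloc((size_t)(end - body) + 1, 1);
    if (!k->secret) { free(k); return NULL; }
    memcpy(k->secret, body, (size_t)(end - body));
    return k;
}

/* Defective pattern: the ctrl-key failure is logged but not propagated, so setup reports
 * success with ctx->ctrl_key == NULL; later code that trusts a configured ctrl key then
 * dereferences NULL. */
static int setup_auth_buggy(struct auth_ctx *ctx, const char *host_str, const char *ctrl_str)
{
    ctx->host_key = dhchap_key_parse(host_str);
    if (!ctx->host_key)
        return -EINVAL;
    if (ctrl_str) {
        ctx->ctrl_key = dhchap_key_parse(ctrl_str);
        if (!ctx->ctrl_key)
            fprintf(stderr, "failed to parse ctrl key\n");   /* no error return here */
    }
    return 0;
}

/* Hardened form: a bad ctrl key fails setup and releases the host key already allocated. */
static int setup_auth_fixed(struct auth_ctx *ctx, const char *host_str, const char *ctrl_str)
{
    ctx->host_key = dhchap_key_parse(host_str);
    if (!ctx->host_key)
        return -EINVAL;
    if (ctrl_str) {
        ctx->ctrl_key = dhchap_key_parse(ctrl_str);
        if (!ctx->ctrl_key) {
            dhchap_key_free(ctx->host_key);
            ctx->host_key = NULL;
            return -EINVAL;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed host key and the malformed ctrl key from the report. */
    const char *host = "DHHC-1:01:c2VjcmV0:", *bad_ctrl = "DHHC-1:AAAA:";
    struct auth_ctx ctx = {0};
    int rc = setup_auth_buggy(&ctx, host, bad_ctrl);
    printf("buggy: rc=%d ctrl_key=%p (success with a NULL key)\n", rc, (void *)ctx.ctrl_key);
    dhchap_key_free(ctx.host_key);
    memset(&ctx, 0, sizeof(ctx));
    rc = setup_auth_fixed(&ctx, host, bad_ctrl);
    printf("fixed: rc=%d (setup rejected, nothing left allocated)\n", rc);
    return 0;
}
```

The point to take from the two setup functions is the error path, not the parser: once a parse failure is swallowed, every consumer of `ctrl_key` inherits a NULL it has no reason to expect, and the crash surfaces far from the configuration mistake that caused it.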

Comment 1 Alex 2023-01-03 15:26:18 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2157928]

Comment 3 Alex 2023-01-15 11:24:21 UTC
Based on the comment at https://www.openwall.com/lists/oss-security/2023/01/13/1, the CVE is not required for this one, because the flaw existed in development code only ("Versions affected - v6.0-rc1 to v6.0-rc3 (fixed in v6.0-rc4)").

Comment 4 Alex 2023-01-17 10:02:47 UTC
Keeping the CVE. Based on the comment by the reporter:
"I firmly believe we should keep the CVE assigned and further encourage
similar assignments. I’ll try to explain why.
1. As a security researcher whose purpose is not to sell 0-day
vulnerabilities, the only benefit of reporting them, except for fixing
them, is getting CVEs assigned to them. Thus there is no reason for me
to wait and report them when a major kernel version is released.
2. Saying that “… so should not be in any release” isn’t entirely
correct. Although the vulnerability is in release candidate
versions of the Linux kernel, it doesn’t mean that we cannot see
these kernels on production servers, since these kernel versions are
fully tested, work, and are available to the public."