Bug 2385852 (CVE-2023-32251)

Summary: CVE-2023-32251 kernel: ksmbd brute force delay bypass via asynchronous requests
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability has been identified in the Linux kernel's ksmbd component (kernel SMB/CIFS server). A security control designed to prevent dictionary attacks, which introduces a 5-second delay during session setup, can be bypassed through the use of asynchronous requests. This bypass negates the intended anti-brute-force protection, potentially allowing attackers to conduct dictionary attacks more efficiently against user credentials or other authentication mechanisms.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-31 20:10:10 UTC 
This vulnerability allows remote attackers to create a brute force condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.

The specific flaw exists within the handling of asynchronous connections. The issue results from the lack of protection of an authentication mechanism. An attacker can leverage this vulnerability to brute force the credentials on the system.