Bug 2163499 (CVE-2023-0210) - CVE-2023-0210 Kernel: Heap overflow in ksmbd_decode_ntlmssp_auth_blob cause remote DOS
Summary: CVE-2023-0210 Kernel: Heap overflow in ksmbd_decode_ntlmssp_auth_blob cause r...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-0210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2159928
TreeView+ depends on / blocked
 
Reported: 2023-01-23 17:36 UTC by Rohit Keshri
Modified: 2023-05-31 15:59 UTC (History)
37 users (show)

Fixed In Version: Kernel 6.2 RC4
Clone Of:
Environment:
Last Closed: 2023-01-25 17:22:16 UTC
Embargoed:

Attachments (Terms of Use)

Description Rohit Keshri 2023-01-23 17:36:53 UTC 
A heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16 and CIFS_CRYPTO_KEY_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1].”

Reference:
https://securityonline.info/cve-2023-0210-flaw-in-linux-kernel-allows-unauthenticated-remote-dos-attacks/
https://www.spinics.net/lists/stable-commits/msg282893.html
Comment 2 Rohit Keshri 2023-01-23 17:49:45 UTC 
There was no shipped kernel version were seen affected with this problem. These files are not built in our source code.
Comment 4 Product Security DevOps Team 2023-01-25 17:22:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0210
Note You need to log in before you can comment on or make changes to this bug.