Bug 2157927 (CVE-2023-0122) - CVE-2023-0122 kernel: NVME driver: null pointer dereference in drivers/nvme/target/auth.c
Summary: CVE-2023-0122 kernel: NVME driver: null pointer dereference in drivers/nvme/t...
Alias: CVE-2023-0122
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2157928
Blocks: 2152852
Reported: 2023-01-03 15:25 UTC by Alex
Modified: 2023-01-17 17:28 UTC (History)

Fixed In Version: Linux kernel 6.0-rc4
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference vulnerability was found in nvmet_setup_auth() in the Linux kernel's NVMe functionality. This issue allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine.
Clone Of:
Last Closed: 2023-01-05 03:01:16 UTC


Description Alex 2023-01-03 15:25:22 UTC
A kernel flaw in NVME was found. There is a NULL pointer dereference in nvmet_setup_auth() introduced in commit db1312dd95488b5e6ff362ff66fcf953a46b1821, causing a DoS. A remote user can cause a denial of service with steps like these:

1. After configuring the NVME system, configure a bad 'dhchap_ctrl_key' on an allowed host (for example, 'DHHC-1:AAAA:').

2. From a remote client, use the nvme-cli util for easy communication to the remote target and run 'nvme connect' (to the remote target) to cause a Remote DoS on the target.

3. To bypass the Authentication feature (if you want to exploit the vulnerability from an unauthorized client), you can simply pass the allowed client's NQN to the 'nvme connect' command. To obtain the allowed NQN, simple network sniffing could be done.

To summarize - a NULL Pointer Dereference vulnerability in the nvmet kernel module, in drivers/nvme/target/auth.c.


Comment 1 Alex 2023-01-03 15:26:18 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2157928]

Comment 3 Alex 2023-01-15 11:24:21 UTC
Based on comment, the CVE is not required for this one, because it existed in development code only ("Versions affected - v6.0-rc1 to v6.0-rc3 (fixed in v6.0-rc4)").

Comment 4 Alex 2023-01-17 10:02:47 UTC
Keeping CVE. Based on comment by reporter:
"I firmly believe we should keep the CVE assigned and further encourage similar assignments. I'll try to explain why.
1. As a security researcher whose purpose is not to sell 0-day vulnerabilities, the only benefit of reporting them, except for fixing them, is getting CVEs assigned to them. Thus there is no reason for me to wait and report them when a major kernel version is released.
2. Saying that "... so should not be in any release" isn't entirely correct. Although the vulnerability is in release candidate versions of the Linux kernel, it doesn't mean that we cannot see these kernels in production servers, since these kernel versions are fully tested, work, and are available to the public."
