2157927 – (CVE-2023-0122) CVE-2023-0122 kernel: NVME driver: null pointer dereference in drivers/nvme/target/auth.c

Bug 2157927 (CVE-2023-0122) - CVE-2023-0122 kernel: NVME driver: null pointer dereference in drivers/nvme/target/auth.c

Summary: CVE-2023-0122 kernel: NVME driver: null pointer dereference in drivers/nvme/t...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2023-0122
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2157928
Blocks:	2152852
TreeView+	depends on / blocked

Reported:	2023-01-03 15:25 UTC by Alex
Modified:	2023-01-17 17:28 UTC (History)
CC List:	38 users (show)
Fixed In Version:	Linux kernel 6.0-rc4
Doc Type:	If docs needed, set a value
Doc Text:	A NULL pointer dereference vulnerability was found in nvmet_setup_auth() in the Linux kernel's NVMe functionality. This issue allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine.
Clone Of:
Environment:
Last Closed:	2023-01-05 03:01:16 UTC
Embargoed:

Attachments	(Terms of Use)

Description Alex 2023-01-03 15:25:22 UTC

The Kernel flaw in the NVME found. There is a NULL pointer dereference in nvmet_setup_auth() introduced in commit db1312dd95488b5e6ff362ff66fcf953a46b1821 causing a DoS. A remote user can cause deny of service with the steps like these:


1. After configuring the NVME system, configure a bad 'dhchap_ctrl_key' on an allowed host (for example, 'DHHC-1:AAAA:').

2. From a remote client, use the nvme-cli util for easy communication to the remote target and run 'nvme connect' (to the remote target) to cause a Remote DoS on the target.

3. To bypass the Authentication feature (if you want to exploit the vulnerability from an unauthorized client), you can simply pass to the 'nvme connect' command the allowed client's NQN. To obtain the allowed NQN, a simple network sniffing could be done.


To summarize - a NULL Pointer Dereference vulnerability in the nvmet kernel module, in drivers/nvme/target/auth.c.


References:
https://lore.kernel.org/linux-nvme/20220823161255.GA21462@lst.de/T/#t
https://lore.kernel.org/linux-nvme/20220831045908.GC18042@lst.de/T/#u

Comment 1 Alex 2023-01-03 15:26:18 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2157928]

Comment 3 Alex 2023-01-15 11:24:21 UTC

Based on comment
https://www.openwall.com/lists/oss-security/2023/01/13/1
, the CVE not required for this one, because existed in development code only ("Versions affected - v6.0-rc1 to v6.0-rc3 (fixed in v6.0-rc4)").

Comment 4 Alex 2023-01-17 10:02:47 UTC

Keeping CVE. Based on comment by reporter:
"I firmly believe we should keep the CVE assigned and further encourage
similar assignments. I’ll try to explain why.
1. As a security researcher whose purpose is not to sell 0-day
vulnerabilities, the only benefit of reporting them, except for fixing
them, is getting CVEs assigned to them. Thus there is no reason for me
to wait and report them when a major kernel version is released.
2. Saying that “… so should not be in any release” isn’t entirely
correct. Although the vulnerability is in a release candidates
versions of the Linux kernel, it doesn’t mean that we can not see
these kernels in production servers since these kernel versions are
fully tested, work, and are available for the public."

Note You need to log in before you can comment on or make changes to this bug.

acaringi
adscvr
airlied
alciregi
bhu
bskeggs
ddepaula
dhoward
dvlasenk
fhrbata
hdegoede
hkrzesin
hpa
jarod
jarodwilson
jfaracco
jferlan
jforbes
jglisse
joe.lawrence
josef
jshortt
jstancek
jwboyer
kcarcia
kernel-maint
kernel-mgr
lgoncalv
linville
lzampier
masami256
mchehab
nmurray
ptalbert
rvrbovsk
scweaver
steved
walters