CVE-2023-32250

Description

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

CVSS Metrics

• v3.1•CRITICAL•Score: 9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
• v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.11%• Percentile: 30%

Techniques & Countermeasures

• CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

• linux•linux_kernel

  ≥ 5.15, < 5.15.145 | ≥ 5.16, < 6.1.29 | ≥ 6.2, < 6.2.16 | ≥ 6.3, < 6.3.2

• netapp•h300s_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500s_firmware

  na

• netapp•h700s_firmware

  na

• netapp•hci

  na

• netapp•hci_storage_nodes

  na

References (4)

• https://access.redhat.com/security/cve/CVE-2023-32250
• https://bugzilla.redhat.com/show_bug.cgi?id=2208849
• https://www.zerodayinitiative.com/advisories/ZDI-23-698/
• https://security.netapp.com/advisory/ntap-20230824-0004/