CVE-2023-32257

Description

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

CVSS Metrics

• v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.12%• Percentile: 31%

Techniques & Countermeasures

• CWE-667•Improper Locking

  The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

• CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

• linux•linux_kernel

  ≥ 5.15, < 5.15.145 | ≥ 5.16, < 6.1.29 | ≥ 6.2, < 6.2.16 | ≥ 6.3, < 6.3.2

• netapp•h300s_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500s_firmware

  na

• netapp•h700s_firmware

  na

• netapp•solidfire_\&_hci_storage_node

  na

References (4)

• https://access.redhat.com/security/cve/CVE-2023-32257
• https://bugzilla.redhat.com/show_bug.cgi?id=2219806
• https://security.netapp.com/advisory/ntap-20230915-0011/
• https://www.zerodayinitiative.com/advisories/ZDI-CAN-20596/