CVE-2023-5345: Use-After-Free Vulnerability in the Linux Kernel's fs/smb/client Component Could Lead to Privilege Escalation

A high-severity vulnerability (CVE-2023-5345) has been discovered in the Linux kernel's fs/smb/client component. This use-after-free issue can be exploited for local privilege escalation, potentially leading to unauthorized system access and manipulation of sensitive data. The flaw is an error in the smb3_fs_context_parse_param function, where ctx->password was freed without being set to NULL afterward. The stale pointer can then be freed a second time, resulting in a double free and posing a considerable risk to system security.

An excerpt from the affected code, fs/cifs/smb_direct.c:

static int smb3_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param)
{
    ...
    if (strcmp(ctx->password, "ask") == 0) {
        kfree_sensitive(ctx->password);   /* buffer is zeroed and freed ... */
        ctx->password_len = 0;            /* ... but ctx->password still holds the stale pointer */
    }
    ...
}

As the snippet shows, ctx->password is freed with kfree_sensitive(), but the pointer is not set to NULL afterward. ctx->password therefore keeps pointing at freed memory, and whatever code next touches or releases the context operates on a dangling pointer: this is the use-after-free, and when the pointer is freed again it becomes the double free described above.

Mitigation

To resolve this vulnerability, users are strongly advised to upgrade their Linux kernel to a version that contains the patch for this issue. The fix is commit e6e43b8aa7cd3c3af686cafc2e11819a886d705; any kernel that includes this commit or a later one is patched. The commit sets ctx->password to NULL after it is freed, so a later release of the context finds no stale pointer and the double free cannot occur.

Commit e6e43b8aa7cd3c3af686cafc2e11819a886d705
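The following is an added, self-contained C example that is not code from the page or from the Linux kernel. It models the bug class the advisory describes (a sensitive buffer freed on an error path without resetting the pointer, then freed again when the context is torn down) and the one-line fix. The struct, the tracked_* helpers, parse_param, cleanup_context and simulate_mount_failure are all constructed for illustration; the allocator wrapper counts a second free of the same pointer instead of corrupting the heap, which is the condition that kernel slab debugging or KASAN would report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's SMB mount context; only the
 * two fields the advisory talks about (not the kernel's real struct). */
struct smb3_fs_context {
	char *password;
	size_t password_len;
};

/* Instrumented allocator: remembers live allocations so that a second
 * free of the same pointer is counted rather than corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static char *tracked_strdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);

	if (p == NULL)
		abort();
	memcpy(p, s, n);
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == NULL) {
			live[i] = p;
			return p;
		}
	}
	abort();
}

/* Mirrors the contract of kfree_sensitive(): zero the buffer, free it,
 * and treat NULL as a no-op. Only pointer values are compared, so a
 * dangling pointer is never dereferenced here. */
static void tracked_free_sensitive(char *p)
{
	if (p == NULL)
		return;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == p) {
			memset(p, 0, strlen(p));
			free(p);
			live[i] = NULL;
			return;
		}
	}
	/* Not live: the pointer was already freed and reused, i.e. the
	 * use-after-free that turns into a double free. */
	double_frees++;
}

/* Models the option parser: the password is stored, a later option
 * fails, and the error path releases it. with_fix selects whether the
 * pointer is reset to NULL after the free, as the patch does. */
static int parse_param(struct smb3_fs_context *ctx, const char *pw, int with_fix)
{
	ctx->password = tracked_strdup(pw);
	ctx->password_len = strlen(pw);

	/* error path: a later mount option is invalid */
	tracked_free_sensitive(ctx->password);
	if (with_fix) {
		ctx->password = NULL;	/* the one-line fix */
		ctx->password_len = 0;
	}
	return -22;			/* -EINVAL */
}

/* Context teardown, run when the failed mount's context is released:
 * it frees whatever password pointer is still set. */
static void cleanup_context(struct smb3_fs_context *ctx)
{
	tracked_free_sensitive(ctx->password);
	ctx->password = NULL;
	ctx->password_len = 0;
}

/* Runs a failing parse followed by teardown and returns how many double
 * frees the instrumented allocator observed (1 without the fix, 0 with). */
int simulate_mount_failure(int with_fix)
{
	struct smb3_fs_context ctx = { 0 };

	memset(live, 0, sizeof live);
	double_frees = 0;
	(void)parse_param(&ctx, "constructed-password", with_fix);
	cleanup_context(&ctx);
	return double_frees;
}

int main(void)
{
	printf("without fix: %d double free(s)\n", simulate_mount_failure(0));
	printf("with fix:    %d double free(s)\n", simulate_mount_failure(1));
	return 0;
}
```

The design point is the same one the patch makes: an owning pointer that outlives the free must be cleared in the same place the buffer is released, because the error path has no way of knowing which later cleanup will look at the field again. Resetting password_len alone is not enough, since the teardown frees by pointer, not by length.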

Exploit Details

The exploitation of this vulnerability could potentially allow a local attacker to escalate their privileges on the affected system. Gaining elevated privileges may enable the attacker to execute arbitrary code, manipulate sensitive data, and potentially compromise the entire system. It's important to note that this vulnerability can be exploited only by local users, meaning that remote attackers would first need to gain access to the system in some other way before being able to exploit this particular flaw.

Conclusion

In summary, CVE-2023-5345 is a use-after-free vulnerability in the Linux kernel's fs/smb/client component that could lead to local privilege escalation. We strongly recommend upgrading your Linux kernel to a version containing the patch found in commit e6e43b8aa7cd3c3af686cafc2e11819a886d705 or later. By staying up to date with security updates and following proper system administration practices, you can minimize the risk of being impacted by this and other vulnerabilities.

Timeline

Published on: 10/03/2023 03:15:09 UTC
Last modified on: 10/24/2023 17:51:46 UTC