CVE-2024-0565 - An Out-of-Bounds Memory Read Flaw in the Linux Kernel SMB Client
A security vulnerability, known as CVE-2024-0565, was recently discovered in the Linux Kernel SMB (Server Message Block) Client. This post will deep-dive into the details of the vulnerability, including sample code snippets, links to original references, and potential exploits. This issue affects the receive_encrypted_standard function in fs/smb/client/smb2ops.c in the SMB client sub-component in the Linux Kernel, leading to an out-of-bounds memory read flaw due to an integer underflow in the memcpy length and causing a denial of service (DoS).
Vulnerability Details
The root cause of the CVE-2024-0565 vulnerability is an integer underflow that occurs in the receive_encrypted_standard function in the fs/smb/client/smb2ops.c file in the Linux Kernel's SMB Client sub-component. The function is responsible for handling encrypted SMB packets.
The following code snippet shows the relevant section of the function where the vulnerability occurs
/* ... */
int smb2_receive_encrypted_standard(struct TCP_Server_Info *server,
struct mid_q_entry **mid)
{
int length;
int full_len;
unsigned char *buf = server->bigbuf;
for (;;) {
length = server->ops->read_recv(server, (unsigned int *)(buf + 4), 4, 1);
if (length != 4) {
cifs_dbg(VFS, "Failed to read length, returned %d\n", length);
return -EIO;
}
/* ... */
full_len = be32_to_cpu(*(__be32 *)(buf + 4));
if (full_len + 4 <= length) {
cifs_dbg(VFS, "Received invalid length x%x\n", full_len);
return -EIO;
}
memcpy(server->rsp_buf,
buf + full_len + 4,
length - (full_len + 4));
/* ... */
}
In this code, the variable length corresponds to the total length of the received SMB packet, and full_len represents the length of metadata in the packet. The integer underflow occurs when full_len is larger than or equal to length. In such a case, the calculation length - (full_len + 4) results in a negative value for the memcpy length parameter.
This could lead to an out-of-bounds memory read as the memcpy function tries to read beyond the bounds of the buffer, causing a DoS condition in the affected system.
For more information on the vulnerability and its severity, you can refer to the following resources
1. Official CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0565
2. Linux Kernel GIT Repository - Original Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6426da3842671d66aa493b862bdbd55754204c
Exploit Details
To exploit the CVE-2024-0565 vulnerability, an attacker can craft a specially designed SMB packet that has a larger metadata length than the actual packet length and send it to a vulnerable SMB server. This would trigger the out-of-bounds memory read, leading to the DoS condition.
However, exploiting this vulnerability requires prior knowledge of the target system's network configuration and the ability to craft malicious SMB packets. Additionally, modern intrusion detection systems (IDS) can identify malicious packets and block them, reducing the impact of such exploits.
Conclusion
CVE-2024-0565 highlights the importance of timely security patching and maintaining up-to-date systems. Linux vendors have already released patches for the vulnerability, and users are strongly encouraged to update their Linux Kernel.
Always monitor security advisories and bug trackers to stay informed about the latest security threats and vulnerabilities. This will allow you to take proactive steps to protect your systems and ensure the confidentiality, integrity, and availability of your data.
Timeline
Published on: 01/15/2024 20:15:43 UTC
Last modified on: 03/19/2024 23:15:08 UTC