CVE-2024-26980: Linux Kernel Vulnerability in ksmbd - Slab-Out-of-Bounds Resolved

A critical vulnerability (CVE-2024-26980) was recently patched in the Linux kernel, specifically in the ksmbd (Kernel SMB3 server) component. The issue revolved around a slab-out-of-bounds vulnerability in the smb2_allocate_rsp_buf() function. Exploiting this vulnerability could lead to serious security implications, such as unauthorized access, data leaks, or even remote code execution.

In this article, we will explore the details of the vulnerability, its associated exploit, the recent patch that has been issued, and the recommendations for users and administrators to address this issue.

Background

KSMBD is a Linux kernel module that provides SMB (Server Message Block) server functionality. SMB is a network protocol for file sharing and access to remote printers, among other resources, and it is widely used in Windows network environments.

Vulnerability Details

The vulnerability was discovered and reported in the Linux kernel's KSMBD component, specifically in the function smb2_allocate_rsp_buf().

When the ->ProtocolId is set to SMB2_TRANSFORM_PROTO_NUM, the smb2 request size validation would be improperly skipped. This could lead to a situation where a request size smaller than the required sizeof(struct smb2_query_info_req) creates a slab-out-of-bounds read risk, potentially resulting in severe security consequences.

The root cause is one of ordering: the response buffer was allocated before the transform request had been decrypted. smb3_decrypt_req() validates the transform request size, so allocating the response buffer only after decryption avoids the slab-out-of-bounds read in smb2_allocate_rsp_buf().

The following patch was released to address this vulnerability:

ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf

If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size
validation could be skipped. If request size is smaller than
sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in
smb2_allocate_rsp_buf(). This patch allocates response buffer after
decrypting transform request. smb3_decrypt_req() will validate transform
request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().

In effect, the patch guarantees that the request size has been validated before smb2_allocate_rsp_buf() reads the request. After the patch, smb2 request size validation is no longer bypassed when ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM.

Moreover, the response buffer allocation was moved to after the transform request decryption, and the smb3_decrypt_req() function will be responsible for ensuring the request size is at an acceptable length, thus preventing the slab-out-of-bounds issue from occurring.
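The ordering change described above, as an added user-space model that is not the kernel's code or the patch itself. The MODEL_* lengths, offsets, buffer sizes and both function names are assumptions made for illustration, and "decryption" is modelled as stripping the transform header only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Wire magics: plain SMB2 message vs. encrypted (transform) message. */
#define SMB2_PROTO_NUMBER        0x424d53feu
#define SMB2_TRANSFORM_PROTO_NUM 0x424d53fdu
/* Model values below are assumptions, not the kernel's definitions. */
#define MODEL_TRANSFORM_HDR_LEN 52u  /* header in front of the ciphertext */
#define MODEL_QUERY_REQ_LEN     12u  /* fixed part of the modelled request */
#define MODEL_INFO_TYPE_OFF      6u  /* byte that selects the buffer size */
#define MODEL_BIG_TYPE           3u  /* value that asks for the large buffer */
enum { SMALL_RSP = 448, LARGE_RSP = 65536 };  /* model response sizes */

static uint32_t rd32le(const uint8_t *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pre-fix ordering: the size check is skipped for transform messages, so the
 * field parse can run past the data. Returns bytes read past the buffer. */
size_t prefix_overread(const uint8_t *buf, size_t len)
{
    int xfrm = len >= 4 && rd32le(buf) == SMB2_TRANSFORM_PROTO_NUM;
    if (!xfrm || len >= MODEL_QUERY_REQ_LEN)
        return 0;                 /* size-checked, or long enough anyway */
    return MODEL_QUERY_REQ_LEN - len;
}

/* Patched ordering: unwrap first, validate the inner length, then pick the
 * response size. Returns the size, or 0 when the request is rejected. */
size_t fixed_rsp_size(const uint8_t *buf, size_t len)
{
    if (len >= 4 && rd32le(buf) == SMB2_TRANSFORM_PROTO_NUM) {
        if (len < MODEL_TRANSFORM_HDR_LEN + MODEL_QUERY_REQ_LEN)
            return 0;             /* too short to hold a wrapped request */
        buf += MODEL_TRANSFORM_HDR_LEN;
        len -= MODEL_TRANSFORM_HDR_LEN;
    }
    if (len < MODEL_QUERY_REQ_LEN || rd32le(buf) != SMB2_PROTO_NUMBER)
        return 0;                 /* the size check is never skipped */
    return buf[MODEL_INFO_TYPE_OFF] == MODEL_BIG_TYPE ? LARGE_RSP : SMALL_RSP;
}

int main(void)
{
    const uint8_t short_xfrm[8] = {0xfd, 0x53, 0x4d, 0x42}; /* constructed */
    printf("%zu %zu\n", prefix_overread(short_xfrm, 8), fixed_rsp_size(short_xfrm, 8));
    return 0;
}
```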

Recommendations

For users and administrators who might be affected by this vulnerability, we highly recommend updating your Linux kernel to the latest version, which includes the aforementioned patch, addressing the CVE-2024-26980 vulnerability. In addition, ensure that your system is up-to-date with all the latest security patches and that you continuously monitor for new security advisories.

Conclusion

The CVE-2024-26980 vulnerability posed a significant security threat, but thanks to the diligent efforts of the Linux kernel development team and the patch they released, the issue can now be mitigated. To protect against this vulnerability and others like it, always keep your system updated and stay informed about the latest advisories and recommendations.

Timeline

Published on: 05/01/2024 06:15:15 UTC
Last modified on: 11/06/2024 16:35:13 UTC