CVE-2023-0210: Flaw in Linux Kernel Allows Unauthenticated remote DOS Attacks

A security researcher has discovered that the Linux kernel is affected by a potentially serious vulnerability that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks.

Tracked as CVE-2023-0210, the bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. KSMBD is an open-source In-kernel CIFS/SMB3 server created by Namjae Jeon for Linux Kernel. It’s an implementation of SMB/CIFS protocol in kernel space for sharing files and IPC services over the network.

Exploiting the flaw requires sending malformed packets, respectively, to a targeted server, personal computer, tablet, or smartphone. The attack triggers “a heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16 and CIFS_CRYPTO_KEY_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1].”

The vulnerability exists due to the way versions 5.15-rc1 and later of the Linux kernel handle NTLMv2 authentication. Linux kernel developers haven’t released a patch. CVE-2023-0210 was proven to allow for remote panic in the OS immediately on the Ubuntu 20.04 HWE and 22.04 (both running on 5.15.0-56-generic).

Proof of concept code is currently available online, which somewhat increases the immediate danger to device owners. It’s recommended that users update Linux servers immediately and apply the patches for other distros as soon as they are available.