CVE-2023-52480 - Vulnerability Details - OpenCVE

ReportizFlow

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix race condition between session lookup and expire Thread A + Thread B ksmbd_session_lookup | smb2_sess_setup sess = xa_load | | | xa_erase(&conn->sessions, sess->id); | | ksmbd_session_destroy(sess) --> kfree(sess) | // UAF! | sess->last_active = jiffies | + This patch add rwsem to fix race condition between ksmbd_session_lookup and ksmbd_expire_session.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/18ced78b0ebccc2d16f426143dc56ab3aad666be
https://git.kernel.org/stable/c/53ff5cf89142b978b1a5ca8dc4d4425e6a09745f
https://git.kernel.org/stable/c/a2ca5fd3dbcc665e1169044fa0c9e3eba779202b
https://git.kernel.org/stable/c/c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f
https://lore.kernel.org/linux-cve-announce/2024022922-CVE-2023-52480-ff7f@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2023-52480
https://www.cve.org/CVERecord?id=CVE-2023-52480

History

Mon, 04 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 12 Sep 2024 08:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-02-29T05:43:12.019Z

Updated: 2024-12-19T08:20:37.159Z

Reserved: 2024-02-20T12:30:33.300Z

Link: CVE-2023-52480

Vulnrichment

Updated: 2024-08-02T23:03:19.830Z

NVD

Status : Awaiting Analysis

Published: 2024-02-29T06:15:46.017

Modified: 2024-11-21T08:39:52.090

Link: CVE-2023-52480

Redhat

Severity : Moderate

Publid Date: 2024-02-29T00:00:00Z

Links: CVE-2023-52480 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52480", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.300Z", "datePublished": "2024-02-29T05:43:12.019Z", "dateUpdated": "2024-12-19T08:20:37.159Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:20:37.159Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix race condition between session lookup and expire\n\n Thread A + Thread B\n ksmbd_session_lookup | smb2_sess_setup\n sess = xa_load |\n |\n | xa_erase(&conn->sessions, sess->id);\n |\n | ksmbd_session_destroy(sess) --> kfree(sess)\n |\n // UAF! |\n sess->last_active = jiffies |\n +\n\nThis patch add rwsem to fix race condition between ksmbd_session_lookup\nand ksmbd_expire_session."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/connection.c", "fs/smb/server/connection.h", "fs/smb/server/mgmt/user_session.c"], "versions": [{"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "a2ca5fd3dbcc665e1169044fa0c9e3eba779202b", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "18ced78b0ebccc2d16f426143dc56ab3aad666be", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "53ff5cf89142b978b1a5ca8dc4d4425e6a09745f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/connection.c", "fs/smb/server/connection.h", "fs/smb/server/mgmt/user_session.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.145", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.57", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.7", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f"}, {"url": "https://git.kernel.org/stable/c/a2ca5fd3dbcc665e1169044fa0c9e3eba779202b"}, {"url": "https://git.kernel.org/stable/c/18ced78b0ebccc2d16f426143dc56ab3aad666be"}, {"url": "https://git.kernel.org/stable/c/53ff5cf89142b978b1a5ca8dc4d4425e6a09745f"}], "title": "ksmbd: fix race condition between session lookup and expire", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:19.830Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a2ca5fd3dbcc665e1169044fa0c9e3eba779202b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/18ced78b0ebccc2d16f426143dc56ab3aad666be", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/53ff5cf89142b978b1a5ca8dc4d4425e6a09745f", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52480", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:57:23.856280Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:52.199Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a2ca5fd3dbcc665e1169044fa0c9e3eba779202b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/18ced78b0ebccc2d16f426143dc56ab3aad666be", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/53ff5cf89142b978b1a5ca8dc4d4425e6a09745f", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:19.830Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52480", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:57:23.856280Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:19.316Z"}}], "cna": {"title": "ksmbd: fix race condition between session lookup and expire", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "0626e6641f6b", "lessThan": "c77fd3e25a51", "versionType": "git"}, {"status": "affected", "version": "0626e6641f6b", "lessThan": "a2ca5fd3dbcc", "versionType": "git"}, {"status": "affected", "version": "0626e6641f6b", "lessThan": "18ced78b0ebc", "versionType": "git"}, {"status": "affected", "version": "0626e6641f6b", "lessThan": "53ff5cf89142", "versionType": "git"}], "programFiles": ["fs/smb/server/connection.c", "fs/smb/server/connection.h", "fs/smb/server/mgmt/user_session.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.15"}, {"status": "unaffected", "version": "0", "lessThan": "5.15", "versionType": "semver"}, {"status": "unaffected", "version": "5.15.145", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.57", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.7", "versionType": "semver", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/smb/server/connection.c", "fs/smb/server/connection.h", "fs/smb/server/mgmt/user_session.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f"}, {"url": "https://git.kernel.org/stable/c/a2ca5fd3dbcc665e1169044fa0c9e3eba779202b"}, {"url": "https://git.kernel.org/stable/c/18ced78b0ebccc2d16f426143dc56ab3aad666be"}, {"url": "https://git.kernel.org/stable/c/53ff5cf89142b978b1a5ca8dc4d4425e6a09745f"}], "x_generator": {"engine": "bippy-8e903de6a542"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix race condition between session lookup and expire\n\n Thread A + Thread B\n ksmbd_session_lookup | smb2_sess_setup\n sess = xa_load |\n |\n | xa_erase(&conn->sessions, sess->id);\n |\n | ksmbd_session_destroy(sess) --> kfree(sess)\n |\n // UAF! |\n sess->last_active = jiffies |\n +\n\nThis patch add rwsem to fix race condition between ksmbd_session_lookup\nand ksmbd_expire_session."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-09T14:21:02.310Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52480", "state": "PUBLISHED", "dateUpdated": "2024-12-09T14:21:02.310Z", "dateReserved": "2024-02-20T12:30:33.300Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-29T05:43:12.019Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix race condition between session lookup and expire\n\n Thread A + Thread B\n ksmbd_session_lookup | smb2_sess_setup\n sess = xa_load |\n |\n | xa_erase(&conn->sessions, sess->id);\n |\n | ksmbd_session_destroy(sess) --> kfree(sess)\n |\n // UAF! |\n sess->last_active = jiffies |\n +\n\nThis patch add rwsem to fix race condition between ksmbd_session_lookup\nand ksmbd_expire_session."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ksmbd: corrige la condici\u00f3n de ejecuci\u00f3n entre la b\u00fasqueda de sesi\u00f3n y la caducidad del subproceso A + subproceso B ksmbd_session_lookup | smb2_sess_setup sess = xa_load | | | xa_erase(&conn->sesiones, sesi\u00f3n->id); | | ksmbd_session_destroy(sess) --> kfree(sess) | // \u00a1UAF! | sess->last_active = jiffies | + Este parche agrega rwsem para corregir la condici\u00f3n de ejecuci\u00f3n entre ksmbd_session_lookup y ksmbd_expire_session."}], "id": "CVE-2023-52480", "lastModified": "2024-11-21T08:39:52.090", "metrics": {}, "published": "2024-02-29T06:15:46.017", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/18ced78b0ebccc2d16f426143dc56ab3aad666be"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/53ff5cf89142b978b1a5ca8dc4d4425e6a09745f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a2ca5fd3dbcc665e1169044fa0c9e3eba779202b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/18ced78b0ebccc2d16f426143dc56ab3aad666be"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/53ff5cf89142b978b1a5ca8dc4d4425e6a09745f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/a2ca5fd3dbcc665e1169044fa0c9e3eba779202b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ksmbd: fix race condition between session lookup and expire", "id": "2267032", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267032"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nksmbd: fix race condition between session lookup and expire\nThread A + Thread B\nksmbd_session_lookup | smb2_sess_setup\nsess = xa_load |\n|\n| xa_erase(&conn->sessions, sess->id);\n|\n| ksmbd_session_destroy(sess) --> kfree(sess)\n|\n// UAF! |\nsess->last_active = jiffies |\n+\nThis patch add rwsem to fix race condition between ksmbd_session_lookup\nand ksmbd_expire_session.", "A flaw was found in the ksmbd module in the Linux kernel. A race condition between session lookup and expire can cause a use-after-free, resulting in a denial of service."], "name": "CVE-2023-52480", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52480\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52480\nhttps://lore.kernel.org/linux-cve-announce/2024022922-CVE-2023-52480-ff7f@gregkh/T/#u"], "statement": "The ksmbd module is not built in the kernel shipped in Red Hat Enterprise Linux, so it is not affected by this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "kernel 5.15.145, kernel 6.1.57, kernel 6.5.7, kernel 6.6"}