CVE-2024-53179

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free of signing key

Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race:

    task A                          task B
    cifs_mount()
     dfs_mount_share()
      get_session()
       cifs_mount_get_session()     cifs_send_recv()
        cifs_get_smb_ses()           compound_send_recv()
         cifs_setup_session()         smb2_setup_request()
          kfree_sensitive()            smb2_calc_signature()
                                        crypto_shash_setkey() *UAF*

Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held.

After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING.
Configurations

Configuration 1

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

14 Jan 2025, 17:18

Type | Values Removed | Values Added
References | https://git.kernel.org/stable/c/0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591 | https://git.kernel.org/stable/c/0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591 - Patch
References | https://git.kernel.org/stable/c/343d7fe6df9e247671440a932b6a73af4fa86d95 | https://git.kernel.org/stable/c/343d7fe6df9e247671440a932b6a73af4fa86d95 - Patch
References | https://git.kernel.org/stable/c/39619c65ab4bbb3e78c818f537687653e112764d | https://git.kernel.org/stable/c/39619c65ab4bbb3e78c818f537687653e112764d - Patch
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 7.8
CWE | (none) | CWE-416
First Time | (none) | Linux linux Kernel; Linux
CPE | (none) | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

09 Jan 2025, 16:16

Type | Values Removed | Values Added
Summary | (none) | (es) In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free of signing key. Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts, which occurs due to the following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF*. Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it is safe to access the signing key when @ses->ses_status == SES_EXITING.
References | (none) | https://git.kernel.org/stable/c/39619c65ab4bbb3e78c818f537687653e112764d

27 Dec 2024, 14:15

Type | Values Removed | Values Added
New CVE

Information

Published : 2024-12-27 14:15

Updated : 2025-02-10 18:15


NVD link : CVE-2024-53179

Mitre link : CVE-2024-53179

CVE.ORG link : CVE-2024-53179

Products Affected

linux

  • linux_kernel
CWE

CWE-416 (Use After Free)