CVE-2023-52442

ksmbd: validate session id and tree id in compound request

CVSS 5.5 MEDIUM · EPSS 17.4%
In short

A flaw in the Linux kernel's ksmbd (in-kernel SMB server) allows attackers to bypass tree ID validation in compound SMB2 requests. If a specific command is placed first in a compound request, the security check is skipped for the commands that follow it, potentially allowing unauthorized access to shared resources.

Technical detail

The vulnerability exists in ksmbd's compound request handling, where smb2_get_msg() returns the header of the first request in the compound instead of the header of the command currently being processed, so the tree ID and session ID checks in smb2_get_ksmbd_tcon() and smb2_check_user_session() examine the wrong header. A compound SMB2 request with SMB2_TREE_CONNECT_HE as its first command therefore skips tree ID validation for the commands that follow, potentially giving unauthorized access to SMB shares.

Summary generated and translated by AI from the official description.
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate session id and tree id in compound request

`smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session() will always return the first request smb2 header in a compound request. If `SMB2_TREE_CONNECT_HE` is the first command in the compound request, it will return 0, i.e. the tree id check is skipped. This patch uses ksmbd_req_buf_next() to get the current command in the compound.

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
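The "Technical detail" summary and the official description above both come down to which header a per-command check reads. The following user-space model, added here and not taken from ksmbd or the kernel patch, reproduces that difference: it walks a constructed two-command compound buffer twice, once with a checker that always reads the first header (the smb2_get_msg() behaviour described above) and once with a checker that reads the current command's header (the ksmbd_req_buf_next() behaviour). The header layout is the 64-byte SMB2 header from MS-SMB2; the session/tree table, the compound buffer, the session id 0x1234, the tree ids and the reduced command set (only TREE_CONNECT is exempt from the tree check) are constructed assumptions for illustration.

```c
/* Added example: user-space model of the check behind CVE-2023-52442.
 * Not ksmbd's code. Header offsets follow MS-SMB2 (Command at 12,
 * NextCommand at 20, TreeId at 36, SessionId at 40); everything else
 * (session table, tree ids, compound buffer) is constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_HDR_SIZE        64
#define SMB2_TREE_CONNECT_HE 0x0003   /* MS-SMB2 TREE_CONNECT command code */
#define SMB2_CREATE_HE       0x0005   /* MS-SMB2 CREATE command code */

struct smb2_hdr {                     /* wire layout, no padding: sizeof == 64 */
    uint8_t  protocol_id[4];
    uint16_t structure_size;
    uint16_t credit_charge;
    uint32_t status;
    uint16_t command;
    uint16_t credit_request;
    uint32_t flags;
    uint32_t next_command;            /* offset to the next header, 0 = last */
    uint64_t message_id;
    uint32_t reserved;
    uint32_t tree_id;
    uint64_t session_id;
    uint8_t  signature[16];
};

/* Constructed session: id 0x1234 owns exactly one tree connection, id 1. */
struct session { uint64_t id; uint32_t tree_ids[4]; size_t ntrees; };
static const struct session SESS = { 0x1234, { 1 }, 1 };

static int session_has_tree(const struct session *s, uint32_t tid)
{
    for (size_t i = 0; i < s->ntrees; i++)
        if (s->tree_ids[i] == tid) return 1;
    return 0;
}

static struct smb2_hdr hdr_at(const uint8_t *buf, size_t off)
{
    struct smb2_hdr h;
    memcpy(&h, buf + off, sizeof h);  /* copy out: no unaligned access */
    return h;
}

/* Common validation: 0 = accept, -1 = reject. TREE_CONNECT has no tree yet,
 * so only its session id is checked (simplified: real ksmbd exempts a few
 * more commands); every other command must name a tree the session owns. */
static int validate(const struct smb2_hdr *h, const struct session *s)
{
    if (h->session_id != s->id) return -1;
    if (h->command == SMB2_TREE_CONNECT_HE) return 0;
    return session_has_tree(s, h->tree_id) ? 0 : -1;
}

/* Pre-fix behaviour (smb2_get_msg): always inspects the FIRST header,
 * whichever command in the compound is actually being processed. */
static int check_vulnerable(const uint8_t *buf, size_t off, const struct session *s)
{
    (void)off;
    struct smb2_hdr first = hdr_at(buf, 0);
    return validate(&first, s);
}

/* Fixed behaviour (ksmbd_req_buf_next): inspects the CURRENT command's header. */
static int check_fixed(const uint8_t *buf, size_t off, const struct session *s)
{
    struct smb2_hdr cur = hdr_at(buf, off);
    return validate(&cur, s);
}

static void put_hdr(uint8_t *buf, size_t off, uint16_t cmd, uint32_t next,
                    uint32_t tid, uint64_t sid)
{
    static const uint8_t pid[4] = { 0xFE, 'S', 'M', 'B' };
    struct smb2_hdr h;
    memset(&h, 0, sizeof h);
    memcpy(h.protocol_id, pid, 4);
    h.structure_size = SMB2_HDR_SIZE;
    h.command = cmd; h.next_command = next; h.tree_id = tid; h.session_id = sid;
    memcpy(buf + off, &h, sizeof h);
}

/* Walks the constructed compound with the given checker and returns how many
 * commands it accepted; processing stops at the first rejection. */
static int accepted_commands(int (*check)(const uint8_t *, size_t, const struct session *))
{
    /* Constructed compound: TREE_CONNECT first, then a CREATE naming a tree
     * id (0xdead) that this session has never connected. */
    uint8_t buf[2 * SMB2_HDR_SIZE];
    put_hdr(buf, 0,             SMB2_TREE_CONNECT_HE, SMB2_HDR_SIZE, 0,      SESS.id);
    put_hdr(buf, SMB2_HDR_SIZE, SMB2_CREATE_HE,       0,             0xdead, SESS.id);

    int accepted = 0;
    size_t off = 0;
    for (;;) {
        if (check(buf, off, &SESS) != 0) break;
        accepted++;
        uint32_t next = hdr_at(buf, off).next_command;
        if (next == 0 || off + next + SMB2_HDR_SIZE > sizeof buf) break;
        off += next;
    }
    return accepted;
}

/* 1 = model the pre-fix check, 0 = model the fixed check. */
int count_accepted(int vulnerable)
{
    return accepted_commands(vulnerable ? check_vulnerable : check_fixed);
}

int main(void)
{
    printf("vulnerable check accepts %d of 2 commands\n", count_accepted(1)); /* 2 */
    printf("fixed check accepts      %d of 2 commands\n", count_accepted(0)); /* 1 */
    return 0;
}
```

With the pre-fix checker both commands pass, because the TREE_CONNECT header at offset 0 is what gets validated each time and that command is exempt from the tree check; with the fixed checker the second command is rejected because its own header carries a tree id the session does not own. The same walk also shows why the session id check in smb2_check_user_session() needs the current header: a later header with a different session id would otherwise never be looked at.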
Affected products
Linux · Linux