CVE-2023-1194 - OpenCVE

An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Linux	Linux Kernel
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc5::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2023-1194
https://bugzilla.redhat.com/show_bug.cgi?id=2154176
https://nvd.nist.gov/vuln/detail/CVE-2023-1194
https://security.netapp.com/advisory/ntap-20231221-0006/
https://www.cve.org/CVERecord?id=CVE-2023-1194
https://www.spinics.net/lists/stable-commits/msg303065.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-11-03T07:41:35.083Z

Updated: 2024-08-02T05:40:58.408Z

Reserved: 2023-03-06T08:47:19.083Z

Link: CVE-2023-1194

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-03T08:15:07.490

Modified: 2024-08-21T18:20:30.137

Link: CVE-2023-1194

Redhat

Severity : Moderate

Publid Date: 2022-10-02T00:00:00Z

Links: CVE-2023-1194 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1194", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-03-06T08:47:19.083Z", "datePublished": "2023-11-03T07:41:35.083Z", "dateUpdated": "2024-08-02T05:40:58.408Z"}, "containers": {"cna": {"title": "Use-after-free in parse_lease_state()", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory."}], "affected": [{"product": "kernel", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel-rt", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel-rt", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel-rt", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"product": "Fedora", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "kernel", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1194", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2154176", "name": "RHBZ#2154176", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.spinics.net/lists/stable-commits/msg303065.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0006/"}], "datePublic": "2022-10-02T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "Use After Free", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-416: Use After Free", "timeline": [{"lang": "en", "time": "2022-12-16T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2022-10-02T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Pumpkin (@u1f383) (DEVCORE Internship Program, and NYCU Software Security LAB) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-11-03T07:41:35.083Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:40:58.408Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1194", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2154176", "name": "RHBZ#2154176", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://www.spinics.net/lists/stable-commits/msg303065.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0006/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6943BD04-722B-4B0F-810D-A5086EA877BB", "versionEndExcluding": "5.15.145", "versionStartIncluding": "5.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "827DE634-7B30-489B-8DA2-F753BE881D9B", "versionEndExcluding": "6.1.34", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F3A71BC-4CD9-4F21-A84B-E615C990B4ED", "versionEndExcluding": "6.3.8", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "38BC6744-7D25-4C02-9966-B224CD071D30", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "76061B41-CAE9-4467-BEDE-0FFC7956F2A1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc3:*:*:*:*:*:*", "matchCriteriaId": "A717BA5B-D535-46A0-A329-A25FE5CEC588", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc4:*:*:*:*:*:*", "matchCriteriaId": "89CC80C6-F1EE-4AC7-BD21-DB3217BADE87", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc5:*:*:*:*:*:*", "matchCriteriaId": "41EACEA1-FB69-4AF2-BC52-D39489858D42", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory."}, {"lang": "es", "value": "Se encontr\u00f3 una falla de lectura de memoria Out-Of-Bounds (OOB) en parse_lease_state en la implementaci\u00f3n KSMBD del servidor samba en el kernel y CIFS en el kernel de Linux. Cuando un atacante env\u00eda el comando CREATE con un payload mal formada a KSMBD, debido a una verificaci\u00f3n faltante de `NameOffset` en la funci\u00f3n `parse_lease_state()`, el objeto `create_context` puede acceder a memoria no v\u00e1lida."}], "id": "CVE-2023-1194", "lastModified": "2024-08-21T18:20:30.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-11-03T08:15:07.490", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-1194"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2154176"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231221-0006/"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch"], "url": "https://www.spinics.net/lists/stable-commits/msg303065.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Pumpkin (@u1f383) (DEVCORE Internship Program, and NYCU Software Security LAB) for reporting this issue.", "bugzilla": {"description": "kernel: use-after-free in parse_lease_state()", "id": "2154176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2154176"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-416->CWE-125", "details": ["An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.", "An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory."], "name": "CVE-2023-1194", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-10-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-1194\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1194\nhttps://www.spinics.net/lists/stable-commits/msg303065.html"], "statement": "No shipped kernel version was seen affected by this problem. These files are not built in our source code.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.4"}