CVE-2024-53179

Updated: 2025-02-10 21:53:07.593122

Description:

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free of signing key Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x 0
CVSS Version 3.x HIGH 7.8

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement
AlmaLinux 9.2 ESU kernel 5.14.0 7.8 HIGH Released CLSA-2025:1743193221 2025-02-05 02:18:12
CentOS 6 ELS kernel 2.6.32 7.8 HIGH Not Vulnerable 2025-02-24 06:43:35
CentOS 7 ELS kernel 3.10.0 7.8 HIGH Not Vulnerable 2025-02-24 06:43:32
CentOS 8.4 ELS kernel 4.18.0 7.8 HIGH Released CLSA-2025:1742471200 2025-03-21 03:33:56
CentOS 8.5 ELS kernel 4.18.0 7.8 HIGH Released CLSA-2025:1742469561 2025-03-21 03:33:56
CentOS Stream 8 ELS kernel 4.18.0 7.8 HIGH Released CLSA-2025:1747688581 2025-05-21 01:45:58
CloudLinux 6 ELS kernel 2.6.32 7.8 HIGH Not Vulnerable 2025-02-24 06:43:35
CloudLinux 7 ELS kernel 3.10.0 7.8 HIGH Ignored 2025-02-26 07:14:11
Oracle Linux 6 ELS kernel 2.6.32 7.8 HIGH Not Vulnerable 2025-02-24 06:43:32
Oracle Linux 7 ELS kernel 3.10.0 7.8 HIGH Not Vulnerable 2025-03-25 03:29:17
Total: 14