Rapid7 Vulnerability & Exploit Database

SUSE: CVE-2024-35870: SUSE Linux Security Advisory

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

SUSE: CVE-2024-35870: SUSE Linux Security Advisory

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
05/19/2024
Created
06/14/2024
Added
06/13/2024
Modified
07/19/2024

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in smb2_reconnect_server() The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING. To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down. The following can be reproduced by adding some delay to right after the ipc is freed in __cifs_put_smb_ses() - which will give smb2_reconnect_server() worker a chance to run and then accessing @ses->ipc: kinit ... mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 &>/dev/null sleep 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x36/0x90 ? exc_general_protection+0x1c1/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? __list_del_entry_valid_or_report+0x33/0xf0 __cifs_put_smb_ses+0x1ae/0x500 [cifs] smb2_reconnect_server+0x4ed/0x710 [cifs] process_one_work+0x205/0x6b0 worker_thread+0x191/0x360 ? __pfx_worker_thread+0x10/0x10 kthread+0xe2/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK>

Solution(s)

  • suse-upgrade-cluster-md-kmp-64kb
  • suse-upgrade-cluster-md-kmp-azure
  • suse-upgrade-cluster-md-kmp-default
  • suse-upgrade-cluster-md-kmp-rt
  • suse-upgrade-dlm-kmp-64kb
  • suse-upgrade-dlm-kmp-azure
  • suse-upgrade-dlm-kmp-default
  • suse-upgrade-dlm-kmp-rt
  • suse-upgrade-dtb-allwinner
  • suse-upgrade-dtb-altera
  • suse-upgrade-dtb-amazon
  • suse-upgrade-dtb-amd
  • suse-upgrade-dtb-amlogic
  • suse-upgrade-dtb-apm
  • suse-upgrade-dtb-apple
  • suse-upgrade-dtb-arm
  • suse-upgrade-dtb-broadcom
  • suse-upgrade-dtb-cavium
  • suse-upgrade-dtb-exynos
  • suse-upgrade-dtb-freescale
  • suse-upgrade-dtb-hisilicon
  • suse-upgrade-dtb-lg
  • suse-upgrade-dtb-marvell
  • suse-upgrade-dtb-mediatek
  • suse-upgrade-dtb-nvidia
  • suse-upgrade-dtb-qcom
  • suse-upgrade-dtb-renesas
  • suse-upgrade-dtb-rockchip
  • suse-upgrade-dtb-socionext
  • suse-upgrade-dtb-sprd
  • suse-upgrade-dtb-xilinx
  • suse-upgrade-gfs2-kmp-64kb
  • suse-upgrade-gfs2-kmp-azure
  • suse-upgrade-gfs2-kmp-default
  • suse-upgrade-gfs2-kmp-rt
  • suse-upgrade-kernel-64kb
  • suse-upgrade-kernel-64kb-devel
  • suse-upgrade-kernel-64kb-extra
  • suse-upgrade-kernel-64kb-livepatch-devel
  • suse-upgrade-kernel-64kb-optional
  • suse-upgrade-kernel-azure
  • suse-upgrade-kernel-azure-base
  • suse-upgrade-kernel-azure-devel
  • suse-upgrade-kernel-azure-extra
  • suse-upgrade-kernel-azure-livepatch-devel
  • suse-upgrade-kernel-azure-optional
  • suse-upgrade-kernel-azure-vdso
  • suse-upgrade-kernel-debug
  • suse-upgrade-kernel-debug-devel
  • suse-upgrade-kernel-debug-livepatch-devel
  • suse-upgrade-kernel-debug-vdso
  • suse-upgrade-kernel-default
  • suse-upgrade-kernel-default-base
  • suse-upgrade-kernel-default-base-rebuild
  • suse-upgrade-kernel-default-devel
  • suse-upgrade-kernel-default-extra
  • suse-upgrade-kernel-default-livepatch
  • suse-upgrade-kernel-default-livepatch-devel
  • suse-upgrade-kernel-default-man
  • suse-upgrade-kernel-default-optional
  • suse-upgrade-kernel-default-vdso
  • suse-upgrade-kernel-devel
  • suse-upgrade-kernel-devel-azure
  • suse-upgrade-kernel-devel-rt
  • suse-upgrade-kernel-docs
  • suse-upgrade-kernel-docs-html
  • suse-upgrade-kernel-kvmsmall
  • suse-upgrade-kernel-kvmsmall-devel
  • suse-upgrade-kernel-kvmsmall-livepatch-devel
  • suse-upgrade-kernel-kvmsmall-vdso
  • suse-upgrade-kernel-macros
  • suse-upgrade-kernel-obs-build
  • suse-upgrade-kernel-obs-qa
  • suse-upgrade-kernel-rt
  • suse-upgrade-kernel-rt-devel
  • suse-upgrade-kernel-rt-extra
  • suse-upgrade-kernel-rt-livepatch
  • suse-upgrade-kernel-rt-livepatch-devel
  • suse-upgrade-kernel-rt-optional
  • suse-upgrade-kernel-rt-vdso
  • suse-upgrade-kernel-rt_debug
  • suse-upgrade-kernel-rt_debug-devel
  • suse-upgrade-kernel-rt_debug-livepatch-devel
  • suse-upgrade-kernel-rt_debug-vdso
  • suse-upgrade-kernel-source
  • suse-upgrade-kernel-source-azure
  • suse-upgrade-kernel-source-rt
  • suse-upgrade-kernel-source-vanilla
  • suse-upgrade-kernel-syms
  • suse-upgrade-kernel-syms-azure
  • suse-upgrade-kernel-syms-rt
  • suse-upgrade-kernel-zfcpdump
  • suse-upgrade-kselftests-kmp-64kb
  • suse-upgrade-kselftests-kmp-azure
  • suse-upgrade-kselftests-kmp-default
  • suse-upgrade-kselftests-kmp-rt
  • suse-upgrade-ocfs2-kmp-64kb
  • suse-upgrade-ocfs2-kmp-azure
  • suse-upgrade-ocfs2-kmp-default
  • suse-upgrade-ocfs2-kmp-rt
  • suse-upgrade-reiserfs-kmp-64kb
  • suse-upgrade-reiserfs-kmp-azure
  • suse-upgrade-reiserfs-kmp-default
  • suse-upgrade-reiserfs-kmp-rt

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;