CVE-2023-32252

7.5 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's ksmbd SMB server allows attackers to cause a denial of service by sending specially crafted SMB2_LOGOFF commands. The flaw stems from a pointer being accessed without proper validation. Systems running affected Linux kernel versions with ksmbd enabled are vulnerable.

💻 Affected Systems

Products:
  • Linux kernel ksmbd module
Versions: Linux kernel versions with ksmbd support (typically 5.15+ through affected versions)
Operating Systems: Linux distributions with ksmbd enabled
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if ksmbd is enabled and running; not all Linux distributions enable ksmbd by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system crash or kernel panic requiring reboot, potentially disrupting all services on the affected system.

🟠 Likely Case

Service disruption of SMB file sharing services and potential system instability requiring manual intervention.

🟢 If Mitigated

Minimal impact if ksmbd is disabled or systems are patched; isolated to SMB service disruption if properly segmented.

🌐 Internet-Facing: MEDIUM - Systems with ksmbd exposed to untrusted networks could be targeted, but requires SMB access.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to disrupt services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires SMB access; proof-of-concept code is publicly available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 6.3.13, 6.4.4, and later stable versions; backported to various distribution kernels

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2023-32252

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify ksmbd is running the patched version.

🔧 Temporary Workarounds

Disable ksmbd module

linux

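Prevent exploitation by unloading the vulnerable ksmbd module and blacklisting it so it is not loaded automatically. The blacklist entry only stops alias-based automatic loading; an explicit modprobe request still loads the module.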

sudo modprobe -r ksmbd
echo 'blacklist ksmbd' | sudo tee /etc/modprobe.d/ksmbd-blacklist.conf

Restrict SMB access

linux

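Limit network access to the ksmbd service using firewall rules. As written, the rules below drop all inbound traffic to TCP ports 445 and 139, including traffic from legitimate SMB clients.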

sudo iptables -A INPUT -p tcp --dport 445 -j DROP
sudo iptables -A INPUT -p tcp --dport 139 -j DROP

🧯 If You Can't Patch

  • Disable ksmbd service if not required for operations
  • Implement network segmentation to isolate SMB services from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether the ksmbd module is loaded and, if it is, print the kernel version to compare against the affected ranges: lsmod | grep ksmbd && uname -r

Check Version:

uname -r

Verify Fix Applied:

Run uname -r and check the reported kernel version against vendor advisories to confirm it is patched; confirm the ksmbd module loads without issues.
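
The verification steps above can be combined into one host check. This is an added example, not part of the original advisory or any vendor tooling: the fixed releases 6.3.13 and 6.4.4 come from this page, while the status labels, the treatment of release series newer than 6.4 as fixed, and ksmbd being built as a loadable module are assumptions. Distribution kernels with backported fixes report check-vendor and must be confirmed against the vendor advisory.

```shell
#!/bin/sh
# Added example: triage for CVE-2023-32252 exposure on one host.
# Fixed upstream releases (6.3.13, 6.4.4) are the ones this page lists.
# Assumption: release series newer than 6.4 already carry the fix.

# kernel_fix_status RELEASE
# Prints fixed-upstream, check-vendor, or unparsed (hypothetical labels).
kernel_fix_status() {
    base=${1%%[!0-9.]*}              # "6.4.4-arch1-1" -> "6.4.4"
    old_ifs=$IFS; IFS=.
    set -- $base                     # split into major minor patch
    IFS=$old_ifs
    major=${1:-}; minor=${2:-}; patch=${3:-0}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unparsed; return 0
    fi
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -gt 4 ]; }; then
        echo fixed-upstream
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 4 ]; then
        echo fixed-upstream
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 13 ]; then
        echo fixed-upstream
    else
        # Older numbering may still be patched by a distribution backport.
        echo check-vendor
    fi
}

# ksmbd_loaded [MODULES_FILE]: true if ksmbd is listed as a loaded module.
# Assumption: ksmbd is built as a loadable module, not into the kernel image.
ksmbd_loaded() {
    grep -q '^ksmbd ' "${1:-/proc/modules}" 2>/dev/null
}

# ksmbd_triage [RELEASE] [MODULES_FILE]: combine both checks into one verdict.
ksmbd_triage() {
    rel=${1:-$(uname -r)}
    if ! ksmbd_loaded "${2:-}"; then
        echo not-loaded; return 0
    fi
    case $(kernel_fix_status "$rel") in
        fixed-upstream) echo loaded-fixed ;;
        *)              echo loaded-check-vendor ;;
    esac
}

ksmbd_triage "$@"
```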

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • ksmbd service crashes
  • SMB connection failures

Network Indicators:

  • Multiple SMB2_LOGOFF requests from single source
  • Unusual SMB traffic patterns

SIEM Query:

(source="kernel" AND "panic") OR (source="ksmbd" AND "segfault") OR ("SMB2_LOGOFF" AND frequency>10)
