Login Sign Up

CVE-2023-38428

9.1 CRITICAL

📋 TL;DR

This vulnerability in the Linux kernel's ksmbd SMB server allows attackers to read memory beyond intended boundaries by exploiting improper validation of UserName values. Systems running Linux kernels before version 6.3.4 with ksmbd enabled are affected, potentially exposing sensitive information or causing denial of service.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions before 6.3.4
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if ksmbd (kernel SMB server) is enabled and configured. Many distributions don't enable ksmbd by default.

📦 What is this software?

H300s by Netapp

View all CVEs affecting H300s →

H410s by Netapp

View all CVEs affecting H410s →

H500s by Netapp

View all CVEs affecting H500s →

H700s by Netapp

View all CVEs affecting H700s →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Solidfire \& Hci Management Node by Netapp

View all CVEs affecting Solidfire \& Hci Management Node →

Solidfire \& Hci Storage Node by Netapp

View all CVEs affecting Solidfire \& Hci Storage Node →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure of kernel memory contents, potentially exposing sensitive data like credentials, cryptographic keys, or other system information that could lead to further compromise.

🟠

Likely Case

Denial of service through kernel panic or system crash, with possible information leakage of adjacent memory regions.

🟢

If Mitigated

Limited impact if ksmbd is disabled or proper network segmentation isolates vulnerable systems.

🌐 Internet-Facing: MEDIUM - Requires SMB access to ksmbd service, which is typically not internet-facing but could be exposed in misconfigured environments.
🏢 Internal Only: HIGH - Internal attackers with network access to ksmbd services can exploit this vulnerability to read kernel memory.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires SMB protocol access to ksmbd service. The vulnerability is an out-of-bounds read, not a write, limiting immediate code execution potential.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 6.3.4 and later

Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.4

Restart Required: Yes

Instructions:

1. Update Linux kernel to version 6.3.4 or later. 2. For distributions: Use package manager (apt/yum/dnf) to update kernel package. 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable ksmbd module

linux

Prevent loading of vulnerable ksmbd kernel module

echo 'blacklist ksmbd' >> /etc/modprobe.d/blacklist-ksmbd.conf
rmmod ksmbd

Restrict SMB network access

linux

Use firewall rules to limit access to ksmbd service

iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP

🧯 If You Can't Patch

  • Disable ksmbd service if not required for business operations
  • Implement strict network segmentation to isolate systems with ksmbd enabled

🔍 How to Verify

Check if Vulnerable:

Check kernel version with 'uname -r' and verify if ksmbd module is loaded with 'lsmod | grep ksmbd'

Check Version:

uname -r

Verify Fix Applied:

Confirm kernel version is 6.3.4 or newer with 'uname -r' and verify ksmbd module version if loaded

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • ksmbd service crash logs
  • unusual SMB protocol errors in system logs

Network Indicators:

  • Unusual SMB traffic patterns to ksmbd ports
  • Multiple failed SMB connections with malformed packets

SIEM Query:

source="kernel" AND ("panic" OR "Oops") OR source="ksmbd" AND ("error" OR "crash")

📊 Metadata

CVE ID: CVE-2023-38428
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125
Published: July 18, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-38428, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)