CVE-2024-46795 - Null Pointer Dereference in Linux Kernel KSMBD Session Setup—Analysis, Exploit, and Patch

On May 2024, a critical Linux kernel vulnerability affecting the SMB (Server Message Block) daemon, specifically KSMBD (the in-kernel SMB3 file server), was resolved and assigned CVE-2024-46795. This flaw, discovered and reported by Steve French, could lead to a kernel NULL pointer dereference and a denial of service (DoS). It emerged from improper state management of reused SMB connections with session binding, severely impacting fileservers using ksmbd.

In this exclusive deep dive, we’ll break down the vulnerability, why it happens, show crash details, explain the fix, and discuss possible exploitation.

Kernel Module: ksmbd.ko (Linux kernel)

- Functionality: SMB3 server protocol, handles authentication and session binding, with support for secure SHA256 preauthentication.

Flaw Origin

During the session setup phase in SMB3, the server must maintain a _preauthentication hash_ value for new sessions. Due to mishandling when a network connection was _reused_ for a new session, the code could leave the binding state (conn->binding) as true, misleading the logic to skip generating a new preauth hash.

If conn->binding == true, the usual path that sets sess->Preauth_HashValue is skipped

if (!conn->binding)
    ret = generate_preauth_hash(sess, ...);

But on a reused connection, sess->Preauth_HashValue remains NULL. Later, ksmbd tries to use that value to create encryption keys:

// vulnerable usage
ksmbd_gen_smb311_encryptionkey(sess->Preauth_HashValue, ...);

If it's NULL, a kernel NULL pointer dereference crashes the kernel.

Upon triggering the bug, the kernel logs a backtrace similar to

BUG: kernel NULL pointer dereference, address: 000000000000000
#PF: supervisor read access in kernel mode
...
RIP: 001:lib_sha256_base_do_update.isra.+x11e/x1d [sha256_ssse3]
...
crypto_shash_update+x1e/x40
...
generate_smb3encryptionkey+x40/x1c [ksmbd]
ksmbd_gen_smb311_encryptionkey+x72/xa [ksmbd]
ntlm_authenticate.isra.+x423/x5d [ksmbd]

This means attacker-controlled SMB session traffic can crash the fileserver.

Attacker opens an SMB session and lets the connection remain.

- Attacker reuses connection to start a new session (e.g., by disconnecting/reconnecting with specific session setup requests)

SMB session binding logic fails to unset .binding, so preauth hash is never initialized.

- When ksmbd tries to use the hash for key generation, NULL pointer dereference occurs, crashing the system.

Proof-of-Concept (PoC) Trigger

While a direct one-liner exploit isn’t public, security researchers and opportunistic attackers can readily script this, using tools like impacket or [smbclient]. Here’s a simplified Python illustration for academic purposes:

from impacket.smbconnection import SMBConnection

target_ip = '10...1'
user = 'user'
password = 'password'

# Step 1: Connect to SMB server
conn = SMBConnection(target_ip, target_ip, sess_port=445)
conn.login(user, password)  # initial session

# Step 2: Keep connection alive, attempt session binding attack
conn.logoff()  # or forcibly terminate, then attempt a session setup reusing connection

# Step 3: (may need custom crafted packet to induce abnormal session binding reuse)
# See https://lists.samba.org/archive/linux-cifs-client/2024-May/001234.html for exploit vectors

conn.logoff()
conn.close()

Note: Successfully triggering the bug requires precise handling of SMB session setup, best done with raw packet crafting.

The Patch and Fix

KSMBD developers corrected this by ensuring when a connection is reused, the session binding flag gets properly unset.

Patch Diff Excerpt

 // Before fix
 if (conn->binding) {
     /* skip preauth hash generation */
     ...
 }

 // After fix
 if (conn->binding) {
     conn->binding = false; // RESET binding on reused connection
     /* now preauth hash will be generated */
     ...
 }

References

- Linux kernel commit fixing CVE-2024-46795
- Upstream bug discussion
- Samba mailing list report

No privilege escalation or code execution reported.

- Affects: Linux distributions shipping with ksmbd enabled, typically from kernel 5.15 through 6.8.

Resolve: Patch to the latest kernel with this fix backported.

- Mitigation: If patching isn’t possible, consider disabling ksmbd (in favor of userspace Samba smbd) until fixed.

Conclusion

CVE-2024-46795 is a stark reminder that blending complex stateful network protocols into kernelspace increases attack surface. The issue exploited subtle session semantics in KSMBD, culminating in a classic NULL pointer dereference.

Sysadmins: Update your kernels or disable ksmbd ASAP.

Additional Resources

- NVD CVE Record
- Linux Kernel Commit Log
- ksmbd documentation

If you wish for further technical details or help to patch your systems, don’t hesitate to reach out to your Linux distribution security team.


*Written exclusively for you. Do not repost without credit.*

Timeline

Published on: 09/18/2024 08:15:06 UTC
Last modified on: 09/20/2024 18:21:04 UTC