CVE-2023-44466
published 2023-09-29

Priority: P2, 71 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 54.58% (98.9th percentile)
An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.

Affected

11 ranges

Vendor     Product                                       Version range                    Fixed in
debian     linux                                         < linux 6.1.52-1 (bookworm)      linux 6.1.52-1 (bookworm)
linux      linux_kernel                                  >= 0 < 6.1.52-1                  6.1.52-1
linux      linux_kernel                                  >= 0 < 6.4.11-1                  6.4.11-1
linux      linux_kernel                                  >= 0 < 6.4.11-1                  6.4.11-1
linux      linux_kernel                                  >= 0 < 5.15.0-86.96              5.15.0-86.96
linux      linux_kernel                                  >= 5.11 < 5.15.121               5.15.121
linux      linux_kernel                                  >= 5.16 < 6.1.40                 6.1.40
linux      linux_kernel                                  >= 6.2 < 6.4.5                   6.4.5
msrc       cbl2_kernel_5.15.135.1-2_on_cbl_mariner_2.0   (not given)                      (not given)
paloalto   pan-os                                        (not given)                      (not given)
ubuntu     linux-intel-iotg-5.15                         (not given)                      (not given)

Detection & IOCs (extracted from sources)

  • Exploit vector is a crafted TCP packet carrying a HELLO or AUTH frame with an untrusted length field parsed by ceph_decode_32 in net/ceph/messenger_v2.c, triggering an integer signedness error and buffer overflow leading to RCE.
  • Vulnerable code path is net/ceph/messenger_v2.c in the Linux kernel; monitor traffic on the Ceph messenger v2 protocol (default TCP port 3300) for malformed HELLO or AUTH frames with anomalous length values.
  • Patch commit a282a2f10539dce2aa619e71e1817570d557fc97 in the Linux kernel tree can be used to diff and build detection logic around the vulnerable length-handling code in messenger_v2.c.
  • Security advisory GHSA-jg27-jx6w-xwph (Google Security Research) contains additional technical details that may aid in building signatures for this vulnerability.
  • Only Linux kernels before 6.4.5 are vulnerable; kernels >= 6.4.5 (or >= 6.5 upstream) contain the fix. Red Hat Enterprise Linux 6 and 7 are confirmed NOT affected.
  • Only systems using the Ceph messenger v2 protocol (messenger_v2.c) are affected; systems not running the Ceph kernel client or not using msgr2 are not exposed to this attack surface.
  • Red Hat Enterprise Linux 8 and 9 (including kernel-rt variants) are affected; RHEL 6 and 7 kernel packages are confirmed not affected.
  • Debian bookworm fix is in kernel 6.1.52-1; forky/sid/trixie fix is in 6.4.11-1. Systems on older Debian kernel packages remain vulnerable.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                       9.8     CRITICAL
vendor_debian             8.8     HIGH
vendor_msrc               8.8     HIGH
vendor_redhat             8.8     HIGH
vendor_ubuntu             7.0     HIGH