Linux Kernel NVMe-oF/TCP Driver Vulnerability Found

Linux Subsystem Vulnerability Exposes Potential Remote Code Execution

A vulnerability has been disclosed in nvmet-tcp, the Linux kernel subsystem that exposes NVMe drives over the network (NVM Express over Fabrics) using the TCP transport. The flaw, tracked as CVE-2023-5178, could allow code execution at the kernel level from a remote client, or privilege escalation for an attacker with local access. Patches that correct the issue are available, as described in this report.

The vulnerability affects the NVMe-oF/TCP driver from its first version, which was introduced in kernel 5.0 (the vulnerability report specifically mentions Linux 5.15). Only systems that run NVMe-oF/TCP on the server (target) side are at risk.

The vulnerability stems from a logic error around the function nvmet_tcp_free_crypto: under certain conditions it is called twice, so some of the structures it owns are freed twice and memory that has already been released is dereferenced. The result is a use-after-free and a double free that a specially crafted client can trigger when it connects to the NVMe-oF/TCP server, either locally or over the network.
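To make the bug class concrete, the following added example (not kernel code, and not the patch for CVE-2023-5178; every name in it, such as `fake_queue` and `free_crypto_safe`, is hypothetical) models a teardown routine that owns two handles. The unsafe shape frees unconditionally and leaves dangling pointers, so a second call is a double free; the hardened shape clears each pointer after release and uses a state flag so a repeated call is detected and does nothing. The demo functions drive the hardened path through setup and two teardown attempts and report what happened.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a crypto handle owned by a connection queue. */
struct fake_tfm {
    char name[16];
};

enum q_state { Q_LIVE, Q_CRYPTO_FREED };

/* Hypothetical queue: two handles plus a teardown-state flag. */
struct fake_queue {
    struct fake_tfm *snd_hash;
    struct fake_tfm *rcv_hash;
    enum q_state state;
};

static int frees_performed; /* instrumentation for the demonstration only */

static struct fake_tfm *alloc_tfm(const char *name)
{
    struct fake_tfm *t = calloc(1, sizeof(*t));
    if (!t)
        return NULL;
    snprintf(t->name, sizeof t->name, "%s", name);
    return t;
}

static void release_tfm(struct fake_tfm *t)
{
    free(t);
    frees_performed++;
}

/* Unsafe shape: releases both handles unconditionally and leaves the
 * dangling pointers in place. Calling this twice on the same queue is a
 * double free (undefined behaviour), which is why the demo never does so. */
void free_crypto_unsafe(struct fake_queue *q)
{
    release_tfm(q->snd_hash);
    release_tfm(q->rcv_hash);
}

/* Hardened shape: idempotent teardown. Each pointer is cleared right after
 * release, and the state flag turns a repeated call into a reported no-op.
 * Returns 0 on the first release, -1 when the queue was already torn down. */
int free_crypto_safe(struct fake_queue *q)
{
    if (q->state == Q_CRYPTO_FREED)
        return -1; /* second call detected: nothing is freed */
    if (q->snd_hash) {
        release_tfm(q->snd_hash);
        q->snd_hash = NULL;
    }
    if (q->rcv_hash) {
        release_tfm(q->rcv_hash);
        q->rcv_hash = NULL;
    }
    q->state = Q_CRYPTO_FREED;
    return 0;
}

/* Sets up a queue, tears it down twice via the hardened path, and returns
 * the return code of the second teardown; frees_performed is left holding
 * the number of handles actually released. */
static int run_double_teardown(void)
{
    struct fake_queue q;
    frees_performed = 0;
    memset(&q, 0, sizeof q);
    q.snd_hash = alloc_tfm("snd");
    q.rcv_hash = alloc_tfm("rcv");
    q.state = Q_LIVE;
    free_crypto_safe(&q);         /* first teardown: releases both handles */
    return free_crypto_safe(&q);  /* second teardown: must be a no-op */
}

/* Number of handles released across two teardown calls (expected: 2). */
int demo_frees_after_double_teardown(void)
{
    run_double_teardown();
    return frees_performed;
}

/* Return code of the second teardown call (expected: -1, detected). */
int demo_second_teardown_rc(void)
{
    return run_double_teardown();
}

int main(void)
{
    printf("handles released: %d, second teardown rc: %d\n",
           demo_frees_after_double_teardown(), demo_second_teardown_rc());
    return 0;
}
```

The defensive idiom shown here (null the pointer at the point of release and track lifecycle state on the owning object) is what turns a latent double-call bug into a detectable, non-exploitable condition; on a kernel build, allocator hardening and KASAN are the corresponding runtime checks that surface the double free during testing.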
