CVE-2023-53817
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
During NVMeTCP Authentication a controller can trigger a kernel oops by specifying the 8192 bit Diffie Hellman group and passing a correctly sized, but zeroed Diffie Hellman value. mpi_cmp_ui() was detecting this if the second parameter was 0, but 1 is passed from dh_is_pubkey_valid(). This causes the null pointer u->d to be dereferenced towards the end of mpi_cmp_ui().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in mpi_cmp_ui() can be triggered by a zeroed Diffie-Hellman value during NVMeTCP Authentication, causing a kernel oops.
Vulnerability
Description
In the Linux kernel, the function mpi_cmp_ui() in the MPI (Multi-Precision Integer) library contains a null pointer dereference vulnerability. The bug occurs when a zeroed MPI value is passed to the function, because the code does not properly handle the case where the internal limb pointer u->d is NULL. This can be triggered during NVMeTCP Authentication when a controller specifies the 8192-bit Diffie Hellman group and provides a correctly sized but zeroed Diffie Hellman value. The function dh_is_pubkey_valid() passes the value 1 as the second parameter to mpi_cmp_ui(), which fails to detect the zeroed input and leads to a dereference of the NULL pointer u->d [1][2].
Exploitation
An attacker with the ability to act as an NVMe over TCP controller can exploit this vulnerability by sending a crafted authentication request that includes a zeroed Diffie Hellman public value. No authentication is required to trigger the vulnerability, as it occurs during the initial authentication handshake. The attack does not require any special privileges beyond network access to the target system running the vulnerable kernel [1][3].
Impact
Successful exploitation causes a kernel oops (a type of crash), leading to a denial of service (DoS) condition on the affected system. The crash can disrupt all services running on the machine and may require a reboot to restore functionality. There is no evidence of code execution or privilege escalation from this vulnerability [1][4].
Mitigation
The vulnerability has been patched in the Linux kernel. The fix ensures that mpi_cmp_ui() properly checks for a zeroed MPI value before dereferencing the limb pointer. Users should apply the latest stable kernel updates from their distribution to remediate this issue [1][2][3][4].
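The check described above, as an added example that is not the kernel's code: a simplified user-space C model showing why a guard that only handles a second parameter of 0 still reaches the NULL limb pointer when 1 is passed, next to a comparison that treats a limbless value as zero. The struct layout, the byte parser, the function names `mpi_from_bytes`, `old_logic_reaches_null`, `mpi_cmp_ui_checked` and `pubkey_lower_bound_ok`, and the all-zero input are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned long limb_t;
/* Simplified user-space model of an MPI, not the kernel's definition. */
struct mpi { int nlimbs; int sign; limb_t *d; };
/* Constructed input: a correctly sized (8192-bit) but all-zero value. */
static const unsigned char ZERO_8192[1024] = { 0 };

/* Leading zero bytes are skipped: an all-zero buffer gives nlimbs == 0, d == NULL. */
static struct mpi mpi_from_bytes(const unsigned char *buf, size_t len)
{
    struct mpi u = { 0, 0, NULL };
    while (len && *buf == 0) { buf++; len--; }
    if (!len) return u;
    u.nlimbs = (int)((len + sizeof(limb_t) - 1) / sizeof(limb_t));
    if (!(u.d = calloc((size_t)u.nlimbs, sizeof(limb_t)))) abort();
    for (size_t i = 0; i < len; i++)   /* i = byte significance, 0 = lowest */
        u.d[i / sizeof(limb_t)] |= (limb_t)buf[len - 1 - i] << (8 * (i % sizeof(limb_t)));
    return u;
}
/* Pre-fix logic as the description gives it: zero is caught only when v == 0.
 * Returns 1 if u->d[0] would then be read through a NULL pointer. */
static int old_logic_reaches_null(const struct mpi *u, unsigned long v)
{
    if (u->nlimbs == 0 && v == 0) return 0;
    if (u->sign || u->nlimbs > 1) return 0;   /* assumed early returns, d untouched */
    return u->d == NULL;
}
/* Hardened comparison: a value with no limbs is zero, whatever v is. */
static int mpi_cmp_ui_checked(const struct mpi *u, unsigned long v)
{
    if (u->nlimbs == 0) return v == 0 ? 0 : -1;
    if (u->sign) return -1;
    if (u->nlimbs > 1) return 1;
    return u->d[0] == v ? 0 : (u->d[0] > v ? 1 : -1);
}
/* Model of the caller's lower-bound check: the public value must exceed 1. */
static int pubkey_lower_bound_ok(const unsigned char *buf, size_t len)
{
    struct mpi y = mpi_from_bytes(buf, len);
    int ok = mpi_cmp_ui_checked(&y, 1) > 0;
    free(y.d);
    return ok;
}

int main(void)
{
    struct mpi z = mpi_from_bytes(ZERO_8192, sizeof ZERO_8192);
    printf("pre-fix reaches NULL: %d, checked cmp: %d, accepted: %d\n", old_logic_reaches_null(&z, 1),
           mpi_cmp_ui_checked(&z, 1), pubkey_lower_bound_ok(ZERO_8192, sizeof ZERO_8192));
    return 0;
}
```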
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/0fc7147c694394f8a8cbc19570c6bc918cac0906 (nvd)
- git.kernel.org/stable/c/12ac013ad7ff0df066451e825801d805095b3776 (nvd)
- git.kernel.org/stable/c/61f5453e9706e99713825594e0c8f9031485fb5f (nvd)
- git.kernel.org/stable/c/67589d247909043e94d2dd5fb590958e0f99d58d (nvd)
- git.kernel.org/stable/c/9e47a758b70167c9301d2b44d2569f86c7796f2d (nvd)
- git.kernel.org/stable/c/ae63e84ffda74267bf7277c38415ba38389229a0 (nvd)
- git.kernel.org/stable/c/d3ad023a39f1127dcfd331c562673355dc078650 (nvd)
- git.kernel.org/stable/c/fde791e8a96a64ea7b0ad2440e43586447a209c6 (nvd)