Linux Kernel libceph Authentication Error Handling Vulnerability Leading to NULL Pointer Dereference

A vulnerability in the Linux kernel's libceph component has been addressed. The issue arises because errors from the authentication reply handler are not properly returned, leading to a mismatch in authentication status. While the monitor may indicate successful authentication, an error has occurred, causing higher layers to react accordingly. Meanwhile, the messaging layer continues to establish a session in the background. In secure mode, this can trigger a warning during cryptographic setup and eventually result in a NULL pointer dereference when preparing the authentication signature.

Impact

This vulnerability can cause a NULL pointer dereference, leading to a crash of the affected application or service.

Reproduction

The vulnerability can be reproduced by introducing an error in the authentication reply handling process within the libceph component of the Linux kernel. This can be done by modifying the authentication response to include an error while ensuring that the monitor still considers the authentication successful. As a result, the messaging layer will attempt to establish a session in the background, which, in secure mode, will trigger a warning during cryptographic setup and eventually cause a NULL pointer dereference when preparing the authentication signature.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the updated kernel can be found on the official Linux kernel website.