NVMe: New Vulnerabilities Made easy

Presented at REcon 2023, June 11, 2023, 2:30 p.m. (30 minutes)

NVMe technology is part of every Cloud Service Provider, and nowadays, Cloud Services are perhaps the most important cornerstone of modern computing. For this technology to work effectively, there’s a need for a reliable communication standard between the different services and their storage, and that’s exactly where NVMe comes into play. In this session, we’ll see how I discovered a pre-auth remote vulnerability in the NVMe implementation of the Linux kernel in a matter of minutes and how you can do it as well. The ease with which such a vulnerability can be detected and exploited, combined with the fact that it’s done in the pre-auth stage and requires no more than a slight misconfiguration, makes this kind of attack vector very dangerous.

Detailed outline of the talk (30 minutes):

1. whoami + agenda (2 minutes)
2. Open-Source Vulnerability Research Methodology (3 minutes)
   1. Choosing a target
   2. Our approach to Open-Source research
3. Static Code Analysis Overview (3 minutes)
   1. SCA 101
      1. What is SCA
      2. How does it work
   2. Examples of open-sourced tools and how to choose wisely
4. SCA vs Kernel (4 minutes)
   1. Introduction to the research - Motivation, Attack surface, Impact, and methodology
      1. Previous Open-Source vulnerabilities I discovered - CVE-2022-31615, CVE-2022-34682, CVE-2022-4842, CVE-2022-29021, CVE-2022-29022, CVE-2022-29023
   2. What type of bugs do we expect to find with SCA - Memory corruption
   3. Evaluating SCA against my previous findings
   4. Hunting down vulnerabilities with SCA
5. NVMe Intro (4 minutes)
   1. Why and how I’ve chosen this target
   2. What is NVMe
      1. NVMe-oF
      2. NVMe-TCP
   3. Where can NVMe be found in real life (from cloud providers to on-premise storage machines)
6. NVMe Remote DoS in the Linux Kernel (3 minutes)
   1. Real vulnerability source code
   2. Exploiting the vulnerability
7. Setup of the NVMe-TCP environment (2 minutes)
   1. Scraping for configuration information
   2. Setup by trial and error
8. Live Demo I: Remote Exploitation (1 minute)
9. From Remote DoS to Pre-Auth Remote DoS (2 minutes)
   1. How I overcame the Authentication feature
10. Live Demo II: Pre-Auth Bypass Exploitation (1 minute)
11. Wrap-up (2 minutes)
   1. “Tips” for tackling a big Open-Source project
   2. Old-known methods are still relevant for new research
   3. Impact of the research (Accepted PR, CVE, sharing with the community)
12. Q&A (3 minutes)

Presenters:

  • Tal Lossos
    Tal Lossos is a Security Researcher at CyberArk Labs with years of experience in kernel module development and a deep interest in OS internals; he currently focuses on bug hunting in the Linux kernel. In his recent work, Tal discovered multiple vulnerabilities in drivers that allow elevation of privilege.

Links: