CVE-2022-21546: Vulnerability in Linux Linux

High
Published: Fri May 02 2025 (05/02/2025, 21:52:09 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix WRITE_SAME No Data Buffer crash

In newer versions of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because it's NULL.

This patch adds a check for the NDOB bit in the common WRITE SAME code because we don't support it. And, it adds a check for zero SG elements in each handler in case the initiator tries to send a normal WRITE SAME with no data buffer.

AI-Powered Analysis

Last updated: 07/05/2025, 03:10:00 UTC

Technical Analysis

CVE-2022-21546 is a vulnerability identified in the Linux kernel's SCSI target subsystem, specifically related to the handling of the WRITE_SAME command when used with the No Data Buffer (NDOB) bit set. The WRITE_SAME command is used in SCSI to write the same data to multiple logical blocks efficiently. In newer versions of the SCSI Block Commands (SBC) specification, the NDOB bit indicates that no data buffer is provided with the WRITE_SAME command. However, the Linux kernel's target_core_iblock and target_core_file modules did not properly handle this scenario. When the NDOB bit is set, the kernel attempts to access the se_cmd->t_data_sg scatter-gather list, which is NULL, leading to a NULL pointer dereference and a crash.

This vulnerability arises from a lack of validation for the NDOB bit and zero scatter-gather elements in the WRITE_SAME command handlers. The patch for this issue adds checks to detect the NDOB bit and zero SG elements, preventing the kernel from dereferencing a NULL pointer and thus avoiding the crash. The underlying weakness corresponds to CWE-476 (NULL Pointer Dereference).

This vulnerability can cause a denial of service (DoS) by crashing the kernel when a specially crafted WRITE_SAME command with NDOB is issued to a vulnerable Linux system acting as a SCSI target. No known exploits are currently reported in the wild. The affected versions are identified by specific kernel commit hashes, indicating that the issue affects certain Linux kernel versions prior to the patch. No CVSS score has been assigned to this vulnerability yet.
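The two checks described above, as an added user-space example in C; this is a model written for this page, not the kernel patch or any project's code. The struct, enum and function names are hypothetical, the 512-byte block size is constructed, and the NDOB position (byte 1, bit 0) is that of the WRITE SAME (16) CDB.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WRITE_SAME_16 0x93 /* SBC opcode for WRITE SAME (16) */
#define WS16_NDOB     0x01 /* CDB byte 1, bit 0: No Data-Out Buffer */
#define BLOCK_SIZE    512  /* constructed logical block size */

enum ws_status { WS_OK, WS_BAD_OPCODE, WS_INVALID_CDB_FIELD, WS_NO_DATA_BUFFER };

/* Hypothetical per-command state, loosely modelled on se_cmd. */
struct ws_cmd {
    const uint8_t *cdb;   /* 16-byte command descriptor block */
    const uint8_t *data;  /* data-out buffer; NULL when none was sent */
    unsigned int nents;   /* scatter-gather element count */
    size_t len;           /* length of the first element in bytes */
};

/* Run both checks before any handler dereferences cmd->data. */
enum ws_status ws16_validate(const struct ws_cmd *cmd)
{
    if (cmd->cdb[0] != WRITE_SAME_16)
        return WS_BAD_OPCODE;
    /* Common-code check: NDOB is unsupported, so fail the CDB. */
    if (cmd->cdb[1] & WS16_NDOB)
        return WS_INVALID_CDB_FIELD;
    /* Handler check: NDOB clear but the initiator sent no buffer anyway. */
    if (cmd->nents == 0 || cmd->data == NULL)
        return WS_NO_DATA_BUFFER;
    /* WRITE SAME carries exactly one logical block of data. */
    if (cmd->nents > 1 || cmd->len != BLOCK_SIZE)
        return WS_INVALID_CDB_FIELD;
    return WS_OK;
}

/* Build a constructed command from CDB byte 1 and an SG count, then validate. */
enum ws_status ws16_sample(uint8_t byte1, unsigned int nents)
{
    static const uint8_t block[BLOCK_SIZE];
    uint8_t cdb[16] = { WRITE_SAME_16, byte1 };
    struct ws_cmd cmd = { cdb, nents ? block : NULL, nents, nents ? BLOCK_SIZE : 0 };
    return ws16_validate(&cmd);
}

int main(void)
{
    printf("normal=%d ndob=%d empty=%d\n", ws16_sample(0x00, 1),
           ws16_sample(WS16_NDOB, 0), ws16_sample(0x00, 0));
    return 0;
}
```

The third case matters as much as the second: a request with NDOB clear can still arrive with zero scatter-gather elements, which is why the flag check alone is not sufficient.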

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service on systems running vulnerable Linux kernels configured as SCSI targets. Such systems are often found in storage servers, SAN (Storage Area Network) devices, and virtualized environments where Linux acts as a storage target. A successful exploitation could cause the affected system to crash, leading to service interruptions, potential data unavailability, and operational disruption. This can impact critical infrastructure, data centers, cloud service providers, and enterprises relying on Linux-based storage solutions. Although the vulnerability does not directly lead to data corruption or unauthorized access, the resulting downtime could affect business continuity and service level agreements. Given the widespread use of Linux in European IT infrastructure, especially in data centers and cloud environments, the impact could be significant if exploited. However, the lack of known exploits and the requirement for the attacker to send crafted SCSI WRITE_SAME commands to the target limits the attack surface to environments where the attacker has network or physical access to the storage target interface.

Mitigation Recommendations

European organizations should apply the official Linux kernel patches that address CVE-2022-21546 as soon as they become available for their distributions. Specifically, updating the kernel to a version that includes the fix for the WRITE_SAME NDOB handling is critical. For environments where immediate patching is not feasible, organizations should restrict access to SCSI target interfaces to trusted networks and authenticated users only, minimizing exposure to untrusted actors. Monitoring and logging SCSI commands on storage targets can help detect anomalous WRITE_SAME commands with NDOB bits set. Additionally, organizations should review their storage target configurations to ensure that unnecessary exposure of SCSI target services is minimized, employing network segmentation and access controls. Vendors providing Linux-based storage solutions should be engaged to confirm patch availability and deployment timelines. Finally, maintaining robust backup and recovery procedures will mitigate the impact of potential service disruptions caused by exploitation attempts.

Technical Details

Data Version: 5.1
Assigner Short Name: oracle
Date Reserved: 2021-11-15T19:29:08.898Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7b54

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 3:10:00 AM

Last updated: 8/13/2025, 6:59:38 AM
