CVE-2023-45896: n/a
ntfs3 in the Linux kernel through 6.8.0 allows a physically proximate attacker to read kernel memory by mounting a filesystem (e.g., if a Linux distribution is configured to allow unprivileged mounts of removable media) and then leveraging local access to trigger an out-of-bounds read. A length value can be larger than the amount of memory allocated. NOTE: the supplier's perspective is that there is no vulnerability when an attack requires an attacker-modified filesystem image.
AI Analysis
Technical Summary
CVE-2023-45896 is a vulnerability in the ntfs3 filesystem driver integrated into the Linux kernel up to version 6.8.0. The flaw arises from an out-of-bounds read condition triggered when mounting a specially crafted NTFS filesystem image. Specifically, a length value used during the mount operation can exceed the allocated memory buffer size, allowing an attacker to read adjacent kernel memory. This vulnerability requires physical proximity because the attacker must provide a malicious NTFS filesystem image, typically via removable media, and the system must allow unprivileged users to mount such media. The attack does not require user interaction beyond mounting the filesystem and does not require elevated privileges beyond those needed to mount the media. The impact includes unauthorized disclosure of kernel memory contents, which could contain sensitive information such as cryptographic keys or credentials, and potential system instability or denial of service due to memory corruption. The supplier notes that if the filesystem image is not attacker-controlled, the vulnerability does not exist, emphasizing the need for physical access or local compromise. The CVSS v3.1 score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) reflects a high severity due to high confidentiality impact and high availability impact, with low attack complexity and limited privileges required. No known exploits have been reported in the wild, but the vulnerability poses a significant risk in environments where removable media usage is common and unprivileged mounting is enabled.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality and availability of Linux systems that support NTFS and allow unprivileged mounting of removable media. Sensitive kernel memory disclosure could lead to leakage of cryptographic keys, user credentials, or other sensitive data, facilitating further attacks or privilege escalation. The availability impact could result in system crashes or denial of service, disrupting critical services. Organizations with operational technology, industrial control systems, or secure environments that rely on Linux and permit removable media usage are particularly vulnerable. The requirement for physical proximity limits remote exploitation but increases risk in shared or public environments, such as offices, data centers, or co-working spaces. The lack of current known exploits provides a window for proactive mitigation, but the high CVSS score indicates urgency in addressing the issue to prevent potential exploitation.
Mitigation Recommendations
1. Immediately restrict or disable unprivileged mounting of removable media on Linux systems, especially those running kernel versions up to 6.8.0 with ntfs3 support.
2. Apply official kernel patches or updates from Linux distribution vendors as soon as they become available to address CVE-2023-45896.
3. Implement strict physical security controls to prevent unauthorized access to systems and removable media ports.
4. Employ endpoint security solutions that monitor and alert on unusual mount operations or access to removable media.
5. Educate users about the risks of connecting untrusted removable media and enforce policies restricting their use.
6. Use filesystem integrity monitoring tools to detect unauthorized or suspicious filesystem images.
7. Consider disabling NTFS support if not required or restrict mounting to privileged users only.
8. Regularly audit system configurations to ensure compliance with mounting policies and kernel patch levels.

These steps go beyond generic advice by focusing on controlling the attack vector (removable media), enforcing privilege restrictions, and enhancing monitoring specific to mount operations.
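One way to script the checks behind recommendations 7 and 8, as an added example that is not part of the original advisory or of any vendor tool. The function names and verdict strings are illustrative assumptions, and the kernel check only compares version numbers against the "through 6.8.0" range stated above.

```shell
#!/bin/sh
# Added example: ntfs3 exposure audit for CVE-2023-45896 (names are illustrative).

# True if the release (uname -r format) is <= 6.8.0, the range the advisory
# gives. Distribution backports are not visible in this number.
kernel_in_advisory_range() {
    v=${1%%-*}                          # "6.5.0-14-generic" -> "6.5.0"
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0       # release had no patch component
    min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}; pat=${pat:-0}
    [ "$maj" -lt 6 ] && return 0
    [ "$maj" -eq 6 ] && [ "$min" -lt 8 ] && return 0
    [ "$maj" -eq 6 ] && [ "$min" -eq 8 ] && [ "$pat" -eq 0 ] && return 0
    return 1
}

# True if the driver is registered (built in or already loaded).
# $1: a file in /proc/filesystems format.
ntfs3_registered() { grep -Eq '(^|[[:space:]])ntfs3$' "$1"; }

# True if a modprobe.d directory ($1) overrides loading with a no-op command.
# A bare "blacklist ntfs3" is not counted: it does not stop "modprobe ntfs3".
ntfs3_load_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+ntfs3[[:space:]]+/(usr/)?bin/(false|true)' "$1"/*.conf
}

# Prints "<driver state>/<kernel range>".
# Args: kernel release, filesystems file, modprobe.d directory.
ntfs3_exposure() {
    if ntfs3_registered "$2"; then state=driver-active
    elif ntfs3_load_blocked "$3"; then state=load-blocked
    else state=loadable; fi
    if kernel_in_advisory_range "$1"; then range=in-range; else range=newer; fi
    echo "$state/$range"
}

# Constructed sample data so the example runs offline. On a real host call:
#   ntfs3_exposure "$(uname -r)" /proc/filesystems /etc/modprobe.d
demo=$(mktemp -d)
printf 'nodev\tsysfs\n\text4\n' > "$demo/filesystems"
printf 'install ntfs3 /bin/false\n' > "$demo/ntfs3.conf"
ntfs3_exposure 6.5.0-14-generic "$demo/filesystems" "$demo"
rm -rf "$demo"
```

modprobe also reads /usr/lib/modprobe.d and /run/modprobe.d, so run the same check against those directories when auditing a real host.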
Affected Countries
Germany, France, Netherlands, United Kingdom, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2023-10-16T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69092635fe7723195e0b61e6
Added to database: 11/3/2025, 10:01:25 PM
Last enriched: 11/3/2025, 10:16:40 PM
Last updated: 12/20/2025, 12:14:23 PM