A Vulnerability in KSMBD for Linux Could Allow for Remote Code Execution

guest · Dec 31, 2022

MS-ISAC ADVISORY NUMBER: 2022-147

DATE(S) ISSUED: 12/26/2022
OVERVIEW:
A vulnerability have been discovered in KSMBD for Linux that could allow for remote code execution. KSMBD is a Linux kernel daemon which implements the SMB3 protocol in kernel space for sharing files over a network. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of a remote unauthenticated user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE:
Linux is un-aware that an exploit for CVE-2022-47939 exists in the wild.
Click to expand...

SYSTEMS AFFECTED:

SMBD for Linux as installed on Linux kernel versions 5.15 through 5.19 before 5.19.2

RedHat has confirmed there products are not affected

Ubuntu/Debian has confirmed there are some affected products but exploitation requires KSMBD to be enabled, which requires ksmbd-tools to be installed, which is not by default

Click to expand...

guest · Dec 31, 2022

Back to work, Linux admins: You may have a CVSS 10 kernel bug to address
By Brandon Vigliarolo - December 24, 2022

IN BRIEF Merry Christmas, Linux systems administrators: here's a kernel vulnerability with a CVSS score of 10 potentially in your SMB server. It can be exploited to achieve unauthenticated user remote code execution.
Click to expand...

Yes, this sounds bad, and a severity score of 10 out of 10 isn't reassuring at all. Luckily for the sysadmins reaching for more brandy to pour in that eggnog, the flaw doesn't appear to be that widespread.

Discovered the Thalium Team vulnerability research team at French aerospace firm Thales Group in July, the vulnerability is specific to the ksmbd module that was added to the Linux kernel in version 5.15. Disclosure was responsibly held until a patch was issued.
Click to expand...

According to the Zero-Day Initiative, which disclosed the ksmbd vulnerability, the use-after-free flaw exists in the processing of SMB2_TREE_DISCONNECT commands. According to ZDI, the issue is due to ksmbd not validating the existence of objects prior to performing operations on them.

For those using ksmbd, there is a solution other than switching to Samba: Updating to Linux kernel version 5.15.61, released in August, or a newer version.
Click to expand...

Log in or Sign up

A Vulnerability in KSMBD for Linux Could Allow for Remote Code Execution

guest Guest

guest Guest

Log in or Sign up

A Vulnerability in KSMBD for Linux Could Allow for Remote Code Execution

guest Guest

guest Guest

Useful Searches