
Updated at 4:29 p.m. BST, December 23: corrects the changelog reference. Thanks to the security researcher who pointed this out. A reference to a DM that had not been cleared for publication has been removed, with apologies.
Every security researcher just knew a terrible vulnerability would be thrown into the mix just as people were winding down for the holidays, and for a moment it seemed one had landed: a critical vulnerability (CVSS 10) in the Linux kernel that lets remote, unauthenticated attackers execute arbitrary code? Yeah.
Before Linux users everywhere panic, however, there is better news: the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged into mainline in the Linux 5.15 release in August 2021. That is, users running SMB servers on the far more widely deployed Samba, rather than ksmbd, can most likely return to their mince pies or other recreational activities undisturbed.
(Its existence was an I-told-you-so moment for those who raised concerns about the inclusion of ksmbd in the Linux kernel. As one commenter noted in a Hacker News debate at the time of the ksmbd merge: “The storage industry has spent literally millions of development hours over the past decade migrating kernel functions to user space for reliability, performance, and security. An SMB server in the kernel is not a good idea.”)
Slow down: a critical Linux kernel vulnerability in ksmbd? What?
The Linux kernel vulnerability was reported by security researchers at multinational aerospace company Thales in July, before being made public today. ZDI, the bug bounty program operator, noted in an advisory published December 22 that “the specific flaw exists in the processing of SMB2_TREE_DISCONNECT commands. The problem results from not validating the existence of an object before performing operations on the object. An attacker can exploit this vulnerability to execute code in the context of the kernel…”
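As an added illustration (not ksmbd’s code, and not from the article or the advisory), the bug class ZDI describes can be modelled in a few lines of C: a per-request context keeps a pointer to a tree connection, the disconnect handler frees that object, and any later command in the same request that trusts the stale pointer operates on freed memory. The pool, struct names and handler names below are hypothetical; the fixed handler shows the mitigation (validate existence, free, clear the reference).

```c
#include <stddef.h>
#include <string.h>

/* Tiny fixed pool standing in for the kernel allocator (constructed for this example). */
struct tree_conn { int in_use; int id; char share[16]; };
struct request   { struct tree_conn *tcon; };   /* per-request context (hypothetical) */

#define POOL_SIZE 4
static struct tree_conn pool[POOL_SIZE];

static struct tree_conn *tcon_alloc(int id, const char *share) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = 1; pool[i].id = id;
            strncpy(pool[i].share, share, sizeof pool[i].share - 1);
            return &pool[i];
        }
    return NULL;
}
/* Freeing zeroes the slot, as a real allocator may reuse or poison the memory. */
static void tcon_free(struct tree_conn *t) { memset(t, 0, sizeof *t); }

/* Buggy handler: frees the object but leaves the request's pointer dangling. */
static void tree_disconnect_buggy(struct request *req) { tcon_free(req->tcon); }

/* Fixed handler: check the object exists, free it, then clear the reference. */
static int tree_disconnect_fixed(struct request *req) {
    if (!req->tcon) return -1;       /* nothing to disconnect: reject the command */
    tcon_free(req->tcon);
    req->tcon = NULL;                /* no stale pointer for later commands */
    return 0;
}

/* A later command in the same compound request that needs the tree connection. */
static int next_command(struct request *req) {
    if (!req->tcon) return -1;       /* existence validated before use */
    return req->tcon->id;
}

/* Returns 1 if the buggy flow leaves the request pointing at a freed slot. */
static int compound_buggy_touches_freed(void) {
    struct request req = { tcon_alloc(7, "docs") };
    tree_disconnect_buggy(&req);
    return req.tcon != NULL && !req.tcon->in_use;   /* dangling pointer -> freed memory */
}

/* Returns 0 if the fixed flow rejects both a second disconnect and a later use. */
static int compound_fixed_result(void) {
    struct request req = { tcon_alloc(7, "docs") };
    if (tree_disconnect_fixed(&req) != 0) return 99;
    int second = tree_disconnect_fixed(&req);      /* -1: no double free */
    return (next_command(&req) == -1 && second == -1) ? 0 : 1;
}
```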

It credits Arnaud Gatignol, Quentin Minster, Florent Saudel and Guillaume Teissier of the Thalium red team at Thales.
The Stack attempted to reach the researchers to discuss the bug, but had not received a response when we published. Details about the CVSS 10 Linux kernel vulnerability were also thin at publication: just the 68-word ZDI advisory and an online changelog. (We couldn’t even spot a CVE; let us know if we missed it.)
The vulnerability has been addressed in kernel commit a54c509c32adba9d136f2b9d6a075e8cae1b6d27 (“ksmbd: fix use-after-free bug in smb2_tree_disconect”).
What is ksmbd?
ksmbd is an in-kernel SMB file server largely written by a team at Samsung Electronics led by Namjae Jeon; it was merged into mainline in the Linux 5.15 release on August 29, 2021. It is intended to provide a lightweight, fast kernel-space module offering server-side SMB3 support that is compatible with user-space tools and libraries.
Security researchers were quick to dig into the bug. Shir Tamari, head of research at cloud security firm Wiz, noted: “If your SMB server is using Samba, you’re safe. If using ksmbd, an attacker with read access could leak your server’s memory (similar to Heartbleed). ksmbd is new; most users are still using Samba and are unaffected.”
Red Hat Comment
Red Hat, the enterprise Linux heavyweight, reassured customers: “No Red Hat product is affected by the ksmbd vulnerabilities, because the code is not included in any released version. Customer OpenShift workloads based on UBI container base images also do not ship the code and do not need to be updated or rebuilt.
“These defects do not affect any layered products. Red Hat Enterprise Linux takes a conservative approach to including untested code in released products. New features are only included once deemed stable and tested, and this new feature has not yet met that requirement,” the company added in a short note.
The initial ksmbd merge notes stated: “The SMB protocol family is the most widely deployed network file system protocol, the default protocol on Windows and Mac…with clients and servers on all major operating systems, but it lacks a kernel server for Linux. In many cases, current userspace server choices were not optimal, either due to memory footprint, performance, or difficulty integrating well with advanced Linux features…
“The target [of ksmbd] is to provide an optimized-performance, GPLv2 SMB server, better lease management (distributed caching) [and features that are] easier to develop on a smaller, more tightly optimized kernel server than, for example, in Samba, [which has] a much broader scope (tools, security services, LDAP, Active Directory domain controller, and a cross-platform file server for a wider variety of purposes), but the file server part of Samba’s user space has proven difficult to optimize for some Linux workloads, including small devices.
“This is not intended to replace Samba, but rather to be an extension to allow better optimization for Linux, and will continue to integrate well with Samba userspace tools and libraries.” [Samba is a suite of applications that implements the SMB protocol and enables Linux/Unix machines to communicate with Windows machines.]
A person familiar with the original commit said: “Most people are running the LTS (Long Term Stable) kernel release, and all issues reported by ZDI are fixed; fixes have been pushed to those kernel releases. We provide fixes quickly when issues are reported, so I don’t think ksmbd users need worry too much.”
Agree? Disagree? Concerns about the Linux kernel attack surface? Get in touch.