Pierluigi Paganini December 25, 2022

Experts warn of a critical Linux Kernel vulnerability (CVSS score of 10) impacting SMB servers that can lead to remote code execution.

A critical Linux kernel vulnerability (CVSS score of 10) exposes SMB servers with ksmbd enabled to hack. KSMBD is a Linux kernel server that implements SMB3 protocol in kernel space for sharing files over the network. An unauthenticated, remote attacker can execute arbitrary code on vulnerable installations of the Linux Kernel.

The flaw resides in the processing of SMB2_TREE_DISCONNECT commands.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.” reads the advisory published by ZDI. “The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel.”

The vulnerability was discovered on July 26, 2022, by the researchers Arnaud Gatignol, Quentin Minster, Florent Saudel, Guillaume Teissier from the Thalium Team at Thales Group.

The flaw was publicly disclosed on December 22, 2022.

The researcher Shir Tamari, Head of Research at Wiz_IO, SMB servers using Samba are not affected, he also added that SMB servers using ksmbd are vulnerable to read access that could leak server’s memory (similar to the vulnerability Heartbleed).

“ksmbd is new; most users still use Samba and are not affected. Basically, if you are not running SMB servers with ksmbd, enjoy your weekend.” added Tamari.

Admins using ksmbd must update to Linux kernel version 5.15.61, which was released in August, or a newer version.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]