Critical Linux Kernel flaw affects SMB servers with ksmbd enabled

Experts warn of a critical Linux Kernel vulnerability (CVSS score of 10) impacting SMB servers that can lead to remote code execution.

A critical Linux kernel vulnerability (CVSS score of 10) exposes SMB servers with ksmbd enabled to hack. KSMBD is a Linux kernel server that implements SMB3 protocol in kernel space for sharing files over the network. An unauthenticated, remote attacker can execute arbitrary code on vulnerable installations of the Linux Kernel.

The flaw resides in the processing of SMB2_TREE_DISCONNECT commands.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.” reads the advisory published by ZDI. “The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel.”

The vulnerability was discovered on July 26, 2022, by the researchers Arnaud Gatignol, Quentin Minster, Florent Saudel, Guillaume Teissier from the Thalium Team at Thales Group.

The flaw was publicly disclosed on December 22, 2022.

The researcher Shir Tamari, Head of Research at Wiz_IO, SMB servers using Samba are not affected, he also added that SMB servers using ksmbd are vulnerable to read access that could leak server’s memory (similar to the vulnerability Heartbleed).

“ksmbd is new; most users still use Samba and are not affected. Basically, if you are not running SMB servers with ksmbd, enjoy your weekend.” added Tamari.

Admins using ksmbd must update to Linux kernel version 5.15.61, which was released in August, or a newer version.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.