Critical Remote Code Execution Vulnerability in Linux Kernel

Linux machines running distributions powered by kernels prior to 5.15.61 are affected by use after free flaw, related to ksmbd, exposing vulnerable systems to remote attacks.

KSMBD is an open-source In-kernel CIFS/SMB3 server created by Namjae Jeon for Linux Kernel. It’s an implementation of SMB/CIFS protocol in kernel space for sharing files and IPC services over the network. Initially, the target is to provide improved file I/O performances, but the bigger goal is to have some new features which are much easier to develop and maintain inside the kernel and expose the layers fully.

Potential attackers could exploit the security vulnerability found in the Linux kernel’s SMB2_TREE_DISCONNECT commands to trigger to execute code remotely on vulnerable Linux machines.

The remotely exploitable vulnerability (ZDI-22-1690) has been assigned a 10 critical severity base score by NIST’s NVD, and it could be abused by unauthenticated attackers.

“The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel,” reads the Zeroday Initiative website.

The Linux kernel developers issued a patch for the remote code execution issue during late-Jul and fixed the flaw in the Linux kernel 5.15.61 version.

Another remote code execution vulnerability in the Linux kernel (ZDI-22-1688) has been assigned an 8.5 high severity base score by NIST’s NVD, and also affects ksmbd. Authentication is required to exploit this vulnerability.

The three vulnerabilities can lead to information leaks and denials of service:

• ZDI-22-1691 (CVSS score: 9.6): Linux Kernel ksmbd Out-Of-Bounds Read Information Disclosure Vulnerability
• ZDI-22-1689 (CVSS score: 6.5): Linux Kernel ksmbd Out-Of-Bounds Read Denial-of-Service Vulnerability
• ZDI-22-1687 (CVSS score: 5.3): Linux Kernel ksmbd Memory Exhaustion Denial-of-Service Vulnerability

Arnaud Gatignol, Quentin Minster, Florent Saudel, and Guillaume Teissier (@thalium_team) have been credited for these vulnerabilities.

If you have already installed the Linux kernel 5.15.61 versions and applied the commit, your device can’t be compromised in attacks exploiting these bugs.

Update on December 24th:

Mitre has assigned the following CVEs:

• ZDI-22-1687 – CVE-2022-47941
• ZDI-22-1688 – CVE-2022-47942
• ZDI-22-1689 – CVE-2022-47938
• ZDI-22-1690 – CVE-2022-47939
• ZDI-22-1691 – CVE-2022-47940