Will this CVSS 10 Linux Kernel vuln ruin your holiday?
We're hopeful that Betteridge's law applies...
Updated 16:29 BST, December 23. Corrects changelog. Thanks to the security researcher who flagged this. Removes reference to a DM that had not been cleared to be on-the-record, with apologies.
Every security researcher just knew some god-awful vulnerability was going to get lobbed into the mix just as people wind down for the holiday and it looked for a moment like it might have landed: A critical (CVSS 10) vulnerability in the Linux kernel that lets remote and unauthenticated hackers execute arbitrary code? Yikes.
Before Linux users worldwide get panties in a panicked bunch, there's more positive news however: The vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd, can more likely than not get back to their mince pies or other recreational activities unperturbed.
(Its existence has been an I-told-you-so moment for those who raised concerns about ksmbd's inclusion in the Linux kernel. As one commentator had noted in a Hacker News debate at the time of ksmbd's merge: "The storage industry has spent literally millions of developer hours over the past decade migrating functions from kernel to user space for reliability, performance, and security reasons. An SMB server in the kernel is not a good idea.")
Slow down: Critical Linux kernel vulnerability ksmbd what?
The Linux kernel vulnerability was reported by security researchers at aerospace multinational Thales in July, before public disclosure today. The ZDI, the bug bounty programme operator, noted in a terse writeup published December 22 that “the specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel…”
It credited Arnaud Gatignol, Quentin Minster, Florent Saudel and Guillaume Teissier of Thales’ Red Team Thalium.
The Stack attempted to reach the researchers to discuss the bug, but had not got a response as we published. Details about the CVSS 10 Linux kernel vulnerability were also thin as we published: Just the 68-word ZDI advisory and a change log online. (We couldn’t even spot a CVE: Let us know if we missed it.)
The vulnerability was fixed in kernel commit a54c509c32adba9d136f2b9d6a075e8cae1b6d27 ("ksmbd: fix use-after-free bug in smb2_tree_disconect").
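To make the flaw class in the ZDI description concrete, here is an added illustration in C. It is not ksmbd's code and does not reproduce the real handler: a toy tree-connect table with a disconnect routine that operates on a caller-supplied id without checking that the object still exists, beside one that validates the lookup and detaches the object before freeing it. All names (struct tree_conn, tree_disconnect_unchecked, tree_disconnect_checked) are constructed for this example.

```c
/*
 * Added example, not ksmbd's code. A toy "tree connect" table showing the
 * flaw class described by ZDI: operating on a connection object without first
 * validating that it still exists, and the check that closes that gap.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_TREES 4

struct tree_conn {
    uint32_t id;
    char share[32];
    int refcount;
};

struct session {
    struct tree_conn *trees[MAX_TREES];   /* slot i holds tree id i+1, or NULL */
};

/* Look a tree id up; returns NULL for an out-of-range or already-removed id. */
static struct tree_conn *tree_lookup(struct session *s, uint32_t id)
{
    if (id == 0 || id > MAX_TREES)
        return NULL;
    return s->trees[id - 1];
}

/* Allocate a connection object in the first free slot; returns its id or -1. */
int tree_connect(struct session *s, const char *share)
{
    for (int i = 0; i < MAX_TREES; i++) {
        if (s->trees[i] == NULL) {
            struct tree_conn *t = calloc(1, sizeof(*t));
            if (!t)
                return -1;
            t->id = (uint32_t)(i + 1);
            strncpy(t->share, share, sizeof(t->share) - 1);
            s->trees[i] = t;
            return (int)t->id;
        }
    }
    return -1;
}

/*
 * Vulnerable shape (shown for reading only; never called below): the handler
 * trusts the caller-supplied id and never checks whether anything is there.
 * Freeing without clearing the slot leaves a dangling pointer, so a second
 * disconnect for the same id writes to freed memory (use-after-free) and
 * frees it again.
 */
void tree_disconnect_unchecked(struct session *s, uint32_t id)
{
    struct tree_conn *t = s->trees[id - 1];   /* no bounds or NULL check */
    t->refcount = 0;                          /* may write through a dangling pointer */
    free(t);                                  /* slot still points at freed memory */
}

/*
 * Hardened shape: validate existence first, detach the object from the table
 * before freeing it, and return an error for an id that is out of range or
 * already disconnected so the request is rejected instead of acted on.
 */
int tree_disconnect_checked(struct session *s, uint32_t id)
{
    struct tree_conn *t = tree_lookup(s, id);
    if (t == NULL)
        return -1;             /* nothing to disconnect: reject the request */
    s->trees[id - 1] = NULL;   /* detach so no later request can reach this object */
    free(t);
    return 0;
}

int main(void)
{
    struct session s;
    memset(&s, 0, sizeof(s));
    int id = tree_connect(&s, "share1");
    printf("connect -> %d\n", id);
    printf("first disconnect -> %d\n", tree_disconnect_checked(&s, (uint32_t)id));
    printf("second disconnect -> %d (rejected)\n", tree_disconnect_checked(&s, (uint32_t)id));
    return 0;
}
```

The hardened routine embodies the two habits that prevent this bug class: treat the lookup result as untrusted (a NULL from the table is a protocol error to report, not a pointer to dereference), and remove the object from every structure that can reach it before its memory is released.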
What's ksmbd?
ksmbd is an in-kernel SMB file server largely written by a team at Samsung Electronics led by Namjae Jeon that was merged to mainline in the Linux 5.15 release on August 29, 2021. It is intended to provide a lightweight and fast kernel-space module offering server-side SMB3 that’s compatible with user-space tools and libraries.
Security researchers were quick to dig into the bug: Shir Tamari, Head of Research at cloud security firm Wiz, noted: “If your SMB server uses Samba, you're safe. If it uses ksmbd, an attacker with read access could leak your server's memory (similar to Heartbleed). ksmbd is new; most users still use Samba and are not affected.”
Comment from Red Hat
Enterprise Linux heavyweight Red Hat reassured customers: "No Red Hat products are affected by the ksmbd vulnerabilities, as the code is not included in any shipping release. Customers’ OpenShift workloads based on the UBI container base images also do not ship it and do not need to be updated or rebuilt.
"These flaws do not affect any of the layered products. Red Hat Enterprise Linux takes a conservative approach to including untested code in released products. New features are only included once considered stable and tested and this new functionality has not yet met this requirement," it added in a short note.
The initial ksmbd merge notes said: “The SMB family of protocols is the most widely deployed network file system protocol, the default on Windows and Macs... with clients and servers on all major operating systems, but lacked a kernel server for Linux. For many cases the current userspace server choices were suboptimal either due to memory footprint, performance or difficulty integrating well with advanced Linux features…
"The target [of ksmbd] is to provide optimized performance, GPLv2 SMB server, better lease handling (distributed caching) [and add features that are] easier to develop on a smaller, more tightly optimized kernel server than for example in Samba [which is] much broader in scope (tools, security services, LDAP, Active Directory Domain Controller, and a cross platform file server for a wider variety of purposes) but the user space file server portion of Samba has proved hard to optimize for some Linux workloads, including for smaller devices.
"This is not meant to replace Samba, but rather be an extension to allow better optimizing for Linux, and will continue to integrate well with Samba user space tools and libraries.” [Samba is a suite of applications that implements the SMB protocol and enables Linux / Unix machines to communicate with Windows machines.]
One person close to the initial commit said: "Most people are using the LTS (Long Term Stable) kernel version, and all issues reported by ZDI are fixed; the patches have been propagated to those kernel versions. We provide patches quickly when problems are reported, so I don't think ksmbd users need to worry too much."
Agree? Disagree? Concerns about Linux kernel attack surface? Get in touch.