A vulnerability detected in the Linux kernel allows code to be executed remotely


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt the affected system.

Recently the news broke that a critical vulnerability was identified in the ksmbd module, an implementation of an SMB file server built into the Linux kernel.

The flaw allows remote code execution with kernel privileges. The attack can be carried out without authentication; it is enough that the ksmbd module is enabled on the system.

At the moment, the exact details of the method used to exploit the vulnerability have not been revealed. It is only known that the vulnerability is caused by access to an already freed memory area (Use-After-Free) due to a failure to check for the existence of an object before performing operations on it.

VULNERABILITY DETAILS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of the Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.

The specific flaw exists within the processing of the SMB2_TREE_DISCONNECT commands. The problem is caused by the lack of validation of the existence of an object before performing operations on the object. An attacker can exploit this vulnerability to execute code in the context of the kernel.

It is mentioned that the problem lies in the function smb2_tree_disconnect(): the memory allocated for the ksmbd_tree_connect structure was freed, but a pointer to it was still used afterwards when processing certain external requests containing SMB2_TREE_DISCONNECT commands.
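To make the bug class concrete, here is an added illustration written for this article; it is not kernel or ksmbd code. It models a session that owns tree-connect objects and shows the defensive pattern the text describes as missing: verify that the object still exists before operating on it, and invalidate the session's reference at the moment the object is freed, so that a repeated disconnect or a later request cannot reach freed memory. All names (session_t, tree_connect_t, tree_disconnect(), tree_share_name()) and the fixed-size slot table are hypothetical.

```c
/* Added illustration, not kernel code: a simplified model of a tree-connect
 * lifecycle. The use-after-free pattern arises when an object is freed while a
 * pointer to it stays reachable from the session and is dereferenced by a later
 * request. The hardened handlers below check existence first and clear the
 * reference before freeing. Names and layout are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TREES 4

typedef struct tree_connect {
    int id;
    char share[32];
} tree_connect_t;

typedef struct session {
    tree_connect_t *trees[MAX_TREES];   /* NULL slot == no such connection */
} session_t;

/* Look up a tree connection by id; returns NULL when it does not exist. */
static tree_connect_t *tree_lookup(session_t *s, int id) {
    for (int i = 0; i < MAX_TREES; i++)
        if (s->trees[i] && s->trees[i]->id == id)
            return s->trees[i];
    return NULL;
}

/* Create a tree connection in a free slot. 0 on success, -1 if full or OOM. */
int tree_connect(session_t *s, int id, const char *share) {
    for (int i = 0; i < MAX_TREES; i++) {
        if (s->trees[i] == NULL) {
            tree_connect_t *t = calloc(1, sizeof(*t));
            if (!t) return -1;
            t->id = id;
            strncpy(t->share, share, sizeof(t->share) - 1);
            s->trees[i] = t;
            return 0;
        }
    }
    return -1;
}

/* Hardened disconnect: confirm the object exists, drop the session's
 * reference first, then free. A second disconnect for the same id finds
 * nothing and is rejected instead of touching freed memory. */
int tree_disconnect(session_t *s, int id) {
    for (int i = 0; i < MAX_TREES; i++) {
        tree_connect_t *t = s->trees[i];
        if (t && t->id == id) {
            s->trees[i] = NULL;   /* invalidate the reference before free */
            free(t);
            return 0;
        }
    }
    return -1;   /* unknown id: nothing to operate on */
}

/* A later request that must check existence before using the object. */
int tree_share_name(session_t *s, int id, char *out, size_t outlen) {
    tree_connect_t *t = tree_lookup(s, id);
    if (!t) return -1;
    snprintf(out, outlen, "%s", t->share);
    return 0;
}

/* Stand-alone driver: connect once, disconnect twice, then query.
 * Returns 1 when every step behaved safely. */
int demo_double_disconnect(void) {
    session_t s;
    char name[32];
    memset(&s, 0, sizeof(s));
    if (tree_connect(&s, 1, "docs") != 0) return 0;
    int first  = tree_disconnect(&s, 1);                      /* 0 */
    int second = tree_disconnect(&s, 1);                      /* -1, already gone */
    int lookup = tree_share_name(&s, 1, name, sizeof(name));  /* -1, no object */
    return first == 0 && second == -1 && lookup == -1;
}

int main(void) {
    printf("repeated disconnect handled safely: %s\n",
           demo_double_disconnect() ? "yes" : "no");
    return 0;
}
```

The design point is ordering: the reference is cleared before the free, so there is never a window in which the session still points at memory that has been returned to the allocator. Real kernel code protects the same ordering with locking and reference counts, which this single-threaded model omits.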

In addition to the ksmbd vulnerability mentioned above, four less dangerous issues were also fixed:

  • ZDI-22-1688 – Remote code execution with kernel rights due to a failure to check the actual size of external data before copying it into the allocated buffer in the file attribute processing code. The danger of the vulnerability is mitigated by the fact that the attack can only be performed by an authenticated user.
  • ZDI-22-1691 – Remote leak of kernel memory contents due to an incorrect check of input parameters in the SMB2_WRITE command handler (the attack can only be performed by an authenticated user).
  • ZDI-22-1687 – Remote denial of service through exhaustion of available system memory due to incorrect resource release in the SMB2_NEGOTIATE command handler (the attack can be carried out without authentication).
  • ZDI-22-1689 – Remote kernel crash due to a lack of proper verification of SMB2_TREE_CONNECT command parameters, resulting in a read outside the buffer area (the attack can only be performed by an authenticated user).
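Three of the four issues above (ZDI-22-1688, ZDI-22-1691 and ZDI-22-1689) share one root cause: a length or offset taken from the incoming message is trusted without being checked against the bytes actually received or the destination buffer. The following added example, written for this article and not taken from ksmbd, shows the check a parser needs before copying a length-prefixed field. The record layout (a 2-byte little-endian length followed by the payload) and the function names are hypothetical.

```c
/* Added illustration, not ksmbd code: validate a length field carried in an
 * incoming message against (a) the bytes actually received and (b) the
 * destination buffer before copying. Layout and names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ATTR_MAX 16

/* Copy the attribute payload from msg into dst.
 * Returns the number of bytes copied, or -1 when the declared length is not
 * backed by received data (would read past the message) or exceeds dst
 * (would write past the buffer). */
int copy_attr(const uint8_t *msg, size_t msg_len, uint8_t *dst, size_t dst_len) {
    if (msg_len < 2)
        return -1;                                   /* no room for the length field */
    uint16_t declared = (uint16_t)(msg[0] | (msg[1] << 8));
    if (declared > msg_len - 2)
        return -1;                                   /* claims more than we received */
    if (declared > dst_len)
        return -1;                                   /* would overflow the destination */
    memcpy(dst, msg + 2, declared);
    return (int)declared;
}

/* Stand-alone driver over constructed sample messages.
 * Returns 1 when the honest message is accepted and both bad ones rejected. */
int demo_copy_attr(void) {
    uint8_t dst[ATTR_MAX];
    const uint8_t good[]  = {0x03, 0x00, 'a', 'b', 'c'};   /* says 3, carries 3 */
    const uint8_t lying[] = {0xff, 0x00, 'a', 'b', 'c'};   /* says 255, carries 3 */
    const uint8_t big[2 + 32] = {0x20, 0x00};              /* says 32, carries 32, dst holds 16 */
    int a = copy_attr(good,  sizeof good,  dst, sizeof dst);   /* 3 */
    int b = copy_attr(lying, sizeof lying, dst, sizeof dst);   /* -1 */
    int c = copy_attr(big,   sizeof big,   dst, sizeof dst);   /* -1 */
    return a == 3 && b == -1 && c == -1;
}
```

Both rejections matter: the first prevents an over-read that leaks whatever lies beyond the received message (the information-leak class), the second prevents an over-write into adjacent memory (the code-execution class). Note the subtraction is done as `msg_len - 2` only after `msg_len < 2` has been ruled out, so the size_t arithmetic cannot wrap.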

Support for running an SMB server using the ksmbd module has been in the Samba package since version 4.16.0.

Unlike a user-space SMB server, ksmbd is more efficient in terms of performance, memory consumption, and integration with advanced kernel features. Ksmbd is promoted as a high-performance, plug-and-play Samba extension, which integrates with Samba tools and libraries as needed.

The ksmbd code was written by Namjae Jeon of Samsung and Hyunchul Lee of LG, and is maintained by Steve French of Microsoft, maintainer of the CIFS/SMB2/SMB3 subsystems in the Linux kernel and a longtime Samba developer who has made significant contributions to the implementation of SMB/CIFS protocol support in Samba and Linux.

It is worth mentioning that the problem has been present since kernel 5.15, released in November 2021, and was silently fixed in updates 5.15.61, 5.18.18 and 5.19.2, released in August 2022. Since the issue has not yet been assigned a CVE identifier, there is no exact information yet on how to fix the problem in distributions.

Finally, if you are interested in knowing more about it, you can check the details at the following link.
