Vulnerability in the ksmbd module of the Linux kernel that allows remote code execution

A critical vulnerability has been identified in ksmbd, the SMB protocol file server implementation built into the Linux kernel, that allows remote code execution with kernel privileges. The attack requires no authentication; it is enough that the ksmbd module is enabled on the system. The problem has been present since kernel 5.15, released in November 2021, and was quietly fixed in the 5.15.61, 5.18.18 and 5.19.2 updates released in August 2022. Since the problem has not yet been assigned a CVE identifier, there is no precise information yet about fixes in the distributions.

Details of how the vulnerability is exploited have not yet been disclosed; it is only known that it is caused by access to an already freed memory area (use-after-free) because the existence of an object is not checked before operations are performed on it. Specifically, in the smb2_tree_disconnect() function the memory allocated for the ksmbd_tree_connect structure was freed, but a pointer to it remained in use when processing certain external requests containing SMB2_TREE_DISCONNECT commands.
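The following is an added, simplified C model of the bug class described above, not ksmbd's code: a session keeps a table of tree connections plus a cached pointer to the current one, a "disconnect" frees the object, and later handlers either use the cached pointer blindly (the vulnerable shape) or resolve the tree id through the table and check that the object still exists before touching it (the hardened shape). All names (`tree_connect`, `session`, `tree_disconnect_safe`, `MAX_TREES`) are hypothetical and only illustrate the pattern.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added illustrative model; not ksmbd's code. All names are hypothetical. */

#define MAX_TREES 8

struct tree_connect {
    uint32_t id;
    char share[32];
};

struct session {
    struct tree_connect *trees[MAX_TREES]; /* table indexed by tree id - 1 */
    struct tree_connect *cached_tcon;      /* pointer cached for the current request */
};

/* Model of SMB2_TREE_CONNECT: allocate a tree connect and register it. */
int tree_connect(struct session *sess, const char *share) {
    for (uint32_t i = 0; i < MAX_TREES; i++) {
        if (sess->trees[i] == NULL) {
            struct tree_connect *t = calloc(1, sizeof *t);
            if (t == NULL) return -1;
            t->id = i + 1; /* 0 is reserved as "no tree" */
            strncpy(t->share, share, sizeof t->share - 1);
            sess->trees[i] = t;
            sess->cached_tcon = t;
            return (int)t->id;
        }
    }
    return -1;
}

/* Vulnerable shape: release the object but leave the cached pointer dangling.
 * A later request that reaches sess->cached_tcon touches freed memory.
 * Shown only for contrast; nothing below calls it. */
void tree_disconnect_unsafe(struct session *sess) {
    struct tree_connect *t = sess->cached_tcon;
    sess->trees[t->id - 1] = NULL;
    free(t);
    /* sess->cached_tcon still points at freed memory */
}

/* Hardened shape: resolve the object by id, verify it still exists,
 * remove it from the table and clear every reference before freeing. */
int tree_disconnect_safe(struct session *sess, uint32_t tree_id) {
    if (tree_id == 0 || tree_id > MAX_TREES) return -1;
    struct tree_connect *t = sess->trees[tree_id - 1];
    if (t == NULL) return -1; /* already gone: refuse instead of double-freeing */
    sess->trees[tree_id - 1] = NULL;
    if (sess->cached_tcon == t) sess->cached_tcon = NULL;
    free(t);
    return 0;
}

/* Every later handler goes through the table and checks for NULL. */
const char *tree_share_name(const struct session *sess, uint32_t tree_id) {
    if (tree_id == 0 || tree_id > MAX_TREES) return NULL;
    const struct tree_connect *t = sess->trees[tree_id - 1];
    return t ? t->share : NULL;
}

/* Walk the hardened path: connect, disconnect, then repeat the disconnect
 * and a lookup. Returns 1 if every step behaves safely, 0 otherwise. */
int scenario_ok(void) {
    struct session sess;
    memset(&sess, 0, sizeof sess);

    int id = tree_connect(&sess, "share1");
    if (id != 1) return 0;
    if (strcmp(tree_share_name(&sess, 1), "share1") != 0) return 0;

    if (tree_disconnect_safe(&sess, 1) != 0) return 0;
    if (sess.cached_tcon != NULL) return 0;        /* no dangling reference */
    if (tree_share_name(&sess, 1) != NULL) return 0; /* lookup sees it is gone */
    if (tree_disconnect_safe(&sess, 1) != -1) return 0; /* repeat is rejected */
    if (tree_disconnect_safe(&sess, 0) != -1) return 0; /* bogus id rejected */
    return 1;
}

int main(void) {
    printf("hardened disconnect path %s\n", scenario_ok() ? "ok" : "FAILED");
    return scenario_ok() ? 0 : 1;
}
```

Building the model with `-fsanitize=address` and calling `tree_disconnect_unsafe` twice on the same session is the quickest way to see how a sanitizer reports this shape of bug, which is also how such defects are typically caught in kernel test runs with KASAN.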

Besides the vulnerability mentioned above, four less dangerous problems have also been fixed:

  • ZDI-22-1688 - remote code execution with kernel privileges due to a missing check of the actual size of external data in the file-attribute processing code before it is copied into the allocated buffer. The danger of the vulnerability is mitigated by the fact that the attack can only be carried out by an authenticated user.
  • ZDI-22-1691 - remote information leak from kernel memory due to an incorrect check of input parameters in the SMB2_WRITE command handler (the attack can only be carried out by an authenticated user).
  • ZDI-22-1687 - remote denial of service through exhaustion of available system memory due to incorrect release of resources in the SMB2_NEGOTIATE command handler (the attack can be carried out without authentication).
  • ZDI-22-1689 - remote kernel crash due to a missing check of the parameters of the SMB2_TREE_CONNECT command, leading to an out-of-bounds read (the attack can only be carried out by an authenticated user).

Support for running an SMB server on top of the ksmbd module has been included in the Samba package since release 4.16.0. Compared to a user-space SMB server, ksmbd is more efficient in terms of performance, memory consumption and integration with advanced kernel features. ksmbd is positioned as a high-performance, embedded-ready extension to Samba that integrates with Samba tools and libraries as needed. The ksmbd code was written by Samsung's Namjae Jeon and LG's Hyunchul Lee, and is maintained in the kernel by Microsoft's Steve French, maintainer of the CIFS/SMB2/SMB3 subsystems in the Linux kernel and a long-standing member of the Samba development team who has contributed significantly to the implementation of SMB/CIFS protocol support in Samba and Linux.

Source: opennet.ru
