Vulnerabilities in the Linux kernel ksmbd module that allow remote code execution

Fourteen vulnerabilities have been identified in ksmbd, the SMB file-server implementation built into the Linux kernel; four of them allow remote code execution with kernel privileges. The attack requires no authentication: it is enough that the ksmbd module is enabled on the system. The problems are present starting with kernel 5.15, the release in which the ksmbd module was merged. The vulnerabilities are fixed in kernel updates 6.3.2, 6.2.15, 6.1.28 and 5.15.112. Fix status in distributions can be tracked on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

Issues identified:

  • CVE-2023-32254, CVE-2023-32250, CVE-2023-32257, CVE-2023-32258 - Remote code execution with kernel privileges due to missing object locking when handling external requests carrying the SMB2_TREE_DISCONNECT, SMB2_SESSION_SETUP, SMB2_LOGOFF and SMB2_CLOSE commands, which results in an exploitable race condition. No authentication is required.
  • CVE-2023-32256 - Leak of kernel memory contents due to a race condition when handling the SMB2_QUERY_INFO and SMB2_LOGOFF commands. No authentication is required.
  • CVE-2023-32252, CVE-2023-32248 - Remote denial of service due to a NULL pointer dereference when handling the SMB2_LOGOFF, SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. No authentication is required.
  • CVE-2023-32249 - Possible hijacking of another user's session due to insufficient isolation when handling session IDs in multichannel mode.
  • CVE-2023-32247, CVE-2023-32255 - Denial of service through a memory leak when handling the SMB2_SESSION_SETUP command. No authentication is required.
  • CVE-2023-2593 - Denial of service through exhaustion of available memory, caused by memory not being released when handling new TCP connections. No authentication is required.
  • CVE-2023-32253 - Denial of service through a deadlock when handling the SMB2_SESSION_SETUP command. No authentication is required.
  • CVE-2023-32251 - No protection against brute-force attacks.
  • CVE-2023-32246 - A local user with permission to unload the ksmbd module can get their code executed at the Linux kernel level.
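
The four remote-code-execution entries and the CVE-2023-32256 leak share one shape: a handler obtains a pointer to a session or tree object and keeps using it after the lock that protected the lookup has been dropped, while a concurrent SMB2_LOGOFF, SMB2_CLOSE or SMB2_TREE_DISCONNECT on the same connection tears the object down. The following is an added illustration written for this page, not ksmbd code: a small session table in C with the two lookup disciplines side by side, a stand-in flag for the kernel lock, and a fixed interleaving that shows when the object is freed. Every name in it (session_table, freed_when_a_uses_it, the session id 0x1000) is invented for the example.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model written for this article, not ksmbd code: a table of
 * session objects that handlers look up by session id. It contrasts a lookup
 * that hands out a bare pointer with one that takes a reference while the lock
 * is held (what kref/refcount_t enforce in the kernel). The lock is a stand-in
 * flag; the demo is single-threaded and its interleavings are fixed by hand. */

#define MAX_SESSIONS 8

struct session {
    unsigned long long id;
    int refcount;            /* the table's reference + one per in-flight request */
};

struct session_table {
    int locked;              /* stand-in for the kernel lock */
    int count;               /* slots handed out; never compacted in this demo */
    struct session *slots[MAX_SESSIONS];
    int freed;               /* session objects released so far */
};

static void tbl_lock(struct session_table *t)   { assert(!t->locked); t->locked = 1; }
static void tbl_unlock(struct session_table *t) { assert(t->locked);  t->locked = 0; }

/* Caller holds the lock. Returns the slot index of id, or -1. */
static int find_slot(struct session_table *t, unsigned long long id)
{
    for (int i = 0; i < t->count; i++)
        if (t->slots[i] && t->slots[i]->id == id)
            return i;
    return -1;
}

/* SMB2_SESSION_SETUP: create a session; the table holds the first reference. */
static struct session *session_create(struct session_table *t, unsigned long long id)
{
    struct session *s = calloc(1, sizeof(*s));
    assert(s && t->count < MAX_SESSIONS);
    s->id = id;
    s->refcount = 1;
    tbl_lock(t);
    t->slots[t->count++] = s;
    tbl_unlock(t);
    return s;
}

/* Drop one reference; the object is freed when the last holder lets go. */
static void session_put(struct session_table *t, struct session *s)
{
    tbl_lock(t);
    int last = (--s->refcount == 0);
    t->freed += last;
    tbl_unlock(t);
    if (last)
        free(s);
}

/* take_ref == 0: the pointer leaves the critical section unpinned (the flawed
 * pattern). take_ref == 1: the reference is taken while the lock still protects
 * the slot, so a concurrent LOGOFF can no longer free the object under us. */
static struct session *lookup(struct session_table *t, unsigned long long id, int take_ref)
{
    tbl_lock(t);
    int i = find_slot(t, id);
    struct session *s = i < 0 ? NULL : t->slots[i];
    if (s && take_ref)
        s->refcount++;
    tbl_unlock(t);
    return s;
}

/* SMB2_LOGOFF: unlink the session and drop the table's reference. */
static void session_logoff(struct session_table *t, unsigned long long id)
{
    tbl_lock(t);
    int i = find_slot(t, id);
    struct session *s = i < 0 ? NULL : t->slots[i];
    if (s)
        t->slots[i] = NULL;
    tbl_unlock(t);
    if (s)
        session_put(t, s);
}

/* Fixed interleaving: request A looks the session up, a LOGOFF for the same id
 * runs to completion on another thread, then A reaches the point of using its
 * pointer. Returns how many session objects had been freed by then: 1 means A's
 * dereference would be a use-after-free, 0 means A's reference pinned it. */
int freed_when_a_uses_it(int take_ref)
{
    struct session_table t = { 0 };
    session_create(&t, 0x1000);
    struct session *a = lookup(&t, 0x1000, take_ref);
    session_logoff(&t, 0x1000);
    int freed_at_use = t.freed;  /* a is never dereferenced when take_ref == 0 */
    if (take_ref) {
        assert(a->id == 0x1000); /* safe: A still holds a reference */
        session_put(&t, a);      /* last reference: freed here, not earlier */
    }
    return freed_at_use;
}
```

freed_when_a_uses_it(0) returns 1: the LOGOFF dropped the only reference and freed the object while A still held a bare pointer, which is the kind of window the race-condition entries above describe. With take_ref set the same interleaving returns 0: LOGOFF only unlinks the session, and it is released by A's own put. In the kernel the equivalent is taking a kref/refcount_t reference before leaving the critical section and dropping it on every exit path of the handler, including the error paths.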

In addition, five more vulnerabilities were identified in the ksmbd-tools package, which contains the user-space utilities for managing and working with ksmbd. The most dangerous of them (ZDI-CAN-17822, ZDI-CAN-17770 and ZDI-CAN-17820; no CVE assigned yet) allow a remote unauthenticated attacker to execute code as root. They are caused by copying received data into a buffer without checking its size, in the WKSSVC service code and in the handlers for the LSARPC_OPNUM_LOOKUP_SID2 and SAMR_OPNUM_QUERY_USER_INFO opcodes. Two further vulnerabilities (ZDI-CAN-17823, ZDI-CAN-17821) can lead to a remote denial of service, also without authentication.
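
The ksmbd-tools bugs are the classic missing length check before a copy into a fixed-size buffer. As an added example that is not ksmbd-tools code, here is a C decoder for a simplified length-prefixed name element of the kind such RPC requests carry, with the unchecked shape beside a hardened one and three constructed inputs: a benign element, one whose length field exceeds what was received, and one that was received in full but does not fit the destination. The wire format, the function names and the sample bytes are all invented for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example written for this article; it is not ksmbd-tools code and
 * the wire format is a simplification: one name element is a 4-byte
 * little-endian byte count followed by that many bytes. What it demonstrates is
 * the ordering of length checks before the copy, the check the article says is
 * missing in the affected RPC handlers. */

#define NAME_BUF 32                /* fixed destination buffer, as in a handler */

struct rpc_cursor {
    const uint8_t *p;              /* next unread byte of the received PDU */
    size_t left;                   /* bytes actually received from p onwards */
};

static uint32_t le32(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Vulnerable shape: the wire length drives the copy size and the cursor advance
 * with no comparison against the destination or against what was received.
 * Kept for contrast and only ever fed the benign PDU below. */
static int read_name_unchecked(struct rpc_cursor *c, char out[NAME_BUF])
{
    uint32_t len = le32(c->p);
    memcpy(out, c->p + 4, len);    /* overflows when len >= NAME_BUF or > left */
    out[len] = '\0';
    c->p += 4 + len;
    c->left -= 4 + len;
    return (int)(4 + len);
}

/* Hardened: bound the length by the bytes received and by the destination
 * before touching either. Returns bytes consumed, or -1 with the cursor and
 * output untouched when the element is malformed. */
static int read_name_checked(struct rpc_cursor *c, char out[NAME_BUF])
{
    if (c->left < 4)               /* not even a complete length field */
        return -1;
    uint32_t len = le32(c->p);
    if (len > c->left - 4)         /* claims more payload than arrived */
        return -1;
    if (len >= NAME_BUF)           /* no room for the terminator */
        return -1;
    memcpy(out, c->p + 4, len);
    out[len] = '\0';
    c->p += 4 + len;
    c->left -= 4 + len;
    return (int)(4 + len);
}

/* Constructed PDUs: a well-formed 5-byte name, and a truncated element whose
 * length field (0x1000) promises far more than the 4 payload bytes present. */
static const uint8_t good_pdu[] = { 5, 0, 0, 0, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t short_pdu[] = { 0x00, 0x10, 0, 0, 'A', 'A', 'A', 'A' };

/* Returns 9 (bytes consumed) when the benign element decodes to "admin". */
int parse_good(void)
{
    char name[NAME_BUF];
    struct rpc_cursor c = { good_pdu, sizeof good_pdu };
    int n = read_name_checked(&c, name);
    if (n < 0)
        return n;
    return strcmp(name, "admin") == 0 ? n : -2;
}

/* Returns -1: the length field promises 4096 bytes but only 4 arrived. */
int parse_truncated(void)
{
    char name[NAME_BUF];
    struct rpc_cursor c = { short_pdu, sizeof short_pdu };
    return read_name_checked(&c, name);
}

/* Returns -1: 40 payload bytes really are present, but they cannot fit in
 * NAME_BUF, which is the case the unchecked version overflows on. */
int parse_oversized(void)
{
    uint8_t pdu[4 + 40] = { 40, 0, 0, 0 };
    memset(pdu + 4, 'B', 40);
    char name[NAME_BUF];
    struct rpc_cursor c = { pdu, sizeof pdu };
    return read_name_checked(&c, name);
}

int main(void)
{
    char name[NAME_BUF];
    struct rpc_cursor c = { good_pdu, sizeof good_pdu };
    printf("unchecked on benign input: consumed %d -> \"%s\"\n",
           read_name_unchecked(&c, name), name);
    printf("checked: good=%d truncated=%d oversized=%d\n",
           parse_good(), parse_truncated(), parse_oversized());
    return 0;
}
```

The two checks are deliberately against different bounds: c->left guards against reading past the received PDU (an over-read or crash), NAME_BUF guards against writing past the destination (the overflow behind the root-level code execution). Checking only one of them leaves the other failure mode open, and both have to happen before the memcpy, not after it.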

Ksmbd is positioned as a high-performance, embedded-friendly extension of Samba that integrates with Samba's tools and libraries where needed. Support for running an SMB server on top of the ksmbd module has been included in Samba since release 4.16.0. Compared with a user-space SMB server, ksmbd is more efficient in performance and memory consumption and integrates more tightly with advanced kernel features. Steve French of Microsoft, maintainer of the CIFS/SMB2/SMB3 subsystems in the Linux kernel and a long-time member of the Samba development team, has contributed substantially to the SMB/CIFS protocol implementations in both Samba and Linux.

Separately, two vulnerabilities can be noted in the vmwgfx graphics driver, which provides 3D acceleration in VMware environments. The first (ZDI-CAN-20292) lets a local user elevate their privileges: the state of a buffer is not checked before it is freed when handling a vmw_buffer_object, which can lead to a double free. The second (ZDI-CAN-20110) leaks kernel memory contents because of mistakes in the locking of GEM objects.

Source: opennet.ru