Flash Notice: Critical Linux Kernel Vulnerability Can Lead to Remote Code Execution

overview

A critical Linux Kernel vulnerability impacting SMB servers with KSMBD enabled was found. The flaw is located in the processing of SMB2_TREE_DISCONNECT commands and has a CVSS score of 10. Although this kind of “user-after-free” vulnerability is fairly common in software, it is still considered to be severe since it can allow for code execution and replacement.  

According to the advisory published by Zero Day Initiative (ZDI), the issue results from the lack of validating existence of an object prior to performing operations on the object. Attackers can use the vulnerability to execute code in the context of the kernel.  

ZDI also stated that authentication is not required to exploit the flaw and only systems with KSMBD enabled are vulnerable. The Linux Kernel vulnerability does not have a CVE number yet, but Linux has issued a patch to correct the issue.  

According to security researcher Shir Tamari, the ramifications of the vulnerability can be likened to 2014’s Heartbleed - a flaw found in OpenSSL that allowed attackers to trick a vulnerable web server into sending them encryption keys and other sensitive information. Tamari also stated that if your SMB server uses Samba then you’re safe, but if it uses KSMBD then an attacker with read access could leak your server’s memory.  

If you are using Linux Kernel 5.15 or above, you are vulnerable. Ubuntu 22.04 and Deppin Linux 20.3 are also considered vulnerable. If you have not done so, Avertium encourages your organization to apply the latest patch for the vulnerability and update to Linux Kernel version 5.15.61. 

How Avertium is Protecting Our CUSTOMERS

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. 
• Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
• Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.  
• Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 

Avertium's recommendations    

Avertium recommends the that organizations apply the appropriate patch as soon as possible. You can find patch guidance here.  

indicators of compromise (ioCs)  

At this time, there are no known IoCs associated with this vulnerability. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.