Overview
A critical Linux kernel vulnerability affecting SMB servers with ksmbd enabled has been disclosed. The flaw lies in the processing of SMB2_TREE_DISCONNECT commands and carries a CVSS score of 10.0. Although use-after-free bugs of this kind are common in software, this one is severe because it can lead to arbitrary code execution in the kernel.
According to the advisory published by the Zero Day Initiative (ZDI), the issue results from a failure to validate that an object still exists before performing operations on it: the handler releases the tree connection and then continues to operate on memory that has already been freed. An attacker can use the vulnerability to execute code in the context of the kernel.
ZDI also stated that authentication is not required to exploit the flaw and that only systems with ksmbd enabled are vulnerable. The vulnerability did not have a CVE number at the time of writing, but a fix has been merged into the Linux kernel.
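To make the bug class ZDI describes concrete, the following is a constructed toy model added to this advisory; it is not ksmbd source code, and the structure names, the per-request cache and the poison value are assumptions. It models a session's table of tree connections with a slab-like pool (freed memory stays mapped, as it does in the kernel), a handler that disconnects by acting on a cached pointer and leaves it dangling, and a hardened handler that resolves the tree id against the session table at the time of use, removes the entry before freeing, and clears the cached pointer so a later operation in the same request cannot reach freed memory.

```c
/*
 * Toy model of a session's tree-connection table, constructed for this
 * advisory to illustrate the use-after-free pattern described above.
 * Not ksmbd code: names, layout and the poison value are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TCONS   8
#define TCON_LIVE   0x4C495645u   /* "LIVE": object registered and valid */
#define TCON_POISON 0xDEADBEEFu   /* written over an object when it is freed */

struct tree_conn {
    uint32_t id;     /* tree id the client quotes in later requests */
    uint32_t state;  /* TCON_LIVE while registered, TCON_POISON after free */
};

struct session {
    struct tree_conn *tcons[MAX_TCONS];  /* id -> live object, NULL when unused */
    struct tree_conn  pool[MAX_TCONS];   /* backing storage, stands in for the slab */
};

/* Per-request state: the handler caches the tree connection it resolved. */
struct request {
    struct session   *sess;
    struct tree_conn *tcon;
};

void session_init(struct session *s) { memset(s, 0, sizeof *s); }

/* SMB2_TREE_CONNECT: allocate a tree connection and register it by id. */
int tree_connect(struct session *s)
{
    for (uint32_t i = 0; i < MAX_TCONS; i++) {
        if (!s->tcons[i]) {
            struct tree_conn *t = &s->pool[i];
            t->id = i;
            t->state = TCON_LIVE;
            s->tcons[i] = t;
            return (int)i;
        }
    }
    return -1;
}

/* Free the object. The memory stays mapped (as with a slab), so a stale
 * pointer still dereferences and sees the poison; that reachability is
 * exactly what makes a use-after-free exploitable. */
static void tcon_free(struct tree_conn *t)
{
    t->state = TCON_POISON;
}

/* Vulnerable pattern: act on the cached pointer and leave it dangling. */
int tree_disconnect_vulnerable(struct request *req)
{
    struct tree_conn *t = req->tcon;
    req->sess->tcons[t->id] = NULL;
    tcon_free(t);
    /* req->tcon still points at freed memory */
    return 0;
}

/* Hardened pattern: validate the object exists at the time of use, make it
 * unreachable by id before freeing, and clear the per-request pointer. */
int tree_disconnect_hardened(struct request *req, uint32_t tree_id)
{
    if (tree_id >= MAX_TCONS || !req->sess->tcons[tree_id])
        return -1;                          /* no such object: reject request */
    struct tree_conn *t = req->sess->tcons[tree_id];
    req->sess->tcons[tree_id] = NULL;       /* no longer resolvable by id */
    req->tcon = NULL;                       /* no dangling cached pointer */
    tcon_free(t);
    return 0;
}

/* A later operation in the same request that touches the cached tcon.
 * Returns 0 when there is nothing to touch, otherwise the object's state. */
uint32_t request_touch_tcon(const struct request *req)
{
    if (!req->tcon)
        return 0;
    return req->tcon->state;   /* on the vulnerable path this reads freed memory */
}

int main(void)
{
    struct session s;
    session_init(&s);
    struct request req = { &s, NULL };

    int id = tree_connect(&s);
    req.tcon = s.tcons[id];
    tree_disconnect_vulnerable(&req);
    printf("vulnerable: cached tcon state after free = 0x%08x\n",
           request_touch_tcon(&req));

    id = tree_connect(&s);
    req.tcon = s.tcons[id];
    tree_disconnect_hardened(&req, (uint32_t)id);
    printf("hardened: cached tcon state after free = 0x%08x\n",
           request_touch_tcon(&req));
    printf("hardened: second disconnect of id %d -> %d\n", id,
           tree_disconnect_hardened(&req, (uint32_t)id));
    return 0;
}
```

On the vulnerable path the later operation reads the poison value from the freed object; in a real kernel that slot may already have been reallocated to attacker-influenced data, which is how a use-after-free turns into code execution. The hardened path rejects a disconnect for an id that is no longer registered and gives the later operation nothing to dereference.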
According to security researcher Shir Tamari, the ramifications of the vulnerability can be likened to 2014's Heartbleed, the OpenSSL flaw that let attackers trick a vulnerable web server into returning private keys and other sensitive data from its memory. Tamari also stated that if your SMB server uses Samba then you're safe, but if it uses ksmbd then an attacker with read access could leak your server's memory.
ksmbd first shipped in Linux kernel 5.15, so any kernel from 5.15 onward that has ksmbd enabled and has not received the fix is affected; Ubuntu 22.04 and Deepin Linux 20.3 are among the distributions considered vulnerable. Because ksmbd is an optional kernel module rather than the default SMB server on most distributions, confirm whether it is actually loaded (for example with lsmod) before treating a host as exposed. If you have not already done so, Avertium encourages your organization to apply the fix and update to Linux kernel 5.15.61 or a later release that contains it.
Avertium recommends that organizations apply the appropriate patch as soon as possible. Patch guidance is available from the sources listed below.
At this time, there are no known IoCs associated with this vulnerability. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
References
ZDI-22-1690 | Zero Day Initiative
Linux fixes maximum-severity kernel vulnerability | IT PRO
Patch now: Serious Linux kernel security hole uncovered | ZDNET
Critical Linux Kernel flaw affects SMB servers with ksmbd enabled | Security Affairs
https://twitter.com/shirtamari/status/1606031277236187136?s=20&t=Bc2XdD40wc0U90uZQ-CyTw