Last summer, Thales Group specialists discovered a critical bug (CVE-2022-47939) in the ksmbd module of the Linux kernel, which was added to the kernel in version 5.15. This bug received a score of 10 out of 10 on the CVSS vulnerability rating scale, and its exploitation allows an unauthenticated user to remotely execute arbitrary code.
Let me remind you that ksmbd is a file server built on the SMB3 protocol and positioned as a simpler alternative to Samba. It was created by Samsung and LG engineers and is focused on higher performance and new features. ksmbd was added to the kernel in 2021. Let me also remind you that we previously wrote that Dirty Pipe Vulnerability Allows Rooting Almost All Linux Distributions, and that Experts Found More than 200 Miner Packages for Linux Systems in PyPI and npm Repositories.
The disclosure of data on this vulnerability was postponed for almost half a year: due to the high risk of the bug, the researchers decided to wait for the release of the patch.
As it turned out, the root of the problem lay in the fact that ksmbd runs in the kernel itself, not in userspace. Last year, this fact already caused concern among some users and experts. For example, the German company SerNet, which offers its own version of Samba, wrote in a blog post that ksmbd is impressive, but so far can only be called immature.
And the Samba+ team at SerNet reported that adding an SMB server to the kernel space and wanting to “squeeze that extra bit of performance out of the available hardware” hardly justifies the risks involved.
It has now been revealed that a vulnerability in ksmbd could lead to an SMB server memory leak, similar to the infamous Heartbleed issue. According to experts from the Zero-Day Initiative, the vulnerability is of the use-after-free type and occurs when processing SMB2_TREE_DISCONNECT commands. Essentially, the problem is that ksmbd does not validate the existence of objects before performing operations on them.
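The "does not validate the existence of objects before operating on them" pattern, shown as an added illustration that is not ksmbd's code and not the upstream patch: a hypothetical per-session table of tree-connect objects in C, where the disconnect handler first checks that the object still exists, unlinks it from the table, and only then drops the table's reference, while any in-flight command holds its own reference. The struct layout and all function names (tree_connect, tree_get, tree_put, tree_disconnect, run_demo) are assumptions made for this example.

```c
/* Added illustration, not ksmbd's code: a toy per-session table of
 * tree-connect objects whose disconnect handler validates that the object
 * exists and unlinks it before dropping the last reference.
 * All names and the table layout are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TREES 8

struct tree_connect {
    unsigned int id;
    int refcount;          /* table reference + in-flight users */
    char share[32];
};

struct session {
    struct tree_connect *trees[MAX_TREES];
    unsigned int next_id;
};

void session_init(struct session *s)
{
    memset(s, 0, sizeof *s);
    s->next_id = 1;        /* id 0 means "no tree" */
}

/* TREE_CONNECT: allocate and register an object, return its id (0 on failure). */
unsigned int tree_connect(struct session *s, const char *share)
{
    for (int i = 0; i < MAX_TREES; i++) {
        if (s->trees[i] != NULL)
            continue;
        struct tree_connect *tc = calloc(1, sizeof *tc);
        if (tc == NULL)
            return 0;
        tc->id = s->next_id++;
        tc->refcount = 1;  /* the table's own reference */
        strncpy(tc->share, share, sizeof tc->share - 1);
        s->trees[i] = tc;
        return tc->id;
    }
    return 0;
}

/* Look an object up by id and take a reference; NULL if it does not exist. */
struct tree_connect *tree_get(struct session *s, unsigned int id)
{
    for (int i = 0; i < MAX_TREES; i++) {
        if (s->trees[i] != NULL && s->trees[i]->id == id) {
            s->trees[i]->refcount++;
            return s->trees[i];
        }
    }
    return NULL;
}

/* Drop a reference; the object is freed only when the last one goes away. */
void tree_put(struct tree_connect *tc)
{
    if (tc != NULL && --tc->refcount == 0)
        free(tc);
}

/* Anti-pattern, never called here: trust the id from the wire, free without
 * checking that the object still exists, then touch it again. A repeated
 * disconnect for the same id frees a dangling pointer and reads freed memory. */
void tree_disconnect_unchecked(struct session *s, unsigned int id)
{
    struct tree_connect *tc = s->trees[id - 1];
    free(tc);
    printf("disconnected %s\n", tc->share);   /* use after free */
}

/* TREE_DISCONNECT, hardened: validate existence, unlink from the table first so
 * no later lookup can reach the object, then drop the table's reference.
 * Returns 0 on success, -1 if no such tree exists (repeat disconnect, bad id). */
int tree_disconnect(struct session *s, unsigned int id)
{
    for (int i = 0; i < MAX_TREES; i++) {
        struct tree_connect *tc = s->trees[i];
        if (tc == NULL || tc->id != id)
            continue;
        s->trees[i] = NULL;
        tree_put(tc);
        return 0;
    }
    return -1;
}

/* Walk the lifecycle once; returns the number of expectations met (5 when correct). */
int run_demo(void)
{
    struct session s;
    int ok = 0;
    session_init(&s);
    unsigned int id = tree_connect(&s, "public");
    ok += (id == 1);
    struct tree_connect *tc = tree_get(&s, id);  /* in-flight command holds a ref */
    ok += (tc != NULL);
    ok += (tree_disconnect(&s, id) == 0);        /* unlinked, still alive for tc */
    ok += (tree_get(&s, id) == NULL);            /* no longer reachable by id */
    ok += (tree_disconnect(&s, id) == -1);       /* repeated disconnect rejected */
    tree_put(tc);                                /* last reference: freed here */
    return ok;
}

int main(void)
{
    printf("%d/5 checks passpassed\n", run_demo());
    return 0;
}
```

The two points the hardened handler makes are the ones the vulnerability description hinges on: a request naming an object is only acted on after a lookup confirms the object exists, and the object is removed from every place it can be found before its memory is released, so a second request for the same id fails cleanly instead of reaching freed memory.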
As information security researcher Shir Tamari notes on Twitter, the bug does not affect those who do not use the "experimental ksmbd module" but rely on Samba instead.
Those who do use ksmbd do not need to switch to Samba either: they can upgrade the Linux kernel to version 5.15.61, released in August (or a newer version), where the vulnerability was fixed.
By the way, as has been reported in the media, experts note the growing interest of cybercriminals in Linux systems.