New Linux Kernel Bug is a Patch Now or Disable Scenario

Vulnerability details

Just in time for Christmas, we have a 9.6 (out of 10) vulnerability in some Linux kernels (5.15 and later) that can be exploited over the network for remote code execution (RCE) without authentication, but only on systems where the ksmbd kernel module is enabled.

The specific flaw exists in the processing of SMB2_TREE_DISCONNECT commands. The problem stems from the lack of verification of the existence of an object before performing operations on the object. An attacker could leverage this vulnerability to execute code in the kernel context.

More details

Linux has released an update to fix this vulnerability. More details can be found at:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.61

Disclosure timeline

2022-07-26 – Vulnerability reported to the vendor
2022-12-22 – Coordinated public release of the advisory

CyberHoot recommendation:

This is a critical vulnerability according to our Vulnerability Alert Management Process (VAMP). That is the bad news. The good news is that the ksmbd kernel module may not be in use on your distribution. Any distribution using Linux kernel 5.15 or higher may be vulnerable. This includes Ubuntu 22.04 and its descendants; Deepin Linux 20.3; and Slackware 15. For server purposes, Ubuntu is of most concern. Other enterprise distributions, such as the Red Hat Enterprise Linux (RHEL) family, do not use the 5.15 kernel.

This is how you check. To see what kernel version you are running:

$ uname -r

If you are running an affected kernel, check whether the vulnerable module is present (modinfo reports whether the module is installed, not whether it is currently loaded):

$ modinfo ksmbd

What you want to see is that the module is not found. If it is found, you'll want to upgrade to the Linux 5.15.61 kernel.

Many distributions, unfortunately, have not yet moved to this kernel version. If this is the case, you will need to disable this kernel module until a patch is released.
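The checks and the temporary mitigation described above can be combined into one triage script. This is an added example, not code from the original article: the 5.15 and 5.15.61 thresholds come from the text, while the function names and the modprobe.d file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). 5.15 and 5.15.61 come from
# the article; the function names and the conf file path are assumptions.

# Classify a release string as printed by `uname -r`.
classify_kernel() {
    ver=${1%%-*}                          # 5.15.0-56-generic -> 5.15.0
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # no third component
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    case "$major.$minor" in *[!0-9.]*|.*|*.) echo unknown; return 0 ;; esac
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 15 ]; }; then
        echo not-in-scope                 # older than 5.15
    elif [ "$major" -eq 5 ] && [ "$minor" -eq 15 ]; then
        if [ "$patch" -lt 61 ]; then echo needs-fix; else echo has-fix; fi
    else
        echo check-vendor                 # article names no fixed version here
    fi
}

# True if module $1 is loaded; $2 is the module list (default /proc/modules).
module_loaded() {
    awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "${2:-/proc/modules}" 2>/dev/null
}

# Write a modprobe.d fragment to $1 that keeps ksmbd from loading:
# "blacklist" stops alias autoloading, "install" makes explicit loads fail.
write_block_conf() {
    printf '%s\n' 'blacklist ksmbd' 'install ksmbd /bin/false' > "$1"
}

report() {
    rel=$(uname -r)
    echo "kernel $rel: $(classify_kernel "$rel")"
    if module_loaded ksmbd; then
        echo "ksmbd: loaded (unload with: modprobe -r ksmbd)"
    elif modinfo ksmbd >/dev/null 2>&1; then
        echo "ksmbd: present on disk, not loaded"
    else
        echo "ksmbd: not found"
    fi
}

report
# As root, to block the module until a fixed kernel is installed:
#   write_block_conf /etc/modprobe.d/disable-ksmbd.conf
```

Distribution kernels such as Ubuntu's keep a release string like 5.15.0-NN while fixes are backported, so treat a needs-fix result as a prompt to check the vendor's advisory rather than as proof of exposure.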
