It’s the holiday season, with Christmas and New Year around the corner, and everyone was hoping to avoid a security incident like Log4j, which hammered the security community last year. Instead, researchers have disclosed a critical vulnerability in the Linux kernel that lets remote, unauthenticated attackers execute arbitrary code.
The vulnerability appears to affect only ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021. Users running SMB servers via the much more widely deployed Samba, rather than ksmbd, can most likely get back to their mince pies or other recreational activities unperturbed.
The Linux kernel vulnerability was reported by security researchers at aerospace multinational Thales in July before public disclosure. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
No further details about the CVSS 10 Linux kernel vulnerability were published. The vulnerability was fixed in changelog a54c509c32adba9d136f2b9d6a075e8cae1b6d27 (“ksmbd: fix use-after-free bug in smb2_tree_disconect”).
ksmbd is an in-kernel SMB file server introduced in the Linux 5.15 release on August 29, 2021. It is intended to provide a lightweight and fast kernel-space module offering server-side SMB3 that’s compatible with user-space tools and libraries.
Red Hat has stated that none of its products are affected by the vulnerabilities, as the code is not included in any shipping release. Customers’ OpenShift workloads based on the UBI container base images also do not ship it and do not need to be updated or rebuilt.
The SMB family of protocols is the most widely deployed network file system protocol and the default on Windows and Mac, with clients and servers on all major operating systems, but Linux lacked a kernel server. In many cases, the existing userspace server choices were suboptimal due to memory footprint, performance, or difficulty integrating well with advanced Linux features.
To see which kernel version you’re running, run:
$ uname -r
Then, if you’re running the susceptible kernel, to see if the vulnerable module is present and active, run:
$ modinfo ksmbd
If the module isn’t found, the system is safe. If it’s loaded, you’ll want to upgrade to the Linux 5.15.61 kernel.
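The two checks above can be combined into one triage script. This is an added example, not code from the original article or from the kernel project. Since modinfo only reports whether the module is installed, the script also reads /proc/modules to tell whether it is actually loaded. The function names and status words are illustrative, and the version comparison assumes mainline/stable numbering.

```shell
#!/bin/sh
# Added example: triage a host for ksmbd exposure using the facts on this page.
# Assumption: mainline/stable version numbers. Distribution kernels may carry
# the fix as a backport without changing the upstream version string.

# version_status RELEASE -> pre-ksmbd | needs-update | has-fix | check-vendor
version_status() {
    ver=${1%%-*}                      # 5.15.60-generic -> 5.15.60
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "5.15" has no patch level
    minor=${minor%%[!0-9]*}           # drop suffixes such as "+" or "rc1"
    patch=${patch%%[!0-9]*}
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 15 ]; }; then
        echo pre-ksmbd                # ksmbd entered mainline in 5.15
    elif [ "$major" -eq 5 ] && [ "$minor" -eq 15 ]; then
        if [ "${patch:-0}" -lt 61 ]; then echo needs-update; else echo has-fix; fi
    else
        echo check-vendor             # fixed release for this series is not on the page
    fi
}

# module_state [FILE] -> loaded | available | absent
# FILE is a /proc/modules-format listing (defaults to the live /proc/modules).
module_state() {
    if grep -q '^ksmbd ' "${1:-/proc/modules}" 2>/dev/null; then
        echo loaded                   # module is in the running kernel
    elif modinfo ksmbd >/dev/null 2>&1; then
        echo available                # installed on disk, could be loaded later
    else
        echo absent
    fi
}

rel=$(uname -r)
echo "kernel $rel: $(version_status "$rel"); ksmbd module: $(module_state)"
```

A result of needs-update together with loaded is the case that calls for the upgrade described above; check-vendor means the distribution's advisory has to be consulted, because the page only names the fixed 5.15 release.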