Vulnerability Details
Just in time for Christmas, we have a 9.6 vulnerability (out of 10) in some Linux Kernels (5.15 and later) which can be exploited for Remote Code Execution (RCE) without authentication on network enabled ports but only on systems where the ksmbd kernel module is enabled are vulnerable.
The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
ADDITIONAL DETAILS
Linux has issued an update to correct this vulnerability. More details can be found at:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.61
Disclosure Timeline
2022-07-26 – Vulnerability reported to vendor
2022-12-22 – Coordinated public release of advisory
CyberHoot Recommendation:
This is a Critical Vulnerability according to our Vulnerability Alert Management Process (VAMP). That’s the bad news. The Good news is that the ksmbd kernel module might not be in use in your distros. Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15. For server purposes, Ubuntu is the most concerning. Other enterprise distros, such as the Red Hat Enterprise Linux (RHEL) family, do not use the 5.15 kernel.
Here’s how you check:
$ uname -r
To see which kernel version you’re running.
If you’re running a susceptible kernel, check to see if the vulnerable module is present and actively running:
$ modinfo ksmb
What you want to see is that the module wasn’t found. If it’s loaded, you’ll want to upgrade to the Linux 5.15.61 kernel.
Many distros, unfortunately, have not moved to this kernel release yet. If that’s the case, you’ll need to disable this kernel module until a fix is released.