Linux Critical Kernel-Level Bug Affects SMB Servers
Vulnerability With CVSS Score of 10 Affects KSMBD-Enabled Servers
A critical vulnerability in a Linux kernel server used for file sharing may allow attackers to remotely hack into a system with maximum execution privileges.
The vulnerability, which has a CVSS score of 10, affects KSMBD-enabled servers. KSMBD is a Linux kernel server that allows employees to share files across an internal network.
An unauthenticated user could exploit the vulnerability to execute kernel-level arbitrary code on the vulnerable systems, according to Trend Micro's Zero Day Initiative.
Since the KSMBD module is not as popular as the Samba suite, the potential impact of the vulnerability may be limited despite its severity, says Shir Tamari, head of research at Wiz, a cloud security startup. "The vulnerability only affects SMB servers using the experimental ksmbd module introduced in Linux 5.15. If your SMB server uses Samba, you're safe," Tamari says.
The vulnerability is found in the processing of SMB2_TREE_DISCONNECT/SMB2_WRITE commands. "The issue results from the lack of validating the existence of an object prior to performing operations on the object," the report says.
Those using KSMBD must update their software to Linux kernel version 5.15.61 or later. The changelog contains additional details.
This type of vulnerability is classified as a "use-after-free" bug, according to Linux's changelog. Kaspersky defines a UAF as a vulnerability arising from incorrect use of dynamic memory during program operation: if, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to compromise the program.
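The pattern the report describes, a disconnect that frees an object and a later command that operates on it without checking it still exists, is easiest to see in a small model. The following is an added illustration written for this article, not code from the Linux kernel or the ksmbd module: the tree-connection table, its fixed size, and the function names are all hypothetical. It shows the unsafe disconnect shape (which leaves a dangling pointer in the table) beside a hardened version that clears the slot, and a write path that validates the object's existence before touching it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a per-session table of tree connections (constructed
 * for illustration; not the kernel's ksmbd code). Each tree connection owns a
 * small buffer that a write command copies data into. */
#define MAX_TREES 4
#define TREE_BUF_SIZE 64

struct tree_conn {
    unsigned int id;
    char buf[TREE_BUF_SIZE];
};

struct session {
    struct tree_conn *trees[MAX_TREES];
};

/* Connect: allocate a tree connection in the first free slot. Returns the
 * slot id, or -1 when the table is full or allocation fails. */
int tree_connect(struct session *s)
{
    for (int i = 0; i < MAX_TREES; i++) {
        if (s->trees[i] == NULL) {
            struct tree_conn *t = calloc(1, sizeof(*t));
            if (t == NULL) return -1;
            t->id = (unsigned int)i;
            s->trees[i] = t;
            return i;
        }
    }
    return -1;
}

/* UNSAFE shape, kept only for contrast and never called by the scenario
 * below: the object is freed but the table still holds a pointer to it, so a
 * later command using the same id operates on freed memory. */
int tree_disconnect_unsafe(struct session *s, int id)
{
    if (id < 0 || id >= MAX_TREES || s->trees[id] == NULL) return -1;
    free(s->trees[id]);
    /* bug: s->trees[id] is now a dangling pointer */
    return 0;
}

/* Hardened disconnect: clear the slot after freeing so no later lookup can
 * find the dead object. */
int tree_disconnect(struct session *s, int id)
{
    if (id < 0 || id >= MAX_TREES || s->trees[id] == NULL) return -1;
    free(s->trees[id]);
    s->trees[id] = NULL;
    return 0;
}

/* Write: check that the tree connection still exists before operating on it.
 * Returns the number of bytes copied, or -1 for a bad or disconnected id. */
int tree_write(struct session *s, int id, const char *data, size_t len)
{
    if (id < 0 || id >= MAX_TREES) return -1;
    struct tree_conn *t = s->trees[id];
    if (t == NULL) return -1;          /* object-existence check */
    if (len > TREE_BUF_SIZE) len = TREE_BUF_SIZE;
    memcpy(t->buf, data, len);
    return (int)len;
}

/* Scenario: connect, write, disconnect, then write again to the stale id.
 * With the hardened functions the second write is rejected. Returns 1 when
 * every step behaves as expected, 0 otherwise. */
int stale_write_rejected(void)
{
    struct session s;
    memset(&s, 0, sizeof(s));
    int id = tree_connect(&s);
    if (id < 0) return 0;
    if (tree_write(&s, id, "hello", 5) != 5) return 0;
    if (tree_disconnect(&s, id) != 0) return 0;
    /* the slot is NULL now, so this must fail instead of touching freed memory */
    return tree_write(&s, id, "after-free", 10) == -1;
}

int main(void)
{
    printf("stale write rejected: %d\n", stale_write_rejected());
    return 0;
}
```

The point of the hardened pair is that both halves are needed: clearing the slot on disconnect removes the dangling reference, and the existence check in the write path means a stale id is an error rather than a memory access. Building with AddressSanitizer (`-fsanitize=address`) and calling the unsafe variant in a test harness is the usual way to confirm that a detector flags the original pattern.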
Tamari compared this vulnerability's exploitation to that of the popular OpenSSL flaw dubbed Heartbleed, from 2014. Heartbleed exposed a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the internet for applications such as web, email, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).
The bug allowed anyone on the internet to read the memory of systems protected by vulnerable versions of the OpenSSL software, similar to what this SMB server flaw allows attackers to do.
The latest kernel-level vulnerability was reported to Linux on July 26 by researchers Arnaud Gatignol, Quentin Minster, Florent Saudel and Guillaume Teissier. They're all members of the Thalium Team, a division of Thales focused on threat intelligence, vulnerability research and red team development.