Critical Linux Kernel Vulnerability Let Attackers Execute Arbitrary Code Remotely

SMB servers that have ksmbd enabled are vulnerable to hacking due to a major Linux kernel vulnerability (CVSS score of 10). 

KSMBD is a Linux kernel server that uses the SMB3 protocol to share files over the network in kernel space. On vulnerable Linux Kernel installations, an unauthenticated, remote attacker can run any programme.

Linux Kernel ksmbd Use-After-Free RCE

Researchers Arnaud Gatignol, Quentin Minster, Florent Saudel, and Guillaume Teissier from the Thalium Team at Thales Group found the vulnerability on July 26, 2022.

The problem was made known to the public on December 22, 2022.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable”, according to the advisory published by ZDI.

According to the reports, the SMB2 TREE DISCONNECT command processing is where the exact flaw is found. 

The problem arises from the failure to validate an object’s existence before performing operations on it. By taking advantage of this flaw, an attacker might execute code within the context of the kernel.

SMB servers using Samba are unaffected, according to researcher Shir Tamari, Head of Research at Wiz IO. He also noted that SMB servers using ksmbd are vulnerable to read access, which could cause server memory to leak (similar to the vulnerability Heartbleed).

“ksmbd is new; most users still use Samba and are not affected. Basically, if you are not running SMB servers with ksmbd, enjoy your weekend.” added Tamari.

Hence, IT teams should do an environmental assessment to make sure any potential vulnerabilities are patched using the most recent Linux release.

Managed DDoS Attack Protection for Applications – Download Free Guide