Just what every Linux system administrator wants just before the holidays: A serious Linux kernel security bug. The Zero Day Initiative (ZDI), a zero-day security research firm, announced a new Linux kernel security bug. This hole allows authenticated remote users to disclose sensitive information and run code on vulnerable Linux kernel versions.
Also: Cybersecurity: These are the new things to worry about in 2023
How bad is it? Originally, the ZDI rated it a perfect 10 on the 0 to 10 common Vulnerability Scoring System (CVSS) scale. Now, the hole’s “only” a 9.6. That still counts as a “Patch it! Patch it now!” bug on anyone’s Linux server.
The problem lies in the Linux 5.15 in-kernel Server Message Block (SMB) server, ksmbd. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the kernel context.
This new program, which was introduced to the kernel in 2021, was developed by Samsung. Its point was to deliver speedy SMB3 file-serving performance. SMB is used in Windows in Linux, via Samba as a vital file server protocol. Ksmbd is not intended to replace Samba but to complement it. Samba and ksmbd developers are working on getting the programs to work in concert.
That said, Jeremy Allison, Samba’s co-creator, notes, “ksmbd shares no code with production Samba. It’s completely from scratch. So, this current situation has nothing to do with the Samba file server you may be running on your systems.”
Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants and Deepin Linux 20.3. For server purposes, Ubuntu is the most concerning. Other enterprise distros, such as the Red Hat Enterprise Linux (RHEL) family, do not use the 5.15 kernel. Not sure? Just run:
$ uname -r
To see which kernel version you’re running.
Then, if you’re running the susceptible kernel, to see if the vulnerable module is present and active run:
$ modinfo ksmb
What you want to see is that the module wasn’t found. If it’s loaded, you’ll want to upgrade to the Linux 5.15.61 kernel. Many distros, unfortunately, have not moved to this kernel release yet.
Some people have wondered if this is such a big deal, then why hasn’t it been given a Common Vulnerabilities and Exposures (CVE) number? Greg Kroah-Hartmann, the stable branch Linux kernel maintainer, explained, “kernel developers do not work with CVEs at all as they are not all that relevant for the most part for kernel issues.” True, “Some Linux companies still insist on assigning CVEs, but that’s primarily to help enable their internal engineering processes.”
Also: Want Deepin Desktop without privacy worries? Try ExTiX Linux
Others are concerned that such a problem could exist in a kernel program in the first place. As one person put it on Ycombinator, this “seems like a quite significant (external) attack surface to add to the kernel.” He’s not wrong. Windows SMB implementations have a long, ugly security history. In 2020, for example, SMBGhost, aka CoronaBlue, opened up Windows 10 PCs to SMB security attacks.
It’s not just outsiders that have been concerned about ksmbd’s security. Before this episode, Kees Cook, a senior Linux kernel security developer, wrote, “Some of these flaws are pretty foundational filesystem security properties that weren’t being tested for, besides the upsetting case of having buffer overflows in an in-kernel filesystem server.” Cook concluded, “I’m concerned about code quality here, and I think something needs to change about the review and testing processes.”
Fixes were made, but this latest episode shows that the code needs more cleaning and securing before I, for one, am ready to trust it in production. You’d be wise to patch the kernel for now and hold off using it, too, in favor of Samba for the time being.