Security Researchers Discover Critical Linux Kernel Flaw Affecting SMB Servers

The security research firm Zero Day Initiative (ZDI) has disclosed a critical vulnerability in the Linux kernel's SMB server. The flaw, which has a CVSS score of 10, could allow attackers to remotely execute code on vulnerable SMB servers.

The Thalium Team, a vulnerability research team, originally discovered the Linux kernel security flaw back in July 2022. It affects the ksmbd module, which was introduced in Linux kernel version 5.15. The vulnerability lies in the way SMB2_TREE_DISCONNECT commands are processed: ksmbd doesn’t validate that an object exists before performing operations on it.

Ksmbd is an open-source Linux kernel module that implements a Server Message Block (SMB) server for sharing files and IPC services over a network. “This is not meant to replace Samba, but rather be an extension to allow better optimizing for Linux, and will continue to integrate well with Samba user space tools and libraries where appropriate,” the Samba team explained.

The security flaw affects Linux kernel version 5.15 or above

According to the Zero Day Initiative, the security vulnerability potentially affects Linux kernel 5.15 or higher. Affected distributions include Ubuntu 22.04 and above as well as Deepin Linux 20.3. Security researcher Shir Tamari explained on Twitter that the flaw doesn’t impact users who are still using Samba.

https://twitter.com/shirtamari/status/1606031277236187136

If you’re still using the experimental ksmbd module, it’s highly recommended to update to Linux kernel version 5.15.61 or newer. The update was released in August and it includes fixes for many other problems. For instance, it patches memory leaks in smb2_handle_negotiate and addresses another bug that could cause message validation issues due to invalid requests.
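The update advice above can be turned into a host check. The following is an added example, not code from ZDI or the kernel project: it classifies a kernel release string using only the two version facts in this article (ksmbd arrived in 5.15, the 5.15 series is fixed from 5.15.61) and whether a `ksmbd` line is present in `/proc/modules`. The function name and result labels are constructed, and reporting `unknown-branch` for any series other than 5.15 is a conservative assumption, because the article names no fixed release for those series.

```shell
#!/bin/sh
# Added example (not ZDI or kernel project code). Facts taken from the article:
# ksmbd first shipped in Linux 5.15; the 5.15 series is fixed from 5.15.61.

# ksmbd_exposure RELEASE [MODULES_FILE]
# Prints: no-ksmbd | not-loaded | needs-update | fixed | unknown-branch
ksmbd_exposure() {
    release=$1
    modules=${2:-/proc/modules}   # second argument exists so the check is testable

    # Reduce e.g. "5.15.0-56-generic" to its leading dotted numeric part.
    ver=${release%%[!0-9.]*}
    case $ver in
        *.*) ;;
        *)   echo unknown-branch; return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    patch=${patch:-0}
    case "$major.$minor" in
        .*|*.) echo unknown-branch; return 2 ;;
    esac

    # Kernels older than 5.15 do not contain the module at all.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 15 ]; }; then
        echo no-ksmbd; return 0
    fi
    # A loaded ksmbd module appears as a line starting "ksmbd " in /proc/modules.
    if ! grep -q '^ksmbd ' "$modules" 2>/dev/null; then
        echo not-loaded; return 0
    fi
    if [ "$major" -eq 5 ] && [ "$minor" -eq 15 ]; then
        if [ "$patch" -lt 61 ]; then echo needs-update; return 1; fi
        echo fixed; return 0
    fi
    # The article names a fixed release only for 5.15.x; do not guess for others.
    echo unknown-branch; return 2
}
```

Run it as `ksmbd_exposure "$(uname -r)"`. Distribution kernels often backport fixes without changing the upstream version string, so treat `needs-update` on a vendor kernel as a prompt to check the vendor's advisory.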