- Cybersecurity experts urged users to update to the latest Linux kernel to fix a CVSS 10 vulnerability.
- The flaw exists within the processing of SMB2_TREE_DISCONNECT commands and affects only systems with ksmbd enabled.
- The issue results from the lack of validating the existence of an object prior to performing operations on that object, and authentication is not required to exploit it.
High-severity vulnerabilities in the Linux kernel are rare, and a CVSS 10 vulnerability in the Linux kernel is rarer still. According to the advisory details published by the Zero Day Initiative, the Linux kernel has recently been fixed for a vulnerability with a CVSS score of 10.
ksmbd use-after-free RCE
According to the advisory, the researchers alerted the Linux Foundation about the vulnerability on 26 July 2022, and the coordinated public disclosure was published on 22 December 2022. Security experts advised IT teams to update to the latest Linux kernel version before the holiday break. According to the advisory,
« This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.
The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel. »
The vulnerability received the maximum severity rating on the Common Vulnerability Scoring System because it allows third parties to execute kernel-level code. However, experts stated that most businesses and enterprises aren’t affected because the majority of them use the more popular Samba suite instead of ksmbd.
SMB2_TREE_DISCONNECT commands are requests sent by a client that requests access to a given share on a server. Like other use-after-free vulnerabilities, the flaw lies in the handling of dynamically allocated memory, where blocks of data are continually allocated, freed and reallocated while a program runs. If the code does not check whether an object still exists before operating on it, and therefore uses a block that has already been freed, a third party may be able to place their own data where the cleared data used to be.
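The advisory's root cause, operating on an object without first validating that it exists, is easiest to see in a small model. The C program below is an added illustration, not ksmbd's code: it keeps a hypothetical per-session table of tree connects (the names `session`, `tree_connect`, `tree_connect_open` and `tree_disconnect` are assumptions made for this example) and shows the two defensive steps a disconnect handler needs: look the requested tree id up and reject the request when no live object carries it, and unlink the object from the table before freeing it so that a repeated or stray disconnect can no longer reach freed memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a simplified, hypothetical per-session table of tree
 * connects. It is not ksmbd's data structure; the type and function names
 * are assumptions made for illustration. A real server would also hold a
 * lock around the lookup-and-unlink sequence. */

#define MAX_TREES 8

struct tree_connect {
    uint32_t tree_id;
    char share_name[64];
};

struct session {
    struct tree_connect *trees[MAX_TREES]; /* NULL slot == no such tree */
};

void session_init(struct session *sess)
{
    memset(sess, 0, sizeof *sess);
}

/* Look a tree id up in the session table. Returns the slot index, or -1 if
 * no live object carries that id. This existence check is the step whose
 * absence turns a disconnect request into a use-after-free. */
static int find_tree_slot(const struct session *sess, uint32_t tree_id)
{
    for (int i = 0; i < MAX_TREES; i++) {
        if (sess->trees[i] != NULL && sess->trees[i]->tree_id == tree_id)
            return i;
    }
    return -1;
}

/* Handle a TREE_CONNECT: allocate an object and register it under tree_id. */
int tree_connect_open(struct session *sess, uint32_t tree_id, const char *share)
{
    if (find_tree_slot(sess, tree_id) >= 0)
        return -1; /* id already in use */
    for (int i = 0; i < MAX_TREES; i++) {
        if (sess->trees[i] == NULL) {
            struct tree_connect *tc = calloc(1, sizeof *tc);
            if (tc == NULL)
                return -1;
            tc->tree_id = tree_id;
            strncpy(tc->share_name, share, sizeof tc->share_name - 1);
            sess->trees[i] = tc;
            return 0;
        }
    }
    return -1; /* table full */
}

/* Handle a TREE_DISCONNECT defensively:
 * 1. validate that an object for tree_id exists (reject unknown or
 *    already-disconnected ids instead of touching a stale pointer);
 * 2. unlink it from the table before freeing, so a repeated request can no
 *    longer reach the freed memory. */
int tree_disconnect(struct session *sess, uint32_t tree_id)
{
    int slot = find_tree_slot(sess, tree_id);
    if (slot < 0)
        return -1; /* no such tree: nothing to operate on */
    struct tree_connect *tc = sess->trees[slot];
    sess->trees[slot] = NULL; /* unlink first, then release */
    free(tc);
    return 0;
}

/* Number of tree connects still registered in the session. */
int session_live_trees(const struct session *sess)
{
    int n = 0;
    for (int i = 0; i < MAX_TREES; i++)
        if (sess->trees[i] != NULL)
            n++;
    return n;
}

/* Scenario: connect once, then receive the same disconnect twice plus one for
 * an id that was never connected. Returns 1 when the first disconnect succeeds,
 * the two invalid ones are rejected, and the table ends up empty. */
int demo_double_disconnect(void)
{
    struct session sess;
    session_init(&sess);
    if (tree_connect_open(&sess, 1, "share1") != 0) return 0;
    if (tree_disconnect(&sess, 1) != 0) return 0;   /* first request: ok */
    if (tree_disconnect(&sess, 1) != -1) return 0;  /* repeat: rejected */
    if (tree_disconnect(&sess, 42) != -1) return 0; /* never connected */
    return session_live_trees(&sess) == 0;
}
```

Running `demo_double_disconnect()` returns 1: the second disconnect for tree id 1 and the disconnect for the unknown id 42 both fail the existence check and never touch freed memory, which is the behaviour the unchecked handler described in the advisory lacks.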
The vulnerability was discovered by Arnaud Gatignol, Quentin Minster, Florent Saudel, and Guillaume Teissier from Thalium Team.