Vulnerability in the Linux kernel's KSMBD module allowing remote code execution

A vulnerability allowing remote code execution has been identified in the KSMBD module, which implements an SMB-based file server built into the Linux kernel. It was fixed in kernel updates 5.15.61, 5.18.18 and 5.19.2, released in August 2022. Since no CVE identifier has yet been assigned to the problem, there is no precise information yet on which distributions have fixed it.

Details of how the vulnerability is exploited have not yet been disclosed; it is known only that it is caused by an access to already freed memory (use-after-free) due to a missing check that an object still exists before operations are performed on it. The problem is that in SMB2_TREE_DISCONNECT() the memory allocated for the KSMBD_TREE_CONNECT structure was freed, but a pointer to it was afterwards still used when processing certain external requests containing SMB2_TREE_DISCONNECT commands.
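The lifecycle bug described above, as an added illustration that is not the kernel's code: a hypothetical, simplified tree-connect model in C in which the disconnect handler frees the object, and the remedy is to clear the cached pointer so that any later command in the same request must verify the object still exists before using it. Struct and function names are assumed for the example.

```c
#include <errno.h>
#include <stdlib.h>
/* Hypothetical, simplified model of a tree-connect lifecycle (not ksmbd code). */
struct tree_connect { unsigned int id; };

/* Per-request context shared by all commands of one compound request. */
struct work { struct tree_connect *tcon; };

int handle_tree_connect(struct work *w, unsigned int id)
{
	struct tree_connect *t = calloc(1, sizeof(*t));
	if (!t)
		return -ENOMEM;
	t->id = id;
	w->tcon = t;   /* cache the object for this request */
	return 0;
}

/* Bug shape from the report: the object was freed but the pointer in the
 * request context was left in place, so a later command could touch freed
 * memory. The remedy is to drop the cached pointer at the point of release. */
int handle_tree_disconnect(struct work *w)
{
	if (!w->tcon)
		return -ENOENT;
	free(w->tcon);
	w->tcon = NULL;   /* without this line the pointer dangles */
	return 0;
}

/* Every later command verifies the object still exists before using it
 * rather than trusting whatever pointer was cached earlier. */
int handle_later_command(struct work *w)
{
	if (!w->tcon)
		return -ENOENT;   /* object gone: refuse instead of reading freed memory */
	return (int)w->tcon->id;
}

/* Scenario: TREE_CONNECT, TREE_DISCONNECT, then another command in the same
 * compound request; returns that command's result (-ENOENT once hardened). */
int compound_after_disconnect(void)
{
	struct work w = { 0 };
	if (handle_tree_connect(&w, 7) != 0)
		return -ENOMEM;
	if (handle_tree_disconnect(&w) != 0)
		return -EIO;
	return handle_later_command(&w);
}
```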

In addition to the vulnerability mentioned above, four less dangerous problems have also been fixed in KSMBD:

  • ZDI-22-1688 - remote code execution with kernel privileges because the file-attribute processing code did not check the actual size of external data before copying it into the allocated buffer. The severity is mitigated by the fact that the attack can only be carried out by an authenticated user.
  • ZDI-22-1691 - remote leak of kernel memory contents due to incorrect validation of input parameters in the SMB2_WRITE command handler (the attack can only be carried out by an authenticated user).
  • ZDI-22-1687 - remote denial of service through exhaustion of the memory available in the system, caused by incorrect release of resources in the SMB2_NEGOTIATE command handler (the attack can be carried out without authentication).
  • ZDI-22-1689 - remote kernel crash due to missing validation of SMB2_TREE_CONNECT command parameters, leading to a read outside the bounds of the buffer (the attack can only be carried out by an authenticated user).