A critical vulnerability (CVE-2022-47939) has been identified in the ksmbd module, which implements an SMB-protocol file server built into the Linux kernel. The attack can be carried out without authentication; it is enough that the ksmbd module is active on the system. The problem has been present since kernel 5.15, released in November 2021, and was quietly fixed in updates 5.15.61, 5.18.18 and 5.19.2, published in August 2022. You can track the fix in distributions on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

Details of how the vulnerability is exploited have not yet been disclosed; it is only known that it is a use-after-free caused by the absence of a check that an object still exists before operations are performed on it. Specifically, in the smb2_tree_disconnect() function the memory allocated for the ksmbd_tree_connect structure was freed, but a pointer to it remained in use when processing certain external requests containing SMB2_TREE_DISCONNECT commands.
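The dangling-pointer pattern described above, as an added illustration in C that is not ksmbd's own code (the session table, the struct layout and the function names are hypothetical): the buggy disconnect frees the tree-connect object while the session still references it, and the fixed version unlinks the object before freeing it, so a repeated disconnect for the same id fails the existence check instead of reaching freed memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TCON 4  /* hypothetical per-session table size */

struct tree_connect { uint32_t id; char share[32]; };
struct session { struct tree_connect *tcon[MAX_TCON]; uint32_t next_id; };

/* Find an active tree connection by id; NULL when none exists. */
struct tree_connect *lookup_tcon(struct session *s, uint32_t id) {
    for (int i = 0; i < MAX_TCON; i++)
        if (s->tcon[i] && s->tcon[i]->id == id)
            return s->tcon[i];
    return NULL;
}
/* TREE_CONNECT: allocate a tree connection; returns its id, or 0 if full. */
uint32_t tree_connect(struct session *s, const char *share) {
    for (int i = 0; i < MAX_TCON; i++) {
        if (s->tcon[i]) continue;
        struct tree_connect *t = calloc(1, sizeof *t);
        if (!t) return 0;
        t->id = ++s->next_id;
        strncpy(t->share, share, sizeof t->share - 1);
        s->tcon[i] = t;
        return t->id;
    }
    return 0;
}
/* Bug pattern: the object is freed but the session still points at it, so a
 * repeated TREE_DISCONNECT (or any later use of the id) reaches freed memory. */
int tree_disconnect_buggy(struct session *s, uint32_t id) {
    struct tree_connect *t = lookup_tcon(s, id);
    if (!t) return -1;
    free(t);  /* s->tcon[i] now dangles */
    return 0;
}
/* Fix: unlink before freeing, so a later request naming the same id fails the
 * existence check instead of touching freed memory. */
int tree_disconnect(struct session *s, uint32_t id) {
    for (int i = 0; i < MAX_TCON; i++) {
        struct tree_connect *t = s->tcon[i];
        if (!t || t->id != id) continue;
        s->tcon[i] = NULL;
        free(t);
        return 0;
    }
    return -1;  /* unknown or already disconnected id */
}
```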

In addition to the vulnerability mentioned above, four less severe problems in ksmbd have also been fixed:

ZDI-22-1688 (CVE-2022-47942) – remote code execution with kernel privileges, because the file attribute processing code does not check the actual size of external data before copying it into the allocated buffer. The severity is mitigated by the fact that the attack can only be carried out by an authenticated user.
ZDI-22-1691 (CVE-2022-47940) – remote leak of kernel memory contents due to incorrect validation of input parameters in the SMB2_WRITE command handler (the attack can only be carried out by an authenticated user).
ZDI-22-1687 (CVE-2022-47941) – remote denial of service through exhaustion of available system memory, caused by incorrect release of resources in the SMB2_NEGOTIATE command handler (the attack can be carried out without authentication).
ZDI-22-1689 (CVE-2022-47938) – remote kernel crash due to insufficient checking of SMB2_TREE_CONNECT command parameters, resulting in a read beyond the buffer boundary (the attack can only be carried out by an authenticated user).

Support for running an SMB server using the ksmbd module has been included in the Samba package since release 4.16.0. Compared with a user-space SMB server, ksmbd is more efficient in terms of performance, memory consumption and integration with advanced kernel features. Ksmbd is positioned as a high-performance, embedded-ready extension to Samba, integrating with Samba tools and libraries as needed. The ksmbd code was written by Samsung's Namjae Jeon and LG's Hyunchul Lee, and is maintained in the kernel by Microsoft's Steve French, maintainer of the CIFS/SMB2/SMB3 subsystems in the Linux kernel and a longtime member of the Samba development team.