Vulnerability detected in ksmbd in the Linux kernel


If exploited, the flaw lets an unauthenticated remote attacker execute code in the context of the kernel on hosts that run the ksmbd SMB server.

It was recently disclosed that a vulnerability rated CVSS 10.0 had been found in the Linux kernel's in-kernel SMB server, ksmbd; it gives an unauthenticated remote user the ability to execute code.

The bug allows remote attackers to execute arbitrary code on affected installations. Authentication is not required to exploit it, but only systems with ksmbd enabled are vulnerable.

The specific flaw exists in the processing of SMB2_TREE_DISCONNECT commands. The problem results from not validating that an object exists before performing operations on it, so the object is used after it has already been freed. An attacker can exploit this to execute code in the context of the kernel.

VULNERABILITY DETAILS

The ksmbd design notes mention that, depending on the type of SMB request, each connection thread may decide to pass commands to user space (ksmbd.mountd); currently, DCE/RPC commands are the ones identified as handled by user space. To make better use of the kernel's existing infrastructure, commands are treated as work items and executed in ksmbd-io kworker thread handlers.

This allows the handlers to be multiplexed, because the kernel takes care of starting additional worker threads when the load increases and, conversely, destroys the extra worker threads when the load decreases.

When the server daemon starts, it launches a forker thread (ksmbd/interface name) and opens a dedicated port, 445, to listen for SMB requests. Each time a new client connects, the forker thread accepts the connection and creates a new thread that serves as a dedicated communication channel between that client and the server. This allows SMB requests (commands) from different clients to be processed in parallel while new clients continue to establish connections.

ksmbd raised red flags among some users when its merge into the kernel was discussed last year. SerNet, a German company that ships its own Samba distribution, said in a blog post that ksmbd was awesome but seemed a bit immature. SerNet's Samba+ team also stated in a blog post that the value of adding an SMB server to kernel space may not be worth the risk of "squeezing the last bit of performance out of the available stuff."

Fortunately, if you are not running Samsung's "experimental" ksmbd module, as security researcher Shir Tamari described it on Twitter, and have stayed with Samba, you are not affected. "ksmbd is new; most users still use Samba and are not affected. Basically, if you're not running SMB servers with ksmbd, enjoy your weekend," Tamari tweeted.

According to the Zero-Day Initiative (ZDI), which disclosed the ksmbd vulnerability, the use-after-free flaw exists in the processing of SMB2_TREE_DISCONNECT commands. According to ZDI, the problem is that ksmbd does not validate the existence of objects before performing operations on them.
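The bug class ZDI describes, as an added illustration that is not ksmbd's code: a per-request context caches a pointer to a tree connection, a TREE_DISCONNECT handler frees the connection without re-checking that it still exists or clearing the cached pointer, and a second TREE_DISCONNECT for the same TreeId then operates on the freed object. The names (tcon_lookup, tree_disconnect_vulnerable, struct work) and the fixed pool with a poison value standing in for kfree and slab poisoning are assumptions made so the example runs deterministically without a sanitizer; the only constant taken from the real protocol is the NT status STATUS_NETWORK_NAME_DELETED (0xC00000C9).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the vulnerable pattern described above; not ksmbd's real
 * data structures or handlers (assumption: names are illustrative). */

#define MAX_TCONS 4
#define POISON_ID 0xdeadbeefu            /* stands in for slab poisoning after free */

#define STATUS_SUCCESS              0x00000000u
#define STATUS_NETWORK_NAME_DELETED 0xC00000C9u   /* NT status for an unknown TreeId */

struct tree_conn {
    uint32_t id;     /* SMB2 TreeId */
    int in_use;      /* 0 once "freed" */
};

struct session {
    struct tree_conn pool[MAX_TCONS];   /* fixed pool instead of kmalloc/kfree */
};

struct work {                 /* per-request context, reused across a compound */
    struct session *sess;
    struct tree_conn *tcon;   /* cached tree connection for this request */
};

static struct tree_conn *tcon_lookup(struct session *s, uint32_t id)
{
    for (int i = 0; i < MAX_TCONS; i++)
        if (s->pool[i].in_use && s->pool[i].id == id)
            return &s->pool[i];
    return NULL;              /* object does not exist */
}

static struct tree_conn *tcon_connect(struct session *s, uint32_t id)
{
    for (int i = 0; i < MAX_TCONS; i++) {
        if (!s->pool[i].in_use) {
            s->pool[i].in_use = 1;
            s->pool[i].id = id;
            return &s->pool[i];
        }
    }
    return NULL;
}

/* "kfree": release the slot and poison it so a stale read is visible. */
static void tcon_free(struct tree_conn *tc)
{
    tc->in_use = 0;
    tc->id = POISON_ID;
}

/* Vulnerable pattern: trust the cached pointer, free the object, then keep
 * using it through the pointer that was never cleared or re-validated. */
static uint32_t tree_disconnect_vulnerable(struct work *w, uint32_t *rsp_tree_id)
{
    tcon_free(w->tcon);            /* object gone... */
    *rsp_tree_id = w->tcon->id;    /* ...but still dereferenced: use-after-free */
    return STATUS_SUCCESS;
}

/* Hardened pattern: resolve the object by TreeId at entry, fail cleanly if it
 * no longer exists, read what the response needs before freeing, and clear
 * the cached pointer so later commands in the compound cannot reuse it. */
static uint32_t tree_disconnect_fixed(struct work *w, uint32_t tree_id,
                                      uint32_t *rsp_tree_id)
{
    struct tree_conn *tc = tcon_lookup(w->sess, tree_id);

    if (!tc)                       /* the existence check the vulnerable path lacks */
        return STATUS_NETWORK_NAME_DELETED;
    *rsp_tree_id = tc->id;
    tcon_free(tc);
    w->tcon = NULL;
    return STATUS_SUCCESS;
}

/* Send two TREE_DISCONNECTs for the same TreeId through one handler;
 * returns the TreeId the second response carries, status via out-param. */
static uint32_t run_double_disconnect(int fixed, uint32_t *second_status)
{
    struct session sess;
    struct work w;
    uint32_t rsp_id = 0;
    const uint32_t tid = 0x11223344u;   /* constructed TreeId */

    memset(&sess, 0, sizeof(sess));
    w.sess = &sess;
    w.tcon = tcon_connect(&sess, tid);

    if (fixed) {
        tree_disconnect_fixed(&w, tid, &rsp_id);
        *second_status = tree_disconnect_fixed(&w, tid, &rsp_id);
    } else {
        tree_disconnect_vulnerable(&w, &rsp_id);
        *second_status = tree_disconnect_vulnerable(&w, &rsp_id);   /* UAF */
    }
    return rsp_id;
}

static uint32_t second_disconnect_tree_id(int fixed)
{
    uint32_t st = 0;
    return run_double_disconnect(fixed, &st);
}

static uint32_t second_disconnect_status(int fixed)
{
    uint32_t st = 0;
    run_double_disconnect(fixed, &st);
    return st;
}

int main(void)
{
    printf("vulnerable: second response TreeId=0x%08x status=0x%08x\n",
           second_disconnect_tree_id(0), second_disconnect_status(0));
    printf("fixed:      second response TreeId=0x%08x status=0x%08x\n",
           second_disconnect_tree_id(1), second_disconnect_status(1));
    return 0;
}
```

In the vulnerable run the second response is built from poisoned memory (TreeId 0xdeadbeef) while still reporting success; in a real kernel that stale read, or the second free, is what an attacker turns into memory corruption. The fixed run answers the second request with STATUS_NETWORK_NAME_DELETED because the lookup, not a cached pointer, decides whether the object exists.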

For those using ksmbd, there is a remedy besides switching to Samba: upgrade to Linux kernel version 5.15.61, released in August, or later (that number refers to the 5.15 stable series; check your distribution's kernel changelog for the corresponding backport). Whether a host is exposed at all can be checked by looking for the ksmbd module in the output of lsmod and for a listener on TCP port 445. The same kernel update also fixes other ksmbd issues: an out-of-bounds read in SMB2_TREE_CONNECT processing and a memory leak in smb2_handle_negotiate.

Finally, if you are interested in learning more, you can check the details at the following link.