New Linux Kernel Bug is a Patch Now or Disable Scenario

If you run Linux kernel 5.15 or later, you are potentially at risk from a critical (10 out of 10) vulnerability in the ksmbd kernel module, which is included in some Linux kernel versions. Perform an assessment ASAP and patch your kernel or remove the module if you're impacted.

Linux kernel 5.15 has a potentially 9.6 level vulnerability (out of 10) in the kernel. Search for impact and patch ASAP.

Vulnerability Details

Just in time for Christmas, we have a 9.6 (out of 10) vulnerability in some Linux kernels (5.15 and later) which can be exploited for Remote Code Execution (RCE) without authentication on network-enabled ports. Only systems where the ksmbd kernel module is enabled are vulnerable.

The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

Additional Details

Linux has issued an update to correct this vulnerability. More details can be found at:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.61

Disclosure Timeline

2022-07-26 – Vulnerability reported to vendor
2022-12-22 – Coordinated public release of advisory

CyberHoot Recommendation:

This is a Critical Vulnerability according to our Vulnerability Alert Management Process (VAMP). That’s the bad news. The good news is that the ksmbd kernel module might not be in use in your distros. Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04 and its descendants, Deepin Linux 20.3, and Slackware 15. For server purposes, Ubuntu is the most concerning. Other enterprise distros, such as the Red Hat Enterprise Linux (RHEL) family, do not use the 5.15 kernel.

Here’s how you check which kernel version you’re running:

$ uname -r

If you’re running a susceptible kernel, check to see if the vulnerable module is present and actively running:

$ modinfo ksmbd

What you want to see is that the module wasn’t found. If it’s loaded, you’ll want to upgrade to the Linux 5.15.61 kernel.

Many distros, unfortunately, have not moved to this kernel release yet. If that’s the case, you’ll need to disable this kernel module until a fix is released.
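
The checks above, plus one way to disable the module, as an added example that is not part of the original advisory. Function names and the `disable-ksmbd.conf` file name are assumptions; the version thresholds are the ones stated above (affected from 5.15, fixed upstream in 5.15.61).

```shell
#!/bin/sh
# Added example: ksmbd exposure triage. Version facts come from the advisory
# (affected from 5.15, fixed upstream in 5.15.61); all names are illustrative.

# Classify a `uname -r` string. Distro kernels may backport the fix without
# changing the upstream number, so "below-5.15.61" means "confirm with the
# vendor", and series newer than 5.15 are reported as "check-vendor".
kernel_status() {
    ver=${1%%[-+]*}                          # 5.15.0-56-generic -> 5.15.0
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "5.15" has no patch level
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 15 ]; }; then
        echo pre-5.15
    elif [ "$major" -eq 5 ] && [ "$minor" -eq 15 ]; then
        if [ "$patch" -ge 61 ]; then echo fixed-upstream; else echo below-5.15.61; fi
    else
        echo check-vendor
    fi
}

# "loaded" if ksmbd appears in a /proc/modules-format file, else "not-loaded".
# modinfo only shows the module exists on disk; this shows it is in the kernel.
module_loaded() {
    if [ -r "$1" ] && grep -q '^ksmbd ' "$1"; then echo loaded; else echo not-loaded; fi
}

# Write a modprobe rule that blocks future loads of ksmbd (run as root).
# The default path is an assumed file name. A module that is already loaded
# still has to be removed with `modprobe -r ksmbd` once nothing is using it.
block_ksmbd() {
    conf=${1:-/etc/modprobe.d/disable-ksmbd.conf}
    printf 'blacklist ksmbd\ninstall ksmbd /bin/false\n' > "$conf"
}

ksmbd_report() {
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_status "$rel")"
    if command -v modinfo >/dev/null 2>&1 && modinfo ksmbd >/dev/null 2>&1; then
        echo "ksmbd on disk: yes"
    else
        echo "ksmbd on disk: no"
    fi
    echo "ksmbd in running kernel: $(module_loaded /proc/modules)"
}

ksmbd_report
```

Running the script only reports; `block_ksmbd` is not called automatically and should be run as root once you have decided to disable the module.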