
Linux Kernel ksmbd Use-After-Free Vulnerability

January 2, 2023

Summary: On 22 December 2022, the Zero Day Initiative (ZDI) published an advisory for a potential remote code execution (RCE) vulnerability in ksmbd, the Linux kernel's in-kernel SMB3 server. Affected are kernels from 5.15 (where ksmbd was introduced) through the unpatched 5.18.x and 5.19.x releases, but only on systems that have ksmbd enabled. According to ZDI, the flaw allows a remote attacker to execute arbitrary code on affected installations, and authentication is not required to exploit it. There is no indication of active exploitation or of threat actors currently targeting this vulnerability.

ZDI assigned the vulnerability a CVSS score of 10.0. The National Vulnerability Database (NVD) still lists all related CVEs as "under analysis" and has not assigned an official CVSS score.

 

Learn more about DeepSeas MDR+ (Managed Detection and Response) and Cyber Defense as a Service.

 

Analysis: ksmbd is an in-kernel SMB3 server that shares files over the network without a user-space server such as Samba; because it runs in kernel space, any memory-safety bug in its request parsing is a kernel bug. The flaw lies in the processing of SMB2_TREE_DISCONNECT commands: the handler operates on a tree connection object without first validating that the object still exists, so a request that refers to an already-released tree connection triggers a use-after-free. Since the bug is reachable without authentication and the code runs in the kernel, a successful exploit yields code execution in kernel context, i.e. full control of the host. The disclosure landed just before the holiday season, so mitigation and patching are likely to lag, and the reduced staffing many organizations run over the holidays raises the potential for threat actors to target these vulnerabilities in that window.
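
The object-lifetime check the analysis describes, as an added example that is not ksmbd's code: a small C model of a session holding SMB2 tree connections, with a disconnect handler written the vulnerable way (trusting a pointer cached for the request and leaving it dangling after the free) next to a hardened one that resolves the object from the request's TreeId, fails with STATUS_NETWORK_NAME_DELETED when it no longer exists, and clears the cached pointer. The session layout, the req_tcon field and the helper names are assumptions made for the example; the NTSTATUS values are the real SMB2 status codes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TCONS 8
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009Au
#define STATUS_NETWORK_NAME_DELETED   0xC00000C9u  /* SMB2 status for an unknown or stale TreeId */

/* One SMB2 tree connection (a share mounted inside a session). */
struct tree_conn {
    uint32_t tree_id;
    char     share[32];
};

/* Hypothetical session state (not ksmbd's real layout): the table of live
 * tree connections plus a pointer cached for the command being processed. */
struct session {
    struct tree_conn *tcons[MAX_TCONS];
    struct tree_conn *req_tcon;
};

static struct tree_conn *lookup_tcon(struct session *s, uint32_t tree_id)
{
    for (int i = 0; i < MAX_TCONS; i++)
        if (s->tcons[i] && s->tcons[i]->tree_id == tree_id)
            return s->tcons[i];
    return NULL;
}

/* Unlink the object from the table and free it: after this it does not exist. */
static void free_tcon(struct session *s, struct tree_conn *t)
{
    for (int i = 0; i < MAX_TCONS; i++)
        if (s->tcons[i] == t)
            s->tcons[i] = NULL;
    free(t);
}

/* SMB2_TREE_CONNECT: allocate a tree connection and cache it for the request. */
uint32_t tree_connect(struct session *s, uint32_t tree_id, const char *share)
{
    for (int i = 0; i < MAX_TCONS; i++) {
        if (s->tcons[i])
            continue;
        struct tree_conn *t = calloc(1, sizeof *t);
        if (!t)
            return STATUS_INSUFFICIENT_RESOURCES;
        t->tree_id = tree_id;
        strncpy(t->share, share, sizeof t->share - 1);
        s->tcons[i] = t;
        s->req_tcon = t;
        return STATUS_SUCCESS;
    }
    return STATUS_INSUFFICIENT_RESOURCES;
}

/* VULNERABLE pattern (for contrast): acts on the cached pointer without
 * confirming the object still exists and leaves it dangling after the free.
 * A second SMB2_TREE_DISCONNECT for the same id, e.g. later in a compound
 * request, would then operate on freed memory. */
uint32_t tree_disconnect_unsafe(struct session *s)
{
    struct tree_conn *t = s->req_tcon;   /* no existence check */
    free_tcon(s, t);                     /* s->req_tcon now dangles */
    return STATUS_SUCCESS;
}

/* HARDENED pattern: resolve the object from the request's TreeId, fail
 * cleanly if it is gone, and clear the cached pointer once it is freed. */
uint32_t tree_disconnect_safe(struct session *s, uint32_t tree_id)
{
    struct tree_conn *t = lookup_tcon(s, tree_id);
    if (!t)
        return STATUS_NETWORK_NAME_DELETED;
    free_tcon(s, t);
    s->req_tcon = NULL;                  /* nothing may reuse the stale pointer */
    return STATUS_SUCCESS;
}

/* Replays the bug class against the hardened handler: connect once, then
 * disconnect the same TreeId twice. Returns 1 when the second disconnect is
 * rejected instead of touching freed memory. */
int double_disconnect_is_rejected(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (tree_connect(&s, 1, "\\\\srv\\share") != STATUS_SUCCESS)
        return 0;
    if (tree_disconnect_safe(&s, 1) != STATUS_SUCCESS)
        return 0;
    return tree_disconnect_safe(&s, 1) == STATUS_NETWORK_NAME_DELETED
        && s.req_tcon == NULL;
}

/* Shows what the unsafe handler leaves behind, without dereferencing it:
 * returns 1 if the cached pointer still refers to the freed object even
 * though the session table no longer knows the TreeId. */
int unsafe_leaves_dangling_pointer(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (tree_connect(&s, 7, "\\\\srv\\share") != STATUS_SUCCESS)
        return 0;
    tree_disconnect_unsafe(&s);
    return s.req_tcon != NULL && lookup_tcon(&s, 7) == NULL;
}
```

The unsafe variant is included for contrast only and is never called twice here, since the second call would be the use-after-free itself. The point to carry to any request handler of this kind is that it must never act on a tree connection pointer it has not just resolved from the session table, and must null out any cached pointer the moment the object is freed.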

 

Several ksmbd issues were submitted to MITRE, which assigned the following CVEs; all are still awaiting NVD analysis and have no official CVSS score:

CVE-2022-47938
Description: An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.
Status: Awaiting Analysis. CVSS score: N/A.

CVE-2022-47939
Description: An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT (the flaw described in the analysis above).
Status: Awaiting Analysis. CVSS score: N/A.

CVE-2022-47940
Description: An issue was discovered in ksmbd in the Linux kernel before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.
Status: Awaiting Analysis. CVSS score: N/A.

CVE-2022-47941
Description: An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, i.e. a memory leak.
Status: Awaiting Analysis. CVSS score: N/A.

CVE-2022-47942
Description: An issue was discovered in ksmbd in the Linux kernel before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.
Status: Awaiting Analysis. CVSS score: N/A.

 

Actions: Upstream Linux has issued updates that correct these vulnerabilities; per the CVE descriptions above, the fixes are in kernel 5.18.18 and 5.19.2 and later, and distributions ship them as backported kernel updates. Before patching, confirm whether a host is exposed at all: only systems with the ksmbd module loaded (or built into the kernel) and the ksmbd.mountd user-space daemon from ksmbd-tools configured and running actually serve SMB. On exposed hosts that cannot be updated immediately, stop the ksmbd service and restrict SMB (TCP 445) to trusted networks until the kernel is patched.

 

The DeepSeas Cyber Threat Intel Unit will continue to monitor these events, watching for threat actors attempting to exploit these vulnerabilities, and will provide relevant updates. DeepSeas currently recommends applying vendor patches immediately.

The DeepSeas Cyber Threat Intel Unit will also track any exploitation tool or proof of concept (PoC) for these vulnerabilities. New indicators of compromise (IoCs) and indicators of attack (IoAs) will be added proactively to the Threat Watch monitoring included across its service tiers.

 

Please get in touch with your DeepSeas Customer Success Manager if you have any questions about this alert.
