Back to work, Linux admins: You have a CVSS 10 kernel bug to address – The Register


Merry Christmas, Linux systems administrators: Here’s a kernel vulnerability with a CVSS score of 10 in your SMB server for the holiday season giving an unauthenticated user remote code execution. 

Yes, this sounds bad, and a score of 10 isn’t reassuring at all. Luckily for the sysadmins reaching for more brandy to pour in that eggnog, it doesn’t appear to be that widespread.

Discovered in July by the Thalium Team, the vulnerability research team at French aerospace firm Thales Group, the vulnerability is specific to the ksmbd module that was added to the Linux kernel in version 5.15. Disclosure was responsibly held until a patch was issued.

Unlike that other popular SMB server for Linux, which runs in userspace, ksmbd operates in the kernel. That triggered alarm bells among some users discussing its merge last year. 

SerNet, a German IT firm that offers its own version of Samba, said in a blog post that ksmbd was impressive, but said it appeared somewhat immature. Furthermore, the Samba+ team from SerNet said in a blog post, the value of adding an SMB server to kernel space might not be worth the risk to “squeeze the last bit of performance out of the available hardware.” 

ksmbd was developed by Samsung to implement server-side SMB3 with optimized performance and a smaller footprint. The vulnerability could let an attacker leak an SMB server’s memory, similar to the Heartbleed attack.

Fortunately, if you aren’t running Samsung’s “‘experimental’ ksmbd module,” as security researcher Shir Tamari described it on Twitter, and have stuck with Samba you’re perfectly safe. 

“ksmbd is new; most users still use Samba and are not affected. Basically, if you are not running SMB servers with ksmbd, enjoy your weekend,” Tamari said on Twitter.

According to the Zero-Day Initiative, which disclosed the ksmbd vulnerability, the use-after-free flaw exists in the processing of SMB2_TREE_DISCONNECT commands. According to ZDI, the issue is due to ksmbd not validating the existence of objects prior to performing operations on them. 

For those using ksmbd, there is a solution other than switching to Samba: updating to Linux kernel version 5.15.61, released in August, or a newer version.
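A quick exposure check a sysadmin could run against the two facts above (is ksmbd loaded, and is the kernel older than 5.15.61), as an added example that is not from the article or the ksmbd project. It assumes a vanilla kernel version string; distributions that backport the fix under an older version number will show as exposed even though they are patched.

```shell
#!/bin/sh
# Added exposure check, not code from the article or the ksmbd project.
# Verdict: is ksmbd loaded (or built in) AND is the running kernel older than
# 5.15.61, the first release the article names as carrying the fix.
# Assumption: a vanilla version string. Distributions that backport the patch
# under an older version number will show "exposed" here although they are fixed.

FIXED_VERSION="5.15.61"

# kernel_base VERSION: keep only the leading numeric part, e.g.
# "5.15.0-56-generic" -> "5.15.0"; ".0.0" is appended so every field exists.
kernel_base() {
    printf '%s.0.0' "$(printf '%s' "$1" | sed 's/[^0-9.].*//')"
}

# version_lt A B: true (exit 0) when kernel version A is strictly older than B,
# comparing major, minor and patch numerically.
version_lt() {
    a=$(kernel_base "$1"); b=$(kernel_base "$2"); i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# ksmbd_present: exit 0 if the ksmbd module is loaded or compiled into the kernel.
ksmbd_present() {
    [ -d /sys/module/ksmbd ] || grep -q '^ksmbd ' /proc/modules 2>/dev/null
}

# verdict KERNEL_VERSION PRESENT(0|1): prints not-loaded, exposed or patched.
verdict() {
    if [ "$2" -eq 0 ]; then echo "not-loaded"
    elif version_lt "$1" "$FIXED_VERSION"; then echo "exposed"
    else echo "patched"
    fi
}

# Run against this host. Per the article: no ksmbd, enjoy your weekend.
if ksmbd_present; then present=1; else present=0; fi
echo "kernel $(uname -r), ksmbd loaded=$present: $(verdict "$(uname -r)" "$present")"
```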

That kernel update also fixed a couple of other issues in ksmbd: an out-of-bounds read in SMB2_TREE_CONNECT handling, which the patch note said could allow invalid requests to skip message validation, and a memory leak in smb2_handle_negotiate, where memory was not being properly freed. 

Dodge “grift cards” by spending that holiday cash now

Lots of ready-made kit for would-be hackers can be found on the dark web; one trend recently noticed by the team at Cybersixgill has been gift card generators that not only guess card numbers but also check their validity by the thousands.

Like brute force password crackers, the tools being sold online randomly guess the digits of gift cards issued by companies like Amazon, Microsoft, Sony, Apple and others, with varying degrees of speed and accuracy based on how predictable a card’s number sequence is. 

Those generators are often paired with “checkers” that will run the generated gift card numbers against an issuer’s website to look for balance or activation status, which is then returned to the criminal behind the keyboard. 

Adi Bleih and Dov Lerner from Cybersixgill told The Register that using software of the kind being sold on the dark web to generate, guess and verify gift card …….

Source: https://news.google.com/__i/rss/rd/articles/CBMiQWh0dHBzOi8vd3d3LnRoZXJlZ2lzdGVyLmNvbS8yMDIyLzEyLzI0L2JhY2tfdG9fd29ya19saW51eF9hZG1pbnMv0gFFaHR0cHM6Ly93d3cudGhlcmVnaXN0ZXIuY29tL0FNUC8yMDIyLzEyLzI0L2JhY2tfdG9fd29ya19saW51eF9hZG1pbnMv?oc=5

