This week, news shook the world of cybersecurity: a new critical vulnerability in the Linux kernel, more specifically in the kernel module "KSMBD", which implements the SMB3 protocol at the kernel level.
Exploitation of this vulnerability could allow arbitrary code to be executed by an unauthenticated user, which is why the vulnerability, when identified on 12/22/2022 as a "zero day", received a 10 on the CVSS scoring scale, the highest level of criticality (ZDI-22-1690). This new vulnerability has already received 6 CVEs from MITRE, namely: CVE-2022-47938, CVE-2022-47939, CVE-2022-47940, CVE-2022-47941, CVE-2022-47942 and CVE-2022-47943.
Confusing, incomplete, and inaccurate information
Despite the criticality of the subject, we found a lot of confusing, fragmented, incomplete and even erroneous information in forums, articles and social-network posts, leading many people either to unnecessary despair or to a false sense of security.
This divergent information even led to the creation and dissemination of scripts that promise to analyze whether the kernel is vulnerable but return unreliable results or, even worse, false negatives, further compounding the confusion on the subject.
Another point we noticed was the belief that simply updating the kernel to a version above 5.15.x would solve the problem. However, the vulnerability is also present in many releases of higher versions, which has generated more confusion and false negatives when analyzing environments.
How to test your kernel
Vulnerable kernel versions are 5.15.x (lower than 5.15.61), 5.16.x, 5.17.x, 5.18.x and 5.19.x (lower than 5.19.2).
To analyze whether your kernel is potentially vulnerable, the first step is to check whether its version is among those that contain the vulnerability. For this you can use the command: "uname -r".
If your kernel is one of the vulnerable versions, the next step is to check whether the KSMBD module exists. For this you can use the command: "modinfo ksmbd".
If it returns like the one below, then the module exists.
If the module exists, check whether it is loaded in the kernel; after all, if the vulnerable module is not loaded, the problematic code will not be executed. For that, you can use the command: "lsmod | grep ksmbd".
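The three checks above combined into shell functions, as an added example that is not the article's own check_ksmbd_kernel_vulnerability.sh: ksmbd_version_vulnerable parses a "uname -r" string against the ranges listed above, and ksmbd_exposed chains it with modinfo and lsmod. The function names and the --run flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's own script): the three manual checks above
# (version range, module present, module loaded) as shell functions.

# Return 0 when a "uname -r" string falls in a range the article lists:
#   5.15.x below 5.15.61; 5.16.x, 5.17.x, 5.18.x; 5.19.x below 5.19.2.
# Distributions backport fixes without bumping the upstream version, so a
# match here is a reason to check further, not proof of exposure.
ksmbd_version_vulnerable() {
    ver=${1%%-*}                      # 5.15.0-56-generic -> 5.15.0
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "5.16" has no patch level
    patch=${patch%%[!0-9]*}           # keep leading digits only
    if [ -z "$patch" ]; then patch=0; fi
    if [ "$major" != 5 ]; then return 1; fi
    case "$minor" in
        15) limit=61 ;;
        16|17|18) return 0 ;;
        19) limit=2 ;;
        *) return 1 ;;
    esac
    if [ "$patch" -lt "$limit" ]; then return 0; else return 1; fi
}

# Full decision chain on the running kernel: returns 0 only when the version
# is in a vulnerable range AND ksmbd exists AND it is currently loaded.
ksmbd_exposed() {
    release=$(uname -r)
    if ! ksmbd_version_vulnerable "$release"; then
        echo "kernel $release is outside the listed vulnerable ranges"; return 1
    fi
    if ! modinfo ksmbd >/dev/null 2>&1; then
        echo "kernel $release is in a vulnerable range, but no ksmbd module is available"; return 1
    fi
    if ! lsmod | grep -q '^ksmbd[[:space:]]'; then
        echo "ksmbd module exists but is not loaded: update, or keep it unloaded"; return 1
    fi
    echo "ALERT: kernel $release is vulnerable and ksmbd is loaded (update, or 'modprobe -r ksmbd')"
    return 0
}

# Run the chain only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    ksmbd_exposed
fi
```

Run it as "sh check.sh --run" on the host; the version test alone can be exercised by sourcing the file and calling ksmbd_version_vulnerable with any release string.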
What to do if my Kernel is vulnerable?
A good portion of people won't make it past this point, but if you're in the minority that received output like the one below, then sound the alarm!
At this point you have 2 viable options:
1) Update the kernel to a version containing the fix for this vulnerability;
2) Remove the kernel module and, with that, stop any and all services that use it, more specifically file sharing (shares) via SMB. For that, you can use the command: "modprobe -r ksmbd" with "sudo" or an account with root privileges.
Automating vulnerability testing
To facilitate the analysis of this vulnerability in your kernel, we provide a script that tests whether the kernel's KSMBD module is vulnerable.
You can access the script on GitHub: https://github.com/andrebarretosantos/security/blob/main/check_ksmbd_kernel_vulnerability.sh
In your Linux command line you can run the following sequence of commands:
$ wget https://raw.githubusercontent.com/andrebarretosantos/security/main/check_ksmbd_kernel_vulnerability.sh
$ chmod 700 check_ksmbd_kernel_vulnerability.sh
$ ./check_ksmbd_kernel_vulnerability.sh
Final recommendations
Regardless of whether your kernel is currently vulnerable or not, it is recommended to keep it updated with security patches, as well as the rest of your GNU/Linux operating system. After all, it is an operating system that is on the rise in companies around the world and, as it is increasingly used, it will consequently also be increasingly targeted by cyber criminals.