CVE-2022-47939 critical vulnerability in Linux kernel `ksmbd` module: everything you need to know

Critical RCE vulnerability found in Linux kernel's `ksmbd` module: remote attackers can execute code without authentication. The module is not enabled by default on most operating systems.

2 minutes read

A critical remote code execution vulnerability (CVE-2022-47939) has been identified in the ksmbd module of the Linux kernel. This means that remote attackers could potentially execute arbitrary code on affected systems running the Linux kernel without requiring authentication. However, it's important to note this vulnerability is only exploitable on systems with the ksmbd in-kernel module enabled. The vulnerability was first published as ZDI-22-1690 on December 22, 2022, by Zero Day Initiative and given a score of CVSS 10.0, before it was assigned a CVE. 

The ksmbd module was only recently introduced in Linux 5.15, so it is not yet widely used. As a result, exploitable systems are not common. 

What is CVE-2022-47939? 

The vulnerability lies in the ksmbd module, an in-kernel SMB file server that was introduced in Linux 5.15 release on August 29, 2021.  

A bug was discovered in the way SMB2_TREE_DISCONNECT commands are processed: the system does not verify whether an object exists before attempting to perform operations on it, allowing an attacker to potentially execute code with kernel-level privileges. 

If you are using an SMB server with Samba, you are not affected by this vulnerability.  

Wiz Research data: how many organizations are vulnerable?     

 The vulnerable ksmbd module is not enabled by default on most operating systems, so the likelihood of this vulnerability being exploited on most systems is relatively low. We can confirm according to Wiz data that systems utilizing this module are rare.   

Which products are affected? 

The vulnerability affects machines running Linux versions newer than 5.15 with ksmbd enabled.  

DistributionPackage name StatusVendor severity
Ubuntulinux

Impacted, fixed:  Jammy 5.15.0-53.59  Kinetic 5.19.0-16.16

Medium
UbuntuOtherNot impacted / In triage-
Debianlinux (pst)

Impacted, fixed:  Buster 4.19.249-2  Buster (security) 4.19.269-1  Bullseye 5.10.158-2  Bullseye (security) 5.10.149-2  Bookworm, sid 6.0.12-1

None assigned
Red HatAllNot impacted-

** Additional Ubuntu releases are vulnerable, please refer to the vendors advisory for the latest updates.

Which actions should security teams take? 

A patch was released in Linux version 5.15.61 that addresses this issue. To protect against exploitation of this vulnerability, it is advised to update to this version or a later one in order to fully mitigate the risk. Keeping your system up to date with the latest security patches is always a good practice to ensure the safety and security of your system. 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

References 

Zero-day initiative advisory

Ubuntu advisory

Debian advisory

Red Hat advisory

Tags:
#Security

Secure everything you build and run in the cloud

Organizations of all sizes and industries use Wiz to rapidly identify and remove the most critical risks in AWS, Azure, GCP, OCI, and Kubernetes so they can build faster and more securely.

Continue reading

OWASSRF, a new exploit for Exchange vulnerabilities, exploited in the wild: everything you need to know

A new exploit method targeting CVE-2022-41080 and CVE-2022-41082 vulnerabilities in Exchange servers, which can bypass previous workarounds, has been discovered and exploited in the wild. Organizations should patch urgently.

Automatically discover and secure your APIs with Wiz Dynamic Scanner

Wiz enhances its Dynamic Scanner to detect publicly exposed, unauthenticated APIs

Wiz introduces Dangling Domain Detection to help you prevent subdomain takeovers

Easily detect dangling domains to reduce the risk of phishing campaigns and cookie harvesting of organization’s customers.