A critical remote code execution vulnerability (CVE-2022-47939) has been identified in the ksmbd module of the Linux kernel. This means that remote attackers could potentially execute arbitrary code on affected systems running the Linux kernel without requiring authentication. However, it's important to note this vulnerability is only exploitable on systems with the ksmbd in-kernel module enabled. The vulnerability was first published as ZDI-22-1690 on December 22, 2022, by Zero Day Initiative and given a score of CVSS 10.0, before it was assigned a CVE.
The ksmbd module was only recently introduced in Linux 5.15, so it is not yet widely used. As a result, exploitable systems are not common.
What is CVE-2022-47939?
The vulnerability lies in the ksmbd module, an in-kernel SMB file server that was introduced in Linux 5.15 release on August 29, 2021.
A bug was discovered in the way SMB2_TREE_DISCONNECT commands are processed: the system does not verify whether an object exists before attempting to perform operations on it, allowing an attacker to potentially execute code with kernel-level privileges.
If you are using an SMB server with Samba, you are not affected by this vulnerability.
Wiz Research data: how many organizations are vulnerable?
The vulnerable ksmbd module is not enabled by default on most operating systems, so the likelihood of this vulnerability being exploited on most systems is relatively low. We can confirm according to Wiz data that systems utilizing this module are rare.
Which products are affected?
The vulnerability affects machines running Linux versions newer than 5.15 with ksmbd enabled.
** Additional Ubuntu releases are vulnerable, please refer to the vendors advisory for the latest updates.
Which actions should security teams take?
A patch was released in Linux version 5.15.61 that addresses this issue. To protect against exploitation of this vulnerability, it is advised to update to this version or a later one in order to fully mitigate the risk. Keeping your system up to date with the latest security patches is always a good practice to ensure the safety and security of your system.
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.
A new exploit method targeting CVE-2022-41080 and CVE-2022-41082 vulnerabilities in Exchange servers, which can bypass previous workarounds, has been discovered and exploited in the wild. Organizations should patch urgently.