CVE-2022-47939 critical vulnerability in Linux kernel `ksmbd` module: everything you need to know

Critical RCE vulnerability found in Linux kernel's `ksmbd` module: remote attackers can execute code without authentication. The module is not enabled by default on most operating systems.

2 minutes read

A critical remote code execution vulnerability (CVE-2022-47939) has been identified in the ksmbd module of the Linux kernel. This means that remote attackers could potentially execute arbitrary code on affected systems running the Linux kernel without requiring authentication. However, it's important to note this vulnerability is only exploitable on systems with the ksmbd in-kernel module enabled. The vulnerability was first published as ZDI-22-1690 on December 22, 2022, by Zero Day Initiative and given a score of CVSS 10.0, before it was assigned a CVE. 

The ksmbd module was only recently introduced in Linux 5.15, so it is not yet widely used. As a result, exploitable systems are not common. 

What is CVE-2022-47939? 

The vulnerability lies in the ksmbd module, an in-kernel SMB file server that was introduced in Linux 5.15 release on August 29, 2021.  

A bug was discovered in the way SMB2_TREE_DISCONNECT commands are processed: the system does not verify whether an object exists before attempting to perform operations on it, allowing an attacker to potentially execute code with kernel-level privileges. 

If you are using an SMB server with Samba, you are not affected by this vulnerability.  

Wiz Research data: how many organizations are vulnerable?     

 The vulnerable ksmbd module is not enabled by default on most operating systems, so the likelihood of this vulnerability being exploited on most systems is relatively low. We can confirm according to Wiz data that systems utilizing this module are rare.   

Which products are affected? 

The vulnerability affects machines running Linux versions newer than 5.15 with ksmbd enabled.  

DistributionPackage name StatusVendor severity
Ubuntulinux

Impacted, fixed:  Jammy 5.15.0-53.59  Kinetic 5.19.0-16.16

Medium
UbuntuOtherNot impacted / In triage-
Debianlinux (pst)

Impacted, fixed:  Buster 4.19.249-2  Buster (security) 4.19.269-1  Bullseye 5.10.158-2  Bullseye (security) 5.10.149-2  Bookworm, sid 6.0.12-1

None assigned
Red HatAllNot impacted-

** Additional Ubuntu releases are vulnerable, please refer to the vendors advisory for the latest updates.

Which actions should security teams take? 

A patch was released in Linux version 5.15.61 that addresses this issue. To protect against exploitation of this vulnerability, it is advised to update to this version or a later one in order to fully mitigate the risk. Keeping your system up to date with the latest security patches is always a good practice to ensure the safety and security of your system. 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

References 

Zero-day initiative advisory

Ubuntu advisory

Debian advisory

Red Hat advisory

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management