Linux has issued an update to address a kernel-level security vulnerability that affected server message block (SMB) servers.
The remote code execution (RCE) flaw allowed unauthenticated users to execute kernel-level code and received the maximum possible severity rating on the common vulnerability reporting system (CVSS).
RELATED RESOURCE
Most businesses and enterprise users are believed to be safe from any potential exploitation given that the vulnerability only affected the lesser-used KSMBD module rather than the more popular Samba suite.
Specifically, the vulnerability lies in the processing of SMB2_TREE_DISCONNECT commands - packet requests sent by the client to request access to a given share on a server.
“The issue results from the lack of validating the existence of an object prior to performing operations on the object,” read the public advisory posted by the Zero Day Initiative (ZDI). “An attacker can leverage this vulnerability to execute code in the context of the kernel.”
The type of vulnerability is classified as a ‘use-after-free’ flaw and these are somewhat common in software, albeit severe, since they often allow for code execution and replacement.
Use-after-free vulnerabilities relate to issues in the allocation of dynamic memory in applications.
Dynamic memory involves continuous reallocation of blocks of data within a program and when headers don't properly check which sections of dynamic memory are available for allocation, it can allow an attacker to place their own code where data has been cleared.
Security researcher Shir Tamari likened the ramifications of a potential exploit - the leaking of a server’s memory - to that of Heartbleed, the 2014 vulnerability that allowed users to view data on any website using OpenSSL.
“KSMBD is new; most users still use Samba and are not affected,” he added. “Basically, if you are not running SMB servers with KSMBD, enjoy your weekend.”
According to the ZDI, the issue was discovered by a quartet of researchers working at the Thalium Team, a division of Thales focused on threat intelligence, vulnerability research, and red team development.
The researchers alerted the Linux Foundation to the flaw on 26 July 2022 and the coordinated public disclosure was released on Thursday.
Before the Holiday break, IT teams should audit their environments to ensure any potential exposures are updated to the latest Linux version. More details can be found in the official changelog.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
