Linux fixes maximum-severity kernel vulnerability

Malware represented by red and blue digital binary code
(Image credit: Shutterstock)

Linux has issued an update to address a kernel-level security vulnerability that affected server message block (SMB) servers.

The remote code execution (RCE) flaw allowed unauthenticated users to execute kernel-level code and received the maximum possible severity rating on the common vulnerability reporting system (CVSS).


Six myths of SIEM

Things have changed when it comes to SIEM solutions


Most businesses and enterprise users are believed to be safe from any potential exploitation given that the vulnerability only affected the lesser-used KSMBD module rather than the more popular Samba suite.

Specifically, the vulnerability lies in the processing of SMB2_TREE_DISCONNECT commands - packet requests sent by the client to request access to a given share on a server.

“The issue results from the lack of validating the existence of an object prior to performing operations on the object,” read the public advisory posted by the Zero Day Initiative (ZDI). “An attacker can leverage this vulnerability to execute code in the context of the kernel.”

The type of vulnerability is classified as a ‘use-after-free’ flaw and these are somewhat common in software, albeit severe, since they often allow for code execution and replacement.

Use-after-free vulnerabilities relate to issues in the allocation of dynamic memory in applications.

Dynamic memory involves continuous reallocation of blocks of data within a program and when headers don't properly check which sections of dynamic memory are available for allocation, it can allow an attacker to place their own code where data has been cleared.

Security researcher Shir Tamari likened the ramifications of a potential exploit - the leaking of a server’s memory - to that of Heartbleed, the 2014 vulnerability that allowed users to view data on any website using OpenSSL.

“KSMBD is new; most users still use Samba and are not affected,” he added. “Basically, if you are not running SMB servers with KSMBD, enjoy your weekend.”

According to the ZDI, the issue was discovered by a quartet of researchers working at the Thalium Team, a division of Thales focused on threat intelligence, vulnerability research, and red team development.

The researchers alerted the Linux Foundation to the flaw on 26 July 2022 and the coordinated public disclosure was released on Thursday.

Before the Holiday break, IT teams should audit their environments to ensure any potential exposures are updated to the latest Linux version. More details can be found in the official changelog.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.