New Linux kernel SMB security flaw revealed

Potentially nasty, the new ksmbd's limited use in the field makes it a minor threat.



Before Christmas 2022, there was a truly nasty security hole in the Linux 5.15 in-kernel Server Message Block (SMB) server, ksmbd. It could be used to execute code in the kernel context. In short: Bad. But, the newest ksmbd security problem, discovered by the Sysdig Threat Team, is relatively minor.

Ksmbd, introduced to the kernel in 2021, was developed by Samsung. Its goal was to deliver speedy SMB3 file-serving performance. SMB is used in Windows and Linux--via Samba--as an important file server protocol. Most distributions do not have Ksmbd compiled into the kernel or enabled by default.

But, if you have it in your kernel and enabled, pay attention. CVE-2023-0210 is a hole in the program's New Technology LAN Manager (NTLM) authentication. A knowledgeable attacker, with remote access to the server and a valid user name, could abuse it to overflow the allocated heap buffer.

This overflow, according to Sysdig, is too large to be used for remote code exploitation. That's the good news. The bad news is it can still cause a kernel panic, which would cause a denial of service.

Who wants a crashed server? I don't.

Still, Red Hat gives CVE-2023-0210 a Common Vulnerability Scoring System (CVSS) rating of 5.9, which is important, but far from critical. No Red Hat Enterprise Linux (RHEL) version, by the by, has this bug.

It gets such a comparatively low rating because to exploit, you must have KSMBD enabled. Since it's deployed in a module, you must enable and configure Ksmbd yourself. That's not a trivial job. Besides, only a security idiot exposes SMB port, 455, to the Internet, since, with its access to file systems, it's just asking to be attacked.

If you are using it, upgrade to the newly released Linux Kernel 6.2 RC4 or higher.

It's important to note that this problem has nothing to do with Samba, which is commonly used on Linux desktops and file servers. As Jeremy Allison, Samba's co-creator, told me about the earlier, more serious, hole, "ksmbd shares no code with production Samba. It's completely from scratch. So, this current situation has nothing to do with the Samba file server you may be running on your systems." The same is true of this vulnerability.

Personally, I'd steer clear of ksmbd for now. It may be faster than Samba, but two security problems in a row are two too many. And, besides, Samba's been battle-tested for over 30 years. I know which one I'm trusting on my production servers.

Other noteworthy Linux and open-source stories: