Cybersecurity Threat Advisory: Linux Kernel Vulnerability

What is the threat?

The Linux kernel is the main component of a Linux operating system, responsible for the communication between the computer hardware and its processes. Unlike the more popular Server Message Block (SMB) Server, SAMBA, ksmbd operates in the kernel. This vulnerability could result in an attacker executing code or disclosing sensitive information on affected Linux kernel versions. According to ZDI, the specific bug relates to the handling of SMB2_WRITE commands.

Why is it noteworthy?

There have been a few devastating attacks that took advantage of security flaws in SMB. Attackers jump on the chance to exploit an SMB vulnerability. Its prevalent use in Windows or Linux file and printer sharing and remote access make it a desirable target for malware or ransomware that spreads itself. For example, in 2017, WannaCry utilized an SMB vulnerability to infect an estimated 300,000 machines. Other notable attacks include NotPetya, Emotet, and TrickBot.

What is the exposure or risk?

While it may not be as popular as the Linux SAMBA server, ksmbd is still in used by organizations. Developed by Samsung, it is designed to deliver fast SMB3 file-serving performance. Any Linux distributions running the ksmbd server and uses the kernel 5.15 is potentially vulnerable. This includes multiple versions of Ubuntu and Deepin.

What are the recommendations?

Barracuda MSP recommends the following actions to ensure your protection:

Upgrade any affected Linux kernel versions immediately.
- If running ksmbd server, you can check the kernel version by running the following command:
  - $ uname -r
- If Linux kernel is 5.15 or above, upgrade to 5.15.61 immediately.
Review the update from Linux for an example of what the bug can look like.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.

Categories

Tags

Archives