Full Report
Critical RCE vulnerability found in Linux kernel's `ksmbd` module: remote attackers can execute code without authentication. The module is not enabled by default on most operating systems.
Analysis Summary
# Vulnerability: Critical RCE in Linux Kernel ksmbd Module via Improper SMB2_TREE_DISCONNECT Handling
## CVE Details
- CVE ID: CVE-2022-47939
- CVSS Score: 10.0 (Critical)
- CWE: 772 (Missing or incomplete logic: Improper Resource State) - *Inferred from description of attempting operations on a non-existent object.*
## Affected Systems
- Products: Linux Kernel (specifically those using the `ksmbd` in-kernel SMB file server module)
- Versions: Linux kernel versions from **5.15** (where `ksmbd` was introduced) up to the fixed versions listed under Remediation. **Note:** The module is not enabled by default in most distributions.
- Configurations: Systems running the Linux kernel with the **`ksmbd` module explicitly enabled**. Systems using Samba are **not** affected.
## Vulnerability Description
This critical vulnerability exists within the in-kernel SMB file server module, `ksmbd`, introduced in Linux kernel version 5.15. The flaw resides in how the module processes `SMB2_TREE_DISCONNECT` commands. Specifically, the module fails to verify whether the object referenced by the command still exists before operating on it. This missing check allows a remote, unauthenticated attacker to trigger improper resource handling, potentially leading to arbitrary code execution with kernel-level privileges.
## Exploitation
- Status: Not reported as exploited in the wild in the referenced advisories; the CVSS 10.0 rating nonetheless indicates a high threat. PoC availability is not explicitly mentioned, but is implied by the ZDI advisory.
- Complexity: Low (Remote, Unauthenticated)
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Upgrade Linux kernel to version **5.15.61 or later**.
- **Specific Distribution Fixed Versions:**
  - **Ubuntu:** Jammy 5.15.0-53.59, Kinetic 5.19.0-16.16 (refer to the Ubuntu advisory for the complete list).
  - **Debian:** Buster 4.19.249-2 / 4.19.269-1, Bullseye 5.10.158-2 / 5.10.149-2, Bookworm/Sid 6.0.12-1.
### Workarounds
- Disable or remove the `ksmbd` in-kernel module if it is not required. (This is the primary mitigating configuration change, as the module is often not enabled by default.)
## Detection
- Indicators of compromise are not provided in the referenced advisories.
- **Detection methods and tools:** Security teams using Wiz can leverage the pre-built query in the Wiz Threat Center to search their environment for vulnerable instances running the `ksmbd` kernel module. Monitoring for unusual `SMB2_TREE_DISCONNECT` commands against systems hosting the `ksmbd` service can also be relevant while other mitigations are not yet applied.
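A host-side triage check for the two exposure conditions this report names (the `ksmbd` module active and a kernel in the affected range), written as an added example rather than code from Wiz or the cited advisories. The `/proc/modules` sample text is constructed, and because distributions backport fixes (Ubuntu Jammy's fixed kernel still reports `5.15.0-53-generic`), the version check is a first pass only and defers to the distribution advisory.

```shell
#!/bin/sh
# Triage helper for CVE-2022-47939 (added example, not part of the advisory).
# Exposure requires BOTH the ksmbd module loaded AND an affected kernel.
# Mainline fix per the report: 5.15.61. Distro kernels keep their base version
# after backporting, so "possibly-vulnerable" must be confirmed against the
# distribution's own advisory before it is treated as a finding.

# classify_kernel RELEASE: prints unaffected | possibly-vulnerable | fixed | check-distro-advisory
classify_kernel() {
  base=${1%%-*}                       # "5.15.0-53-generic" -> "5.15.0"
  maj=${base%%.*}
  rest=${base#*.}
  min=${rest%%.*}
  pat=${rest#*.}
  [ "$pat" = "$rest" ] && pat=0       # a bare "5.15" has no patch field
  if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 15 ]; }; then
    echo unaffected                   # ksmbd did not exist before 5.15
  elif [ "$maj" -eq 5 ] && [ "$min" -eq 15 ]; then
    if [ "$pat" -ge 61 ]; then echo fixed; else echo possibly-vulnerable; fi
  else
    echo check-distro-advisory        # 5.16+ / 6.x: fixed build is distribution-specific
  fi
}

# ksmbd_loaded MODULES_TEXT: succeeds if /proc/modules-style text lists ksmbd as loaded.
ksmbd_loaded() {
  printf '%s\n' "$1" | grep -q '^ksmbd '
}

# assess RELEASE MODULES_TEXT: one-line verdict combining both conditions.
assess() {
  if ! ksmbd_loaded "$2"; then
    echo "ksmbd not loaded: not exposed (blacklist the module anyway if it is not needed)"
    return 0
  fi
  echo "ksmbd loaded, kernel $1: $(classify_kernel "$1")"
}

# Constructed sample inputs in /proc/modules format (not captured from a real host).
SAMPLE_MODULES_WITH_KSMBD='ksmbd 393216 2 - Live 0x0000000000000000
cifs 1290240 0 - Live 0x0000000000000000'
SAMPLE_MODULES_WITHOUT_KSMBD='cifs 1290240 0 - Live 0x0000000000000000'

# On a live host:  assess "$(uname -r)" "$(cat /proc/modules)"
assess "5.15.0-39-generic" "$SAMPLE_MODULES_WITH_KSMBD"
assess "5.15.0-39-generic" "$SAMPLE_MODULES_WITHOUT_KSMBD"
```

A module that is merely loadable (present under `/lib/modules` but not listed in `/proc/modules`) is not caught here, so pair this with the workaround above and blacklist `ksmbd` where it is not required.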
## References
- Zero Day Initiative advisory: hxxps://www.zerodayinitiative.com/advisories/ZDI-22-1690/
- Ubuntu advisory: hxxps://ubuntu.com/security/CVE-2022-47939
- Debian advisory: hxxps://security-tracker.debian.org/tracker/CVE-2022-47939
- Red Hat advisory: hxxps://access.redhat.com/security/cve/cve-2022-47939