CVE-2022-47939: Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability
Update: 12/29 - Additional information and product coverage has been added to this post, including a link to a recently published Tenable blog post.
Update: 12/28 - Additional plugin coverage has been released. More below.
On December 22, Trend Micro’s Zero Day Initiative published ZDI-22-1690 to publicly announce a use-after-free remote code execution vulnerability impacting the Linux Kernel. While the patch for this vulnerability was released in August, this is the first significant public release of technical details.
According to the advisory, this vulnerability would allow an unauthenticated, remote attacker to execute arbitrary code on impacted systems that have ksmbd enabled. Ksmbd is a Linux kernel server that implements the Server Message Block (SMB) protocol, which is used for sharing files over a network. Ksmbd is an alternative to Samba that runs inside the kernel rather than as a user-space daemon, so with ksmbd the SMB server is part of the kernel itself. This vulnerability stems from a lack of validation when processing SMB2_TREE_DISCONNECT commands.
This vulnerability received the highest possible CVSSv3 score of 10.0 and was patched in kernel version 5.15.61 on August 17. CVE-2022-47939 was assigned to this vulnerability on December 23.
Tenable is evaluating coverage and will be developing product coverage for this vulnerability for Linux distributions that have provided patches for the kernel. A list of Tenable plugins to identify this vulnerability can be found here and will be updated as additional coverage is released. This link uses a search filter to ensure that all matching Tenable coverage will appear as it becomes available. In addition, a detection plugin (plugin ID 169382) has been released to identify hosts where the ksmbd service is installed and potentially running. However, the ksmbd service does not report the version of the kernel it was built from and, therefore, the detection plugin should not be used as the sole test for whether a host is vulnerable. Tenable Research recommends relying on our plugins based on the specific Linux vendor advisories (linked above with the dynamic link filter) for the various Linux distributions to cover this CVE.
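The paragraph above makes two points a local triage script can check: whether the ksmbd module is actually loaded, and whether the running kernel predates the fix version named in this post (5.15.61). The script below is an added example, not Tenable's plugin code, and it does not replace the vendor-advisory plugins: distribution kernels backport fixes without changing the version string, and mainline branches numbered above 5.15 were cut before the August fix, so a "below 5.15.61" result means "consult your vendor advisory", never a definitive vulnerable/not-vulnerable verdict. The fix version, the /proc/modules check and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Tenable's plugin): local triage for CVE-2022-47939 on a Linux host.
# It reports whether the ksmbd module is loaded and whether the running kernel version
# is below 5.15.61, the fix version stated in the post. Distribution kernels often
# backport fixes without bumping the version, so the result is a prompt to check the
# vendor advisory, not proof of exposure.

FIXED_VERSION="5.15.61"   # fix version named in the post (assumed as the threshold here)

# version_lt A B: return 0 if dotted version A sorts before B, comparing numeric
# components left to right. Trailing suffixes such as "-generic" or "-1023-aws" are
# stripped before comparison; missing components are treated as 0 (5.15 < 5.15.61).
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    i=1
    while :; do
        # A trailing dot is appended so cut yields an empty field past the last component
        x=$(printf '%s.' "$a" | cut -d. -f"$i")
        y=$(printf '%s.' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal: not less-than
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# ksmbd_loaded: return 0 if the ksmbd kernel module is currently loaded.
# /proc/modules lists one loaded module per line, name first.
ksmbd_loaded() {
    [ -r /proc/modules ] && grep -q '^ksmbd ' /proc/modules
}

# triage KERNEL_VERSION: print a one-line verdict; return 0 when the version is below
# the fix version (vendor advisory check required), 1 otherwise.
triage() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "kernel $1 is below $FIXED_VERSION: check the vendor advisory for a backported fix"
        return 0
    fi
    echo "kernel $1 is at or above $FIXED_VERSION"
    return 1
}

main() {
    if ksmbd_loaded; then
        echo "ksmbd module is loaded on this host"
    else
        echo "ksmbd module is not loaded (a host cannot be reached via ksmbd unless it is)"
    fi
    triage "$(uname -r)" || :
    return 0
}

main
```

Run it as root or any user (both /proc/modules and `uname -r` are world-readable); the ksmbd line tells you whether the in-kernel SMB server is even active, and the version line tells you whether the kernel series is one where a vendor backport must be confirmed.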
For more information about the vulnerability, including Tenable product coverage, please visit our blog.