CVE-2022-47939: Critical RCE Vulnerability in Linux Kernel

CVE-2022-47939: Critical RCE Vulnerability in Linux Kernel

A critical remote code execution vulnerability in the Linux kernel has been publicly disclosed by Trend Micro’s Zero Day Initiative in its ZDI-22-1690 advisory. The vulnerability has been given a CVSSv3 of 10.0. There are no reports of active exploitation.

Background

On December 22, Trend Micro’s Zero Day Initiative (ZDI) released an advisory detailing a critical remote code execution (RCE) vulnerability in the Linux kernel. The affected component, ksmbd, is a Server Message Block (SMB) file server module released in August 2021 in kernel version 5.15. Initially, the vulnerability details were released without a CVE identifier, however MITRE eventually assigned it CVE-2022-47939 on December 23.

ZDI disclosed the vulnerability to the Linux team in July 2022, and was patched on August 17 in the 5.15.61 release.

Analysis

CVE-2022-47939 is a use-after-free vulnerability in the ksmbd SMB file server module of the Linux kernel. According to the advisory, this vulnerability would allow an unauthenticated, remote attacker to execute arbitrary code on impacted systems that have ksmbd enabled. The vulnerability has been given the highest possible CVSSv3 score of 10.0 and is considered critical severity.

The vulnerability exists in the SMB2_TREE_DISCONNECT function of the module, which fails to verify an object’s existence before it attempts performing operations on the object. However, because ksmbd is not widely adopted and is not enabled by default in most Linux operating systems, it is unlikely that active exploitation will be seen in the future.

Proof of concept

At the time this blog was published, no proof-of-concept code had been released for CVE-2022-47939.

Vendor response

The maintainers released patches in August 2022. Because the ksmbd module was recently introduced in kernel version 5.15 and is not enabled by default in most Linux operating system (OS) variants, most Linux users are likely unaffected. Below is a table of OS distributions that have so far commented on impact:

Distribution
Status
Red Hat Enterprise Linux (RHEL) 6-9
Not Affected
Debian buster
Not Affected
Debian bullseye
Not Affected
Debian Unstable
Affected, fixed in 5.19.6-1
Gentoo
Not Affected
Ubuntu bionic
Not Affected
Ubuntu focal
Not Affected
Ubuntu jammy
Affected (5.15.0-53.59), pending release
Ubuntu kinetic
Not Affected
Ubuntu trusty
Not Affected
Ubuntu upstream
Fixed in 6.0~rc1
Ubuntu xenial
Not Affected

Solution

As Linux distributions can vary significantly in their implementation of components, customers are advised to consult the vendor relevant to their distribution. Red Hat, Ubuntu and Debian have issued advisories.

Identifying affected systems

A list of Tenable plugins to identify thisvulnerability can be found here and will be updated as additional coverage is released. This link uses a search filter to ensure that all matching Tenable coverage will appear as it becomes available. In addition, a detection plugin (plugin ID 169382) has been released to identify hosts that have the ksmbd module enabled.

Get more information

ZDI advisory

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about https://www.tenable.com/products/tenable-one“>Tenable One, the Exposure Management Platform for the modern attack surface.

   Cyber Exposure Alerts 

​  

More To Explore

We can help improve your Business

Ensure your Organization Assets are well  protected in front of the Cyber Attacks

Delivery Workflow

Register for Free and get your test done withn 24 to 48 hours

See Workflow

Sample Report

Here is a sample report of a Security Testing Engagement

See Sample Report PDF

Work Request

Order your security test and Get Your Report

Get Your Test Report
Generated by Feedzy

1. Client Onboarding

Access to all of Cyber Legion's services is provided through the Web Secure Client Portal. To create a Free account, you can sign up through the portal, or contact the Cyber Legion team and they will set up an account for you.

2. NDA , Agreements & Digital Signature

The integration of Digital Signature in our Web Client Portal allows us to legally sign all necessary documents and agreements, enabling us to carry out security assessments on targeted systems.

3. Submit Work Request

Our pricing structure is adaptable to meet the needs of all clients. By filling out the Work Request Form, you can select from pre-existing services or request a personalized proposal.

The Cyber Legion team will acknowledge your order, set up a project in your account, and proceed with the testing and delivery.

4. Security Testing & Report

We meet agreed upon SLAs and follow security testing framework checklists. Based on our commitment, our team of engineers will utilize all of our tools, automation, and testing capabilities to achieve the objectives.

Within the agreed upon timeframe, you will receive a report on the security test that was conducted, including the results, recommendations, and references for addressing any identified issues.

5. Retesting & Validation of Remediation

We not only identify potential threats, risks, and vulnerabilities, but also provide detailed recommendations for resolution. To ensure complete remediation, we offer complimentary retesting and a range of ongoing security testing options for continued vulnerability detection and verification.