
WARNING: CRITICAL RCE IN KSMBD SERVER AFFECTING THE LINUX KERNEL, PATCH IMMEDIATELY!

Reference: Advisory #2024-33
Version: 1.0
Affected software: Linux KSMBD prior to v6.8-rc6
Type: RCE and Information Disclosure
CVE/CVSS:

CVE-2024-26592: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-26594: CVSS 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)

Sources

Advisory CVE-2024-26594 - https://www.zerodayinitiative.com/advisories/ZDI-24-194/

Advisory CVE-2024-26592 - https://www.zerodayinitiative.com/advisories/ZDI-24-195/

Patch CVE-2024-26592 - https://github.com/torvalds/linux/commit/38d20c62903d669693a1869aa68c4dd...

Patch CVE-2024-26594 - https://github.com/torvalds/linux/commit/92e470163d96df8db6c4fa0f484e4a2...

Risks

CVE-2024-26592 and CVE-2024-26594 are vulnerabilities affecting the Linux KSMBD file server.

A remote unauthenticated attacker could exploit CVE-2024-26594 to disclose sensitive information. This vulnerability can then be chained with CVE-2024-26592 to achieve arbitrary code execution in the context of the kernel. CVE-2024-26592 can also be exploited on its own by a remote unauthenticated attacker.

Successful exploitation of these vulnerabilities might severely affect the availability, confidentiality and integrity of the targeted system. It is important to mention that only Linux systems that have ksmbd enabled are exposed to these vulnerabilities. A complete takeover of a file server appliance could have a critical impact on the rest of the devices connected to your network.

Description

CVE-2024-26592 is a flaw in the handling of TCP connections and disconnections. The issue results from the lack of proper locking when performing operations on an object. To exploit this vulnerability an attacker must win the race condition between the handling of a new TCP connection and its disconnection. Successful exploitation leads to arbitrary code being executed in the context of the kernel.

CVE-2024-26594 is an information disclosure vulnerability caused by a flaw in the handling of SMB2 Mech tokens: user-supplied data is not properly validated during processing. Supplying more data than was allocated can cause a buffer overflow that discloses information past the allocated memory.

These vulnerabilities can be chained together to achieve complete control over the system.

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Patch

Patches can be found in the official Linux kernel GitHub repository (https://github.com/torvalds/linux/releases).

Mitigate

  • Disable the ksmbd service running on your system if it is not required.
  • Move sensitive file server systems behind a VPN solution. It is often not required for a file server to be exposed to the internet.
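As an added example (not part of the CCB advisory), the following POSIX shell check tells you whether a host falls inside the affected scope described above: ksmbd loaded or built in, and a kernel older than the v6.8-rc6 fix. The function names are assumptions; the backport caveat in the comments is the check a practitioner needs before acting on the result.

```shell
#!/bin/sh
# Added example, not part of the CCB advisory. Assesses exposure to
# CVE-2024-26592 / CVE-2024-26594 on the local host.
# Caveat: distribution kernels backport fixes without changing the
# mainline version, so "predates fix" means "verify against your vendor's
# changelog or advisory", not "confirmed vulnerable".

# Returns 0 when the kernel version string is older than mainline v6.8-rc6.
# Accepts uname -r style strings such as "6.7.4", "6.8.0-rc5-custom",
# "5.15.0-91-generic" or "6.8".
kernel_predates_fix() {
    ver=$(printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?(-rc[0-9]+)?).*/\1/')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[.-]*}
    rc=$(printf '%s' "$ver" | sed -nE 's/.*-rc([0-9]+)$/\1/p')
    # Unparseable input is treated as "not known to predate the fix".
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    [ "$major" -lt 6 ] && return 0
    [ "$major" -gt 6 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    # 6.8.x: only release candidates before rc6 predate the fix.
    [ -n "$rc" ] && [ "$rc" -lt 6 ] && return 0
    return 1
}

# Returns 0 when ksmbd is loaded as a module or built into the running kernel.
ksmbd_present() {
    [ -d /sys/module/ksmbd ] && return 0
    grep -qs '^ksmbd ' /proc/modules && return 0
    grep -qs '^CONFIG_SMB_SERVER=y' "/boot/config-$(uname -r)"
}

running=$(uname -r)
if ksmbd_present; then
    if kernel_predates_fix "$running"; then
        echo "EXPOSED: ksmbd active on kernel $running (predates v6.8-rc6); confirm vendor backport status, then patch or disable ksmbd"
    else
        echo "ksmbd active; kernel $running is at or after the fixed release"
    fi
else
    echo "ksmbd not loaded or built in: host is not exposed to CVE-2024-26592 / CVE-2024-26594"
fi
```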

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

SecurityOnline - https://securityonline.info/cve-2024-26592-26594-critical-linux-kernel-f...

National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2024-26592 & https://nvd.nist.gov/vuln/detail/CVE-2024-26594