
Security vulnerability Heads up.

kc1di

Well-Known Member
Joined
May 14, 2021
Messages
1,530
Reaction score
1,359
Credits
11,047


Condobloke

Well-Known Member
Joined
Apr 30, 2017
Messages
5,895
Reaction score
4,906
Credits
36,842
Quote from that article:
"
Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15. For server purposes, Ubuntu is the most concerning. Other enterprise distros, such as the Red Hat Enterprise Linux (RHEL) family, do not use the 5.15 kernel. Not sure? Just run:

$ uname -r


To see which kernel version you're running.

Then, if you're running the susceptible kernel, to see if the vulnerable module is present and active run:



$ modinfo ksmb

What you want to see is that the module wasn't found.
If it's loaded, you'll want to upgrade to the Linux 5.15.61 kernel. Many distros, unfortunately, have not moved to this kernel release yet.

=====================================================
In my case, I am running 5.15.0-56

I then ran:
modinfo ksmb

and that returned:

[email protected]:~$ modinfo ksmb
modinfo: ERROR: Module ksmb not found.
[email protected]:~$
 

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
5,563
Reaction score
4,126
Credits
40,625

wizardfromoz

Administrator
Staff member
Gold Supporter
Joined
Apr 30, 2017
Messages
8,398
Reaction score
7,303
Credits
33,519
Dave from Maine, I'm moving this to Security.

Thanks for the heads up.

Chris
 
OP
kc1di

kc1di

Well-Known Member
Joined
May 14, 2021
Messages
1,530
Reaction score
1,359
Credits
11,047
Thanks Chris.
 
D

Deleted member 137406

Guest
Quote from that article:
"
Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15. For server purposes, Ubuntu is the most concerning. Other enterprise distros, such as the Red Hat Enterprise Linux (RHEL) family, do not use the 5.15 kernel. Not sure? Just run:

$ uname -r


To see which kernel version you're running.

Then, if you're running the susceptible kernel, to see if the vulnerable module is present and active run:



$ modinfo ksmb

What you want to see is that the module wasn't found.
If it's loaded, you'll want to upgrade to the Linux 5.15.61 kernel. Many distros, unfortunately, have not moved to this kernel release yet.

=====================================================
In my case, I am running 5.15.0-56

I then ran:
modinfo ksmb

and that returned:

[email protected]:~$ modinfo ksmb
modinfo: ERROR: Module ksmb not found.
[email protected]:~$
No worries here, Ubuntu takes care of its users. :)

Code:
[email protected]:~$ modinfo ksmb
modinfo: ERROR: Module ksmb not found.
[email protected]:~$

[email protected]:~$ uname -r
5.15.0-56-generic
[email protected]:~$
 

sphen

Well-Known Member
Joined
Dec 12, 2022
Messages
337
Reaction score
343
Credits
4,071
This thread caught my interest. I have a running Ubuntu MATE 22.04 desktop, so I replicated @Bartman's results in their "code" example above. My Ubuntu has the vulnerable kernel but not the vulnerable ksmb (ksmbd) kernel module. (The modinfo command is related to kernel modules.)

I installed Samba, which runs as a service. I assume that it is what most Ubuntu users would install for file sharing. Samba does not install the ksmbd kernel module. Next, I searched for ksmb and found this:

https://www.kernel.org/doc/html/latest//filesystems/cifs/ksmbd.html

Now I wonder whether anyone here on Linux.org is likely to be affected. Anyone thinking about ksmb must understand what ksmb is and does, including why they would want to build and install it instead of the commonly used Samba.

Has anyone on Linux.org built and installed ksmb (ksmbd)? Is anyone here actually affected by this bug?
 
OP
kc1di

kc1di

Well-Known Member
Joined
May 14, 2021
Messages
1,530
Reaction score
1,359
Credits
11,047
Now I wonder whether anyone here on Linux.org is likely to be affected. Anyone thinking about ksmb must understand what ksmb is and does, including why they would want to build and install it instead of the commonly used Samba.

Has anyone on Linux.org built and installed ksmb (ksmbd)? Is anyone here actually affected by this bug?

I don't know if anyone here is affected or not. But it's better to be forewarned. And it's a fairly simple procedure to check your distro for its presence or lack thereof.
 
D

Deleted member 137406

Guest
Now I wonder whether anyone here on Linux.org is likely to be affected. Anyone thinking about ksmb must understand what ksmb is and does, including why they would want to build and install it instead of the commonly used Samba.

Has anyone on Linux.org built and installed ksmb (ksmbd)? Is anyone here actually affected by this bug?
I don't know if anyone here is affected or not. But it's better to be forewarned. And it's a fairly simple procedure to check your distro for its presence or lack thereof.
I agree, better to have advance notice / warning of an exploit and address it.

Linux is secure but ain't no OS bulletproof when it comes to the bad guys.
 

sphen

Well-Known Member
Joined
Dec 12, 2022
Messages
337
Reaction score
343
Credits
4,071
I don't know if anyone here is affected or not. But it's better to be forewarned. And it's a fairly simple procedure to check your distro for its presence or lack thereof.
I agree, better to have advance notice / warning of an exploit and address it.

Linux is secure but ain't no OS bulletproof when it comes to the bad guys.
All true, but it is important to provide context and applicability, which is what I tried to do, above.

People may try to patch their kernels unnecessarily out of an abundance of caution instead of waiting for it to appear in the usual Software Updater process, which seems to be the best advice for nearly everyone here. If people run into problems after attempting to patch their kernels, then a warning without context can become an effective denial of service attack.
 
D

Deleted member 137406

Guest
All true, but it is important to provide context and applicability, which is what I tried to do, above.

People may try to patch their kernels unnecessarily out of an abundance of caution instead of waiting for it to appear in the usual Software Updater process, which seems to be the best advice for nearly everyone here. If people run into problems after attempting to patch their kernels, then a warning without context can become an effective denial of service attack.
Nothing wrong with providing context.

Some users freak out and go into panic mode instead of doing some careful research about the exploit or vulnerability and how it affects them.

When they do that and start making unneeded changes and break their Linux install by doing so, that's on them and no one else.

Plenty of warnings and alerts I've read about in Linux over the years that never affected me and never would but I was glad to have the heads up.

First thing I do when I read about such exploits or vulnerabilities is to check out the forum of the Linux distros I'm using.

So far Linux.org is the only forum I've read about this exploit on and I'm using a half dozen different Linux distros.

Don't sweat it, man, no one's on your case. :)
 
OP
kc1di

kc1di

Well-Known Member
Joined
May 14, 2021
Messages
1,530
Reaction score
1,359
Credits
11,047
As far as I can tell, no Ubuntu-based OS has been affected unless someone purposefully installs that module.
Some Slackware installs are affected. Not sure about the Arch family of distros, or Debian itself; haven't checked yet.

In any event if one actually reads the announcement they would check if they are vulnerable before trying to build their own kernel. At least I would do that.
 

dreamgear

New Member
Joined
Jan 3, 2023
Messages
1
Reaction score
0
Credits
5
What do you make of this?

Code:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
$ uname -r
5.15.0-47-generic
$ modinfo -d ksmb
modinfo: ERROR: Module ksmb not found.
$ modinfo -d ksmbd
Linux kernel CIFS/SMB SERVER
 
OP
kc1di

kc1di

Well-Known Member
Joined
May 14, 2021
Messages
1,530
Reaction score
1,359
Credits
11,047
What do you make of this?

Code:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
$ uname -r
5.15.0-47-generic
$ modinfo -d ksmb
modinfo: ERROR: Module ksmb not found.
$ modinfo -d ksmbd
Linux kernel CIFS/SMB SERVER
It says the module was not found so you should be safe.
 

sphen

Well-Known Member
Joined
Dec 12, 2022
Messages
337
Reaction score
343
Credits
4,071
I admit, I am confused by the various commands shown here in this thread and the referenced ZDnet webpage mentioned in the original post. I believe that they are typos, and the trailing "d" is missing.

The command "modinfo ksmb" yields the result:
Code:
$ modinfo ksmb
modinfo: ERROR: Module ksmb not found.

I think they have it wrong. I think that the module is called "ksmbd". Note the "d" at the end. This command yields a different result:

Code:
$ modinfo ksmbd
filename:       /lib/modules/5.15.0-56-generic/kernel/fs/ksmbd/ksmbd.ko
softdep:        pre: crc32
softdep:        pre: gcm
softdep:        pre: ccm
softdep:        pre: aead2
softdep:        pre: sha512
softdep:        pre: sha256
softdep:        pre: cmac
softdep:        pre: aes
softdep:        pre: nls
softdep:        pre: md5
softdep:        pre: md4
softdep:        pre: hmac
softdep:        pre: ecb
license:        GPL
description:    Linux kernel CIFS/SMB SERVER
version:        3.4.2
author:         Namjae Jeon <[email protected]>
srcversion:     0DFDD5D3D1E59E4DF8E8D62
depends:        ib_core,rdma_cm
retpoline:      Y
intree:         Y
name:           ksmbd
vermagic:       5.15.0-56-generic SMP mod_unload modversions 
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        [REDACTED BY SPHEN]
sig_hashalgo:   sha512
signature:      [REDACTED BY SPHEN]

When I tried the "-d" switch, I got:
Code:
$ modinfo -d ksmb
modinfo: ERROR: Module ksmb not found.
$ modinfo -d ksmbd
Linux kernel CIFS/SMB SERVER

In fact, the -a, -d, -l, -p, -n and --filename switches all work, but the -F switch (which supersedes them), does not:
Code:
$ modinfo -a ksmbd
Namjae Jeon <[email protected]>
$ modinfo -d ksmbd
Linux kernel CIFS/SMB SERVER
$ modinfo -l ksmbd
GPL
$ modinfo -p ksmbd
$ modinfo -n ksmbd
/lib/modules/5.15.0-56-generic/kernel/fs/ksmbd/ksmbd.ko
$ modinfo --filename ksmbd
/lib/modules/5.15.0-56-generic/kernel/fs/ksmbd/ksmbd.ko
$ modinfo -F ksmbd
modinfo: ERROR: missing module or filename.

I found the same results in Ubuntu MATE 22.04, Ubuntu 22.04.1 and Ubuntu MATE 22.04.1. The latter two were installed from downloaded .iso files this morning. I performed the default installations into virtual machines. The Ubuntu MATE 22.04 is fully Software Updater, apt updated, and apt upgraded, but no other recent changes or installations. The same results also appear in newly downloaded and installed Ubuntu 22.04.1 and Ubuntu MATE 22.04.1.

I am bothered when a vulnerability report does not get the "check if you have the issue" command correct in its reporting, but that appears to be what has happened here. At this point, I have no definitive command that shows whether the module is merely "available" or it is actually loaded and a potential vulnerability.

I ran nmap scans of all three, and none have any ports open. They are installed as desktop virtual machines.
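
One way to answer the "available versus actually loaded" question raised in the post above, as an added example that is not part of the original thread or of any poster's commands. The function names `module_state` and `load_disabled` are hypothetical; the default paths (/proc/modules, /lib/modules/$(uname -r), /etc/modprobe.d) are the standard locations and can be overridden.

```shell
#!/bin/sh
# Added example: tell "module file is on disk" apart from "module is loaded".
# Paths are parameters so the logic can be run against constructed data.

# module_state NAME [PROC_MODULES] [MODULE_TREE] prints one of:
#   loaded    - listed in /proc/modules, i.e. its code is live in the kernel
#   builtin   - compiled into the kernel image (listed in modules.builtin)
#   available - a .ko file is shipped for this kernel but is not loaded
#   absent    - no such module for this kernel (what a mistyped name gives)
module_state() {
    name=$1
    proc_modules=${2:-/proc/modules}
    tree=${3:-/lib/modules/$(uname -r)}

    # The first field of each /proc/modules line is a loaded module's name.
    if grep -qs "^${name} " "$proc_modules"; then
        echo loaded; return 0
    fi
    # modules.builtin holds paths such as kernel/fs/ksmbd/ksmbd.ko
    if grep -qs "/${name}\.ko\$" "$tree/modules.builtin"; then
        echo builtin; return 0
    fi
    # Loadable module files may be compressed (.ko.xz, .ko.zst, .ko.gz).
    if [ -n "$(find "$tree" -type f -name "${name}.ko*" 2>/dev/null | head -n 1)" ]; then
        echo available; return 0
    fi
    echo absent
}

# load_disabled NAME [MODPROBE_DIR] succeeds when a modprobe.d rule of the
# form "install NAME /bin/false" (or /bin/true) makes modprobe refuse to
# load the module. A plain "blacklist" line only stops alias autoloading.
load_disabled() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)[[:space:]]*\$" \
        "${2:-/etc/modprobe.d}"/*.conf
}

# Report for the module discussed in this thread.
state=$(module_state ksmbd)
if load_disabled ksmbd; then rule="install rule blocks modprobe"; else rule="no install rule"; fi
echo "ksmbd: $state ($rule)"
```

A result of `available` matches the modinfo output shown in the thread: the file ships with the kernel package but nothing is running until something loads it.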
 