A newly disclosed local privilege escalation vulnerability in the Linux kernel, dubbed CIFSwitch, may allow an attacker to forge a CIFS authentication key description, abuse the kernel's key request mechanism, and gain root privileges.
The issue affects a number of Linux distributions (starting with version 6.14, although some older versions are also affected) that ship a vulnerable combination of the kernel's CIFS client and cifs-utils.
CIFS (Common Internet File System) is a network protocol that allows access to files, folders, and devices over a local network. Linux uses it to mount, read, and write files from remote systems.
When a CIFS network share uses Kerberos for authentication, the Linux kernel requires a user-space helper program to perform the authentication, and the cifs-utils collection of user-space tools acts as an intermediary.
“The kernel requests a key of type cifs.spnego, and the standard keyutils/request-key configuration runs cifs.upcall as root to fetch or build Kerberos/SPNEGO material,” explains SpaceX security engineer Asim Viladi Oglu Manizada, who discovered and named the CIFSwitch privilege escalation vulnerability in Linux.
According to the researcher, the problem is that the Linux kernel's CIFS subsystem is unable to verify that a cifs.spnego key request originates from the kernel's CIFS client.
As a result, an unprivileged user can make a bogus cifs.spnego request and trigger the normal authentication workflow.
The cifs.spnego key request is used by the Linux keyring subsystem to obtain the authentication data required by CIFS/SMB clients when connecting to network shares using Kerberos/SPNEGO authentication.
This flaw leads the cifs.upcall helper, running with root privileges, to trust attacker-controlled fields that are assumed to be generated by the kernel.
By using these fields to force a namespace switch and trigger a Name Service Switch (NSS) lookup before privileges are dropped, a local attacker can load a malicious NSS module and execute code as root.
Manizada has published a detailed technical report explaining the cause of the problem and how it can be used to gain root privileges.
Impact, fixes, and exploits
Manizada said CIFSwitch was introduced 19 years ago, in 2007. The researcher added that CIFSwitch is “non-universal” and that its exploitation depends on several factors, including a vulnerable kernel version.
Other prerequisites include a vulnerable cifs-utils version, user namespace availability, and SELinux/AppArmor policies that do not block the attack.
Some of the distributions that Manizada has identified as vulnerable with default settings are:
- Linux Mint 21.3/22.3
- CentOS Stream 9
- Rocky Linux 9
- AlmaLinux 9
- Kali Linux 2021.4–2026.1
- SLES 15 SP7
The researcher noted that various versions of Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux may also be vulnerable if “cifs-utils” is installed.
However, in some versions, such as Ubuntu 26.04, Fedora 40-44, CentOS Stream 10, Rocky Linux 10, SLES 16, AlmaLinux 10, and openSUSE Leap 16, the default SELinux/AppArmor settings prevent CIFSwitch exploitation.
Moreover, Amazon Linux 2, Kali Linux 2019.4 and 2020.4 are not affected at all, as their cifs-utils versions do not have namespace switching functionality.
CIFSwitch is fixed by a kernel patch that adds validation of the origin of cifs.spnego requests (upstream commit 3da1fdf), but the exact kernel version the patch ships in varies by distribution.
The researcher recommends that users disable or blacklist the CIFS module if it is not used, remove the cifs-utils package if it is not needed, and disable unprivileged user namespaces.
Manizada has published a proof-of-concept (PoC) exploit for CIFSwitch to help organizations validate the effectiveness of applied patches and mitigations.
CIFSwitch is the latest in a series of recently disclosed privilege escalation flaws affecting Linux systems, including “Copy Fail,” “Dirty Frag,” “Fragnesia,” “DirtyDecrypt,” and “PinTheft.”