New vulnerability from Zero Day initiative that's getting a lot of attention

#vulnintel #threatintel #linuxkernel

https://www.zerodayinitiative.com/advisories/ZDI-22-1690/

A few notes -
No CVE; not sure what's going on with this disclosure, but I don't even see notes from the major enterprise Linux vendors?

The disclosure also doesn't actually state affected versions; the patch note in question identifies the kernel component as ksmbd, which is the new in-kernel SMB3 server they added in the 5.15 LTS release in October 2021, so scope is almost certainly extremely limited, at least in any enterprise environment.

As for exploitability, looking at the patch note again, it states that the disconnect function leaves a dangling pointer, meaning you have to establish a connection first for the object to exist, so this is probably exploitable over SMB if you're running an SMB server using ksmbd.
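Since the advisory lists no affected versions, the practical question for a defender is scope: does this host run a kernel that could carry ksmbd at all, and is the module actually loaded? The POSIX shell below is an added example, not part of the original post or the ZDI advisory. It assumes only what the post states (ksmbd first shipped in 5.15) plus the standard /proc/modules format; the sample module listing is constructed for the offline check, and the live report at the bottom runs against the current host.

```shell
#!/bin/sh
# Added example (not from the post or ZDI): scope check for the ksmbd advisory.
# Assumption from the post: ksmbd exists in mainline kernels from 5.15 onward.

# kernel_could_have_ksmbd VERSION -> prints "yes" if VERSION is 5.15 or newer.
# Accepts uname -r style strings such as "5.15.0-91-generic" or "6.1.0".
kernel_could_have_ksmbd() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    : "${major:=0}" "${minor:=0}"
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 15 ]; }; then
        echo yes
    else
        echo no
    fi
}

# ksmbd_loaded MODULES_TEXT -> prints "yes" if a /proc/modules line is ksmbd.
# /proc/modules lines look like: "<name> <size> <refcount> <deps> <state> <addr>"
ksmbd_loaded() {
    if printf '%s\n' "$1" | grep -q '^ksmbd[[:space:]]'; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample of /proc/modules output for the offline check (addresses are made up).
SAMPLE_MODULES='ksmbd 454656 0 - Live 0xffffffffc0a00000
cifs 1232896 0 - Live 0xffffffffc0900000
nf_tables 303104 0 - Live 0xffffffffc0800000'

SAMPLE_MODULES_NO_KSMBD='cifs 1232896 0 - Live 0xffffffffc0900000
nf_tables 303104 0 - Live 0xffffffffc0800000'

# ksmbd_exposure_report -> one-line summary for the host this runs on.
# Assumption: a loaded module is the signal worth triaging; a built-in ksmbd
# (CONFIG_SMB_SERVER=y) would instead show up under /sys/module/ksmbd.
ksmbd_exposure_report() {
    ver=$(uname -r)
    mods=$(cat /proc/modules 2>/dev/null)
    loaded=$(ksmbd_loaded "$mods")
    [ -d /sys/module/ksmbd ] && loaded=yes
    printf 'kernel=%s in_scope_by_version=%s ksmbd_present=%s\n' \
        "$ver" "$(kernel_could_have_ksmbd "$ver")" "$loaded"
}

# Run the live report only when executed directly, not when sourced.
case "$0" in
    *ksmbd_scope*) ksmbd_exposure_report ;;
esac
```

On a host where the version check says "yes" but ksmbd is not present, the advisory is out of scope until someone loads the module; where both say "yes", the post's reasoning applies and the SMB listener is the surface to triage.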

ZDI-22-1690

Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability.
