A recent vulnerability in the Linux kernel, identified as ‘CIFSwitch’, poses a significant security risk by allowing low-privileged users to obtain root access. This issue arises from a logic flaw between the Linux kernel’s CIFS client and the userspace cifs-utils package.
Discovery and Technical Details
The vulnerability was uncovered by security researcher Asim Manizada, who has provided a detailed analysis and proof-of-concept (PoC) to aid in the assessment of exposure and validation of patches. The problem originates from inadequate validation of key descriptions in the CIFS.Spnego key type, enabling unprivileged users to impersonate privileged kernel requests.
An AI-assisted, multihop reasoning approach was used to discover the flaw, which involves creating semantic graphs of security-relevant objects and flows. This technique allows for the chaining of minor logic flaws into an effective exploit.
Impact and Exploitation
The vulnerability was disclosed following an embargo with Linux distributions, and kernel patches are now available. CIFS/SMB, a Windows-style network filesystem protocol on Linux, is affected, as the kernel CIFS client handles essential filesystem operations while Kerberos/SPNEGO authentication is managed by the root-privileged cifs-upcall provided by cifs-utils.
The kernel’s request_key() call for CIFS.Spnego keys passes a trusted description string with server, UID, PID, and namespace target parameters. However, Manizada’s research revealed that the kernel did not ensure the origin of these descriptions before treating them as trusted.
Security Measures and Recommendations
Exploitation requires a vulnerable kernel, a compatible cifs-utils version, and unprivileged user namespace creation. Many mainstream Linux distributions have been found vulnerable out-of-the-box when cifs-utils is present, while others require adjustments to Linux Security Module (LSM) policies.
The kernel patch introduces a vet_description hook for the CIFS.Spnego key type to verify that descriptions are requested under the CIFS client’s internal spnego_cred. This measure prevents unprivileged userspace from posing as the kernel. Additional hardening is advised to ensure cifs-upcall does not blindly trust kernel-originated descriptions.
Administrators are urged to implement backported kernel patches swiftly and consider further security measures. These include disabling unused CIFS features, removing cifs-utils, refining request-key rules for CIFS.Spnego, and limiting unprivileged user namespaces to bolster security.
For ongoing updates on this and other security issues, follow us on Google News, LinkedIn, and X.
