A critical vulnerability has been identified in the Linux kernel that has persisted for 19 years, enabling low-privileged users to gain root access across various Linux distributions.
Understanding the CIFSwitch Vulnerability
The flaw, named CIFSwitch, affects the CIFS subsystem of the Linux kernel and the cifs-utils userspace helper associated with it. This subsystem manages aspects of the SMB network filesystem protocol, including mounting shares and executing read/write operations, as well as server communications.
The vulnerability arises during authentication of a mount, when the kernel issues a request_key call for a cifs.spnego key. Validation of that key is delegated to user space, which runs cifs.upcall as root to parse the key description; the description carries fields such as the UID, PID, and credential cache.
Exploitation and Impact
Asim Viladi Oglu Manizada, a security engineer at SpaceX, highlighted that the kernel fails to verify the origin of the request or the key description. This oversight allows attackers to directly invoke the request_key function, supplying their own key description fields and bypassing the CIFS origin checks.
Since the cifs.upcall is executed with root privileges, attackers can manipulate the key description to gain root access by switching to the namespaces of the supplied PID. Additionally, before privileges are dropped, the helper performs account lookups through the Name Service Switch (NSS), which can be exploited by attackers using fake NSS configurations and modules.
Addressing the Security Threat
To mitigate this vulnerability, Manizada suggests that a cifs.spnego key description be treated as legitimate only when the request comes from CIFS using its private spnego_cred. In addition, user-space hardening should verify whether the key description was genuinely generated by the kernel rather than supplied by a caller.
Distributions such as Linux Mint, CentOS, Rocky Linux, Kali Linux, AlmaLinux, and SLES SAP are at risk if cifs-utils is installed by default. However, others like Ubuntu, Fedora, CentOS, and openSUSE have default measures to block the exploit path. Notably, Amazon Linux 2 KVM and certain Kali Linux versions remain unaffected.
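Because exposure hinges on whether the cifs.spnego upcall path (cifs-utils and its request-key mapping) is present on a host, the following audit script is a useful first inventory step. It is an added example, not code from the article or from the cifs-utils project, and it assumes the standard cifs-utils layout: the helper lives at /usr/sbin/cifs.upcall and request-key(8) maps the cifs.spnego key type to it through a "create cifs.spnego ..." line in /etc/request-key.conf or /etc/request-key.d/*.conf. The status labels are this script's own; a "present" result means the upcall path exists and the package patch level should then be checked with the distribution's package tooling.

```shell
#!/bin/sh
# Added example (not from the article): inventory the cifs.spnego
# request-key upcall path on a host. Assumed layout (standard cifs-utils,
# not stated on the page): helper at /usr/sbin/cifs.upcall, mapping line
# "create cifs.spnego * * /usr/sbin/cifs.upcall %k" in a request-key config.

# Print the helper command request-key would run for cifs.spnego keys,
# taking the first matching "create cifs.spnego" line from the given
# config files. Unreadable files are skipped; prints nothing if no mapping.
cifs_spnego_mapping() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Field layout: <op> <key-type> <desc> <callout-info> <program...>
        # Blank the first four fields and print the remaining program text.
        awk '$1 == "create" && $2 == "cifs.spnego" {
                 $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print; exit
             }' "$f"
    done | head -n 1
}

# Classify the host from two facts: is the helper binary executable, and is
# there a request-key mapping for cifs.spnego?
#   upcall-path-present: both present, the path the article describes exists
#   mapping-only:        config maps cifs.spnego but the helper is missing
#   helper-only:         helper installed but no mapping for cifs.spnego
#   absent:              neither piece present
# Usage: cifs_upcall_status <helper-path> <config-file>...
cifs_upcall_status() {
    helper="$1"
    shift
    mapping=$(cifs_spnego_mapping "$@")
    if [ -x "$helper" ] && [ -n "$mapping" ]; then
        echo "upcall-path-present: $mapping"
    elif [ -n "$mapping" ]; then
        echo "mapping-only: $mapping"
    elif [ -x "$helper" ]; then
        echo "helper-only"
    else
        echo "absent"
    fi
}

# Live run against the assumed default locations. A non-matching glob is
# passed through literally and skipped by the readability check above.
cifs_upcall_status /usr/sbin/cifs.upcall /etc/request-key.conf /etc/request-key.d/*.conf
```

The script only reports what is installed and wired up; it does not tell you whether the installed cifs-utils and kernel carry the fix, so pair its output with the package version check for your distribution.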
Earlier this month, major Linux distributions released patches to address this security concern. Manizada has also shared proof-of-concept code to assist defenders in validating patches and mitigations.
For more information, explore related vulnerabilities such as DirtyDecrypt and Fragnesia, which also pose root privilege escalation threats.
