SOCRadar® Cyber Intelligence Inc. | All You Need to Know About the Linux Kernel ksmbd Remote Code Execution (ZDI-22-1690) Vulnerability
Home

Resources

Blog
Dec 24, 2022
3 Mins Read

All You Need to Know About the Linux Kernel ksmbd Remote Code Execution (ZDI-22-1690) Vulnerability

Five new vulnerabilities, one of which has a severity rating of 10 according to the Common Vulnerability Scoring System (CVSS), have been announced by the Zero Day Initiative (ZDI).

What is the ZDI-22-1690 Vulnerability?

The most serious of the five, ZDI-22-1690, enables remote attackers to run arbitrary code on vulnerable Linux Kernel systems. There is no need for authentication to take advantage of this vulnerability, but only systems with ksmbd enabled are at risk.

SOCRadar Vulnerability Intelligence screen shows you the latest CVE trends.
SOCRadar Vulnerability Intelligence screen shows you the latest CVE trends.

How Critical is the ZDI-22-1690 Vulnerability?

Even though no CVE ID was assigned yet, the ZDI rated the vulnerability a 10 on the CVSS (Common Vulnerability Scoring System) scale. All vulnerable systems must be patched as soon as possible. 

Which Versions and Distributions of Linux are Vulnerable?

Any distribution using the Linux kernel 5.15 or above is potentially at risk. For example, Ubuntu 22.04, and its descendants, Deepin Linux 20.3 and Slackware 15 use this kernel. On the other’s hand, the Red Hat Enterprise Linux (RHEL) family should not use the 5.15 kernel.

If you have a vulnerable version, you should upgrade your kernel to Linux 5.15.61.

How Does ZDI-22-1690 Vulnerability Work?

As mentioned above, ZDI-22-1690 enables remote attackers to run arbitrary code on vulnerable Linux Kernel systems. Since there is no need for authentication to take advantage of this vulnerability, vulnerable systems are at significant risk. However, only systems with ksmbd enabled are vulnerable.

The SMB2 TREE DISCONNECT command processing is where the specific flaw is found. The problem arises from failing to validate an object’s existence before performing operations. Using this flaw, an attacker might run code within the kernel.

Are there any exploits in the wild for ZDI-22-1690?

So far, there is no indication of being actively exploited in the wild.

Are there any threat actors actively exploiting ZDI-22-1690?

There are no known specific threat actors or groups that have exploited ZDI-22-1690.

Is There Any Mitigation or Patch Available?

To address this vulnerability, a new version has been released. Click here for more details.

How to Detect This Vulnerability?

If you are unsure which kernel is used in your system, follow the steps explained here.

  • You must instantly learn critical vulnerabilities on your Attack Surface to protect yourself from zero-days and dangerous exploits. You can try the Free Edition SOCRadar EASM to learn how to protect yourself.