Login
Get a Demo
Become a Partner
SOCRadar® Cyber Intelligence Inc. | All You Need to Know About the Linux Kernel ksmbd Remote Code Execution (ZDI-22-1690) Vulnerability
Table Of Content
Home

Resources

Blog
Ara 24, 2022
3 Mins Read

All You Need to Know About the Linux Kernel ksmbd Remote Code Execution (ZDI-22-1690) Vulnerability

Five new vulnerabilities, one of which has a severity rating of 10 according to the Common Vulnerability Scoring System (CVSS), have been announced by the Zero Day Initiative (ZDI).

What is the ZDI-22-1690 Vulnerability?

The most serious of the five, ZDI-22-1690, enables remote attackers to run arbitrary code on vulnerable Linux Kernel systems. There is no need for authentication to take advantage of this vulnerability, but only systems with ksmbd enabled are at risk.

SOCRadar Vulnerability Intelligence screen shows you the latest CVE trends.
SOCRadar Vulnerability Intelligence screen shows you the latest CVE trends.

How Critical is the ZDI-22-1690 Vulnerability?

Even though no CVE ID was assigned yet, the ZDI rated the vulnerability a 10 on the CVSS (Common Vulnerability Scoring System) scale. All vulnerable systems must be patched as soon as possible. 

Which Versions and Distributions of Linux are Vulnerable?

Any distribution using the Linux kernel 5.15 or above is potentially at risk. For example, Ubuntu 22.04, and its descendants, Deepin Linux 20.3 and Slackware 15 use this kernel. On the other’s hand, the Red Hat Enterprise Linux (RHEL) family should not use the 5.15 kernel.

If you have a vulnerable version, you should upgrade your kernel to Linux 5.15.61.

How Does ZDI-22-1690 Vulnerability Work?

As mentioned above, ZDI-22-1690 enables remote attackers to run arbitrary code on vulnerable Linux Kernel systems. Since there is no need for authentication to take advantage of this vulnerability, vulnerable systems are at significant risk. However, only systems with ksmbd enabled are vulnerable.

The SMB2 TREE DISCONNECT command processing is where the specific flaw is found. The problem arises from failing to validate an object’s existence before performing operations. Using this flaw, an attacker might run code within the kernel.

Are there any exploits in the wild for ZDI-22-1690?

So far, there is no indication of being actively exploited in the wild.

Are there any threat actors actively exploiting ZDI-22-1690?

There are no known specific threat actors or groups that have exploited ZDI-22-1690.

Is There Any Mitigation or Patch Available?

To address this vulnerability, a new version has been released. Click here for more details.

How to Detect This Vulnerability?

If you are unsure which kernel is used in your system, follow the steps explained here.

  • You must instantly learn critical vulnerabilities on your Attack Surface to protect yourself from zero-days and dangerous exploits. You can try the Free Edition SOCRadar EASM to learn how to protect yourself.
Related Articles
SOCRadar® Cyber Intelligence Inc. | Major Cyber Attacks in Review: March 2024
Major Cyber Attacks in Review: March 2024
Nis 16, 2024
SOCRadar® Cyber Intelligence Inc. | Cyber Reflections of Iran's Attack on Israel
Cyber Reflections of Iran's Attack on Israel
Nis 15, 2024
SOCRadar® Cyber Intelligence Inc. | Critical PHP Vulnerabilities: Update Now to Prevent Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757)
Critical PHP Vulnerabilities: Update Now to Prevent Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757)
Nis 15, 2024
SOCRadar® Cyber Intelligence Inc. | Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
Nis 12, 2024
SOCRadar® Cyber Intelligence Inc. | Microsoft’s April 2024 Patch Tuesday, 149 Vulnerabilities Patched, Including 2 Zero-Day Vulnerabilities
Microsoft’s April 2024 Patch Tuesday, 149 Vulnerabilities Patched, Including 2 Zero-Day Vulnerabilities
Nis 10, 2024