CIFSwitch Vulnerability Exposes Some Linux Distros to Local Root Access
An Anonymous Coward writes:
A newly disclosed Linux local privilege escalation vulnerability, CIFSwitch, allows an unprivileged local user to gain root access on certain systems via the Linux kernel's CIFS client and the cifs-utils userspace helper. CIFS, also known as SMB, is a network file-sharing protocol commonly used to access Windows file shares from Linux and other platforms.
Security researcher Asim Manizada disclosed the issue, describing it as a non-universal Linux local root vulnerability since exploitability depends on specific distribution configurations. A public proof-of-concept exploit is available, increasing the urgency for patching and mitigation on affected systems.
CIFSwitch exists at the interface between the kernel CIFS client and cifs.upcall, the cifs-utils helper for Kerberos-authenticated CIFS/SMB mounts. While CIFS is commonly associated with Windows file shares, Linux systems can also mount SMB shares using the kernel CIFS client.
The vulnerability arises from how CIFS uses Linux keyrings. Normally, the kernel requests a cifs.spnego key, and the system's request-key configuration launches cifs.upcall as root to handle Kerberos/SPNEGO authentication.
According to the disclosure, the vulnerability allows an unprivileged userspace process to request a forged cifs.spnego key description. The kernel failed to properly reject descriptions not originating from kernel CIFS, and the default request-key rule could still launch cifs.upcall as root.
The userspace helper then parsed attacker-controlled fields, including pid, uid, creduid, and upcall_target, as if they were generated by the kernel. By setting upcall_target=app, the helper could switch into a namespace controlled by the attacker.
Read more of this story at SoylentNews.
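The summary above describes the two pieces that line up to make CIFSwitch work: a request-key rule that routes any `cifs.spnego` key request to `cifs.upcall`, and a `key=value;key=value` description that the helper parses and trusts. The following is an added example (not code from the SoylentNews story, from cifs-utils, or from the researcher's proof of concept) that lets an administrator inspect both on their own host: it parses a request-key configuration in the request-key.conf(5) layout and reports rules that would launch cifs.upcall for a `cifs.spnego` request, and it splits a key description into the fields the helper reads so the ones the story names (pid, uid, creduid, upcall_target) can be seen. The sample configuration is constructed to mirror the rule cifs-utils installs, and the description string, including the `ver`, `host`, `ip4`, `sec` and `user` fields, is invented for illustration; only `upcall_target=app` and the four trusted field names come from the story.

```python
"""Audit helper for the request-key route and key description
involved in CIFSwitch. Added example; not the story's, cifs-utils'
or the PoC's code. All inputs below are constructed."""

# Constructed sample of /etc/request-key.d/cifs.spnego.conf plus two
# unrelated rules, to show that the filter matches only the cifs.spnego
# route. Layout per request-key.conf(5): op type description callout
# program args...
SAMPLE_REQUEST_KEY_CONF = """\
# constructed sample, modelled on the rule cifs-utils ships
create  cifs.spnego   *  *  /usr/sbin/cifs.upcall  %k
create  dns_resolver  *  *  /sbin/key.dns_resolver  %k
negate  *             *  *  /bin/keyctl negate %k 30 %S
"""

# Constructed description in the k=v;k=v layout the helper parses.
# Whoever calls request_key(2) with a forged description chooses every
# field here, including the ones the helper took as kernel-supplied.
SAMPLE_FORGED_DESCRIPTION = (
    "ver=0x2;host=fileserver.example.test;ip4=192.0.2.10;sec=krb5;"
    "uid=0x0;creduid=0x3e8;user=alice;pid=0x1234;upcall_target=app"
)

# Fields the story says the helper treated as generated by the kernel.
KERNEL_TRUSTED_FIELDS = ("pid", "uid", "creduid", "upcall_target")


def parse_request_key_rules(text):
    """Return one dict per rule; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 5:
            continue  # not a complete op/type/description/callout/program rule
        op, ktype, desc, callout, program = fields[:5]
        rules.append({
            "op": op, "type": ktype, "description": desc,
            "callout": callout, "program": program, "args": fields[5:],
        })
    return rules


def cifs_upcall_rules(rules):
    """Rules that launch cifs.upcall when a cifs.spnego key is created."""
    return [
        r for r in rules
        if r["op"] == "create"
        and r["type"] == "cifs.spnego"
        and r["program"].rsplit("/", 1)[-1] == "cifs.upcall"
    ]


def parse_key_description(desc):
    """Split 'k=v;k=v' into a dict; a repeated key keeps its last value,
    and a bare 'k' without '=' maps to the empty string."""
    fields = {}
    for item in desc.split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        fields[key] = value if sep else ""
    return fields


def trusted_fields_in(desc):
    """The kernel-trusted fields a description asserts, as the helper reads them."""
    fields = parse_key_description(desc)
    return {k: fields[k] for k in KERNEL_TRUSTED_FIELDS if k in fields}


def audit(conf_text, desc):
    """Combine the routing view and the description view into one report."""
    routes = cifs_upcall_rules(parse_request_key_rules(conf_text))
    asserted = trusted_fields_in(desc)
    return {
        "upcall_routes": [r["program"] for r in routes],
        "asserted_trusted_fields": asserted,
        "requests_app_namespace": asserted.get("upcall_target") == "app",
    }


if __name__ == "__main__":
    # On a real host, read /etc/request-key.conf and /etc/request-key.d/*.conf
    # instead of the constructed sample.
    for key, value in audit(SAMPLE_REQUEST_KEY_CONF, SAMPLE_FORGED_DESCRIPTION).items():
        print(f"{key}: {value}")
```

The report shows two things a practitioner wants to know: whether any rule on the host hands `cifs.spnego` requests to cifs.upcall at all (if none does, the root-launched helper path described in the story is not reachable that way), and that a description parser of this shape has no way of telling a kernel-generated description from a user-supplied one, since the trusted fields are just more `k=v` pairs in the same string. Whether a given distribution is affected still depends on the kernel and cifs-utils versions it ships, which this check does not determine.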