Just what every Linux system administrator wants just before the holidays: A serious Linux kernel security bug. The Zero Day Initiative (ZDI), a zero-day security research firm, announced a new Linux kernel security bug. This hole allows authenticated remote users to disclose sensitive information and run code on vulnerable Linux kernel versions.
The affected code, ksmbd, is an in-kernel SMB server that Samsung developed and that was merged into the Linux kernel in 2021. Its point was to deliver speedy SMB3 file-serving performance. SMB, the vital file-server protocol of Windows, is used on Linux via Samba. Ksmbd is not intended to replace Samba but to complement it, and the Samba and ksmbd developers are working on getting the two programs to work in concert.
That said, Jeremy Allison, Samba's co-creator, notes, "ksmbd shares no code with production Samba. It's completely from scratch. So, this current situation has nothing to do with the Samba file server you may be running on your systems."
Some people have wondered: if this is such a big deal, why hasn't it been given a Common Vulnerabilities and Exposures (CVE) number? Greg Kroah-Hartman, the stable branch Linux kernel maintainer, explained, "kernel developers do not work with CVEs at all as they are not all that relevant for the most part for kernel issues." True, "Some Linux companies still insist on assigning CVEs, but that's primarily to help enable their internal engineering processes."
It's not just outsiders who have been concerned about ksmbd's security. Before this episode, Kees Cook, a senior Linux kernel security developer, wrote, "Some of these flaws are pretty foundational filesystem security properties that weren't being tested for, besides the upsetting case of having buffer overflows in an in-kernel filesystem server." Cook concluded, "I'm concerned about code quality here, and I think something needs to change about the review and testing processes."
Fixes were made, but this latest episode shows that the code needs more cleaning and securing before I, for one, am ready to trust it in production. You'd be wise to patch the kernel now and, for the time being, hold off using ksmbd in favor of Samba.
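To act on that advice, an administrator first needs to know whether ksmbd is even present on a host. The following shell functions are an added example, not code from the article or the ksmbd project: they check lsmod-style output for the module, check a kernel config for a built-in ksmbd (CONFIG_SMB_SERVER=y, where a modprobe blacklist cannot help and only a kernel update does), and emit a modprobe.d fragment that keeps the module from loading. The sample lsmod text is constructed for an offline run.

```shell
#!/bin/sh
# Added example (not from the article): audit a host for ksmbd and keep the
# module from loading until a fixed kernel is installed.

# ksmbd_loaded FILE: return 0 if the ksmbd module appears in lsmod-style
# output stored in FILE; with no argument, inspect the live `lsmod` instead.
ksmbd_loaded() {
    if [ -n "$1" ]; then
        grep -Eq '^ksmbd[[:space:]]' "$1"
    else
        lsmod | grep -Eq '^ksmbd[[:space:]]'
    fi
}

# ksmbd_builtin CONFIG: return 0 if ksmbd is compiled into the kernel
# (CONFIG_SMB_SERVER=y). A built-in server ignores modprobe blacklists, so
# the only remedies are a kernel update or a rebuilt kernel without it.
ksmbd_builtin() {
    grep -q '^CONFIG_SMB_SERVER=y' "$1"
}

# ksmbd_blacklist_conf: print a fragment for /etc/modprobe.d/. "blacklist"
# stops alias-based autoloading; the "install" line also defeats an explicit
# `modprobe ksmbd` by running /bin/false in place of the real load.
ksmbd_blacklist_conf() {
    printf 'blacklist ksmbd\ninstall ksmbd /bin/false\n'
}

# Constructed sample of `lsmod` output showing a loaded ksmbd module.
SAMPLE_LSMOD='Module                  Size  Used by
ksmbd                 487424  0
cifs                 1392640  0
'

# Stand-alone run against the sample: report, then show the fix.
sample="$(mktemp)"
printf '%s' "$SAMPLE_LSMOD" > "$sample"
if ksmbd_loaded "$sample"; then
    echo "ksmbd module is loaded; suggested /etc/modprobe.d/ksmbd.conf:"
    ksmbd_blacklist_conf
else
    echo "ksmbd module not loaded"
fi
rm -f "$sample"
```

Run as root against the live system by calling `ksmbd_loaded` with no argument and `ksmbd_builtin /boot/config-$(uname -r)`; unloading an already-loaded module still requires `modprobe -r ksmbd` after the ksmbd service is stopped.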