Back to work, Linux admins: You may have a CVSS 10 kernel bug to address
In brief: Merry Christmas, Linux systems administrators: here’s a kernel vulnerability with a CVSS score of 10 potentially in your SMB server. It can be exploited to achieve unauthenticated remote code execution.
Yes, this sounds bad, and a severity score of 10 out of 10 isn’t reassuring at all. Luckily for the sysadmins reaching for more brandy to pour in that eggnog, the flaw doesn’t appear to be that widespread.
Discovered in July by Thalium, the vulnerability research team at French aerospace firm Thales Group, the vulnerability is specific to the ksmbd module that was added to the Linux kernel in version 5.15. Disclosure was responsibly held until a patch was issued.
Unlike that other popular SMB server for Linux, which runs in userspace, ksmbd operates in the kernel. That triggered alarm bells among some users discussing its merge last year.
SerNet, a German IT firm that offers its own version of Samba, said in a blog post that ksmbd was impressive but appeared somewhat immature. Furthermore, SerNet’s Samba+ team wrote in that post, the value of adding an SMB server to kernel space might not be worth the risk taken to “squeeze the last bit of performance out of the available hardware.”
ksmbd was developed by Samsung to implement server-side SMB3 with optimized performance and a smaller footprint. The vulnerability could let an attacker leak the SMB server’s memory, similar to the Heartbleed attack.
Fortunately, if you aren’t running Samsung’s “experimental” ksmbd module, as security researcher Shir Tamari described it on Twitter, and have stuck with Samba, you’re perfectly safe.
“ksmbd is new; most users still use Samba and are not affected. Basically, if you are not running SMB servers with ksmbd, enjoy your weekend,” Tamari said on Twitter.
According to the Zero-Day Initiative, which disclosed the ksmbd vulnerability, the use-after-free flaw exists in the processing of SMB2_TREE_DISCONNECT commands. According to ZDI, the issue is due to ksmbd not validating the existence of objects prior to performing operations on them.
For those using ksmbd, there is a solution other than switching to Samba: updating to Linux kernel version 5.15.61, released in August, or a newer version.
That kernel update also fixed a couple of other issues in ksmbd: an out-of-bounds read in SMB2_TREE_CONNECT handling, which the patch note said stemmed from invalid requests not having their messages validated, and a memory leak in smb2_handle_negotiate that left memory unfreed.
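For admins who want a quick triage of the two facts that matter here (is ksmbd present on this host, and is the running kernel at or above the 5.15.61 the story names as fixed), the following script is an added example written for this article, not code from The Register, Samsung or the kernel project. It assumes a POSIX shell, `/sys/module` and `/proc/modules`, and treats the version number as a heuristic only, since distro kernels routinely backport fixes without changing the upstream version string.

```shell
#!/bin/sh
# Added example, not from the article: triage a host for the ksmbd fix.
# 1) Is ksmbd loaded (or built in)?  2) Is the kernel >= 5.15.61?
# Caveat: vendors backport fixes without bumping the version, and mainline
# series between 5.15 and the fix may have been end-of-life, so a
# "vulnerable" verdict means "check your distro advisory", not "proven".

# Return 0 (true) when a kernel release string such as "5.15.60-generic"
# is >= 5.15.61 (the fixed stable release named in the article), else 1.
ksmbd_kernel_patched() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-generic", "-rc1", "+"
    major=$(printf '%s' "$ver" | cut -s -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)
    [ -n "$major" ] || major=$ver                    # bare "5" has no dots
    : "${minor:=0}" "${patch:=0}"                    # "5.15" -> patch level 0
    [ -n "$major" ] || return 1
    # Pack into one integer so a single comparison orders the three fields.
    have=$((major * 1000000 + minor * 1000 + patch))
    want=$((5 * 1000000 + 15 * 1000 + 61))
    [ "$have" -ge "$want" ]
}

# True when ksmbd is loaded as a module or built into the running kernel.
ksmbd_present() {
    [ -d /sys/module/ksmbd ] && return 0
    grep -q '^ksmbd ' /proc/modules 2>/dev/null
}

# Combine both checks into one verdict; nonzero means "action needed".
triage() {
    if ! ksmbd_present; then
        echo "ksmbd not present: not exposed to this bug (Samba runs in userspace)"
        return 0
    fi
    if ksmbd_kernel_patched "$(uname -r)"; then
        echo "ksmbd present, kernel $(uname -r) >= 5.15.61: fixed per the advisory"
        return 0
    fi
    echo "ksmbd present, kernel $(uname -r) < 5.15.61: update, or unload ksmbd"
    return 1
}

triage
```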
Dodge “grift cards” by spending that holiday cash now
Lots of ready-made kit for would-be hackers can be found on the dark web; one trend recently noticed by the team at Cybersixgill has been gift card generators that not only guess card numbers, but also check their validity by the thousands.
Like brute force password crackers, the tools being sold online randomly guess the digits of gift cards issued by companies like Amazon, Microsoft, Sony, Apple and others, with varying degrees of speed and accuracy based on how predictable a card’s number sequence is.
Those generators are often paired with “checkers” that will run the generated gift card numbers against an issuer’s website to look for balance or activation status, which is then returned to the criminal behind the keyboard.
Adi Bleih and Dov Lerner from Cybersixgill told The Register that using software of the kind being sold on the dark web to generate, guess and verify gift card numbers is easy enough that “a kid with Tor could do it.”
When looking for cards, criminals don’t always look for fully loaded ones, or even wait for unactivated cards to go live: They’re out for cards with just a small balance remaining. “Those cards get forgotten about,” Bleih said, and cybercriminals can look for working cards “by the thousands” thanks to the tools easily found online.
The moral of this holiday story? If you get a gift card, spend it quickly, and spend it all; if you give one, urge the recipient to do the same.
Meta gets light wrist tap of $725m over Cambridge Analytica
Details of Meta’s settlement in the consumer lawsuits filed against it because of the Cambridge Analytica scandal, which was initially decided in August, hadn’t been revealed, but documents filed in the case this week indicate the price of Meta’s bad behavior is just $725 million.
Some 75 percent of that cash will go to the 250 to 280 million Facebook users included in the class, lawyers for the plaintiffs told Reuters.
Still, the legal eagles say it’s the largest data privacy class action settlement in US history, and the most Meta has ever had to pay to resolve a legal case.
For those who have put Facebook’s data privacy scandal out of their minds, Cambridge Analytica was a data firm employed by the Donald Trump campaign in 2016. As part of its data harvesting operations, Cambridge Analytica created Facebook apps that collected data from tens of millions of users without their knowledge.
$725 million may also seem like a lot of money, but don’t forget the context: Meta’s revenue in Q3 of this year alone was $27.7 billion. Sure, Meta has cut its workforce and is hemorrhaging cash, but what’s another $725 million? ®
Editor’s note: This story was revised to clarify that 75 percent of the Facebook award will go to users, not 25 percent as we wrongly reported.