
New CIFSwitch Linux flaw gives root on multiple distributions

Why This Matters

The CIFSwitch vulnerability exposes a critical security flaw in Linux's CIFS subsystem, potentially allowing attackers to escalate privileges to root. This poses significant risks for affected Linux distributions, especially those relying on Kerberos authentication for network shares. Addressing this flaw is vital to maintaining system integrity and protecting sensitive data across enterprise and consumer Linux environments.

Key Takeaways

A newly discovered local privilege escalation vulnerability dubbed 'CIFSwitch' in the Linux kernel could allow attackers to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges.

The issue impacts multiple Linux distributions that ship vulnerable combinations of the kernel CIFS and cifs-utils (versions 6.14 and higher, although some older variants are also affected).

CIFS (Common Internet File System) is a networking protocol that allows access to files, folders, and devices across a local network. Linux uses it to mount, read, and write data from remote systems.

If a CIFS network share uses Kerberos for authentication, the Linux kernel asks a helper program in user space to perform authentication, with the cifs-utils collection of user-space tools serving as the intermediary.

"The kernel requests a cifs.spnego-type key, and the normal keyutils/request-key config runs cifs.upcall as root to fetch or build the Kerberos/SPNEGO material," explains Asim Viladi Oglu Manizada, a SpaceX security engineer who discovered and named the CIFSwitch privilege escalation vulnerability in Linux.

The researcher says the root cause is that the Linux kernel's CIFS subsystem fails to verify that cifs.spnego key requests actually originate from the kernel's CIFS client.

As a result, an unprivileged user can create a forged cifs.spnego request and trigger the normal authentication workflow.

A cifs.spnego key request is used by the Linux keyring subsystem to obtain authentication data needed by the CIFS/SMB client when connecting to a network share using Kerberos/SPNEGO authentication.

Because of the flaw, the root-privileged cifs.upcall helper trusts attacker-controlled fields that it assumes the kernel generated.

By abusing these fields to force a namespace switch and then triggering a Name Service Switch (NSS) lookup before privileges are dropped, a local attacker can load a malicious NSS module and achieve root code execution.
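Whether a given host wires cifs.upcall into this path at all is visible in its keyutils request-key configuration. The following added example (not code from the article, cifs-utils or keyutils) parses request-key.conf-style rules and reports which root-run program would answer a cifs.spnego key request, so an administrator can inventory exposed systems while kernel and cifs-utils updates are rolled out. The file locations, five-field line layout and trailing-`*` wildcard matching follow request-key.conf(5); the sample configuration, the key description used in the match call and the scan order in `load_system_rules` are this example's own assumptions.

```python
"""Inventory the user-space helper that keyutils' request-key mechanism
would run for a cifs.spnego key request.

Added example for this article; not code from the article, cifs-utils or
keyutils. Format and paths follow request-key.conf(5): /etc/request-key.conf
plus /etc/request-key.d/*.conf, each non-comment line being
    <op> <type> <description> <callout_info> <program> [args...]
where patterns are an exact string, '*' (match anything) or a prefix
ending in a single '*'. The sample configuration below is constructed.
"""
import glob
import os
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample, modelled on the cifs.spnego.conf layout cifs-utils installs.
SAMPLE_CONF = """\
# Kerberos/SPNEGO material for the kernel CIFS client; request-key runs this as root
create  cifs.spnego   * * /usr/sbin/cifs.upcall -c %k
create  dns_resolver  * * /usr/sbin/cifs.upcall %k
negate  *             * * /bin/keyctl negate %k 30 %S
"""


@dataclass
class HandlerRule:
    op: str               # create, negate, expire, ...
    key_type: str         # key type pattern, e.g. cifs.spnego or *
    desc_pattern: str     # key description pattern
    callout_pattern: str  # callout-info pattern
    program: str          # helper request-key(8) executes, with root privileges
    args: List[str] = field(default_factory=list)
    source: str = "<inline>"


def pattern_matches(pattern: str, value: str) -> bool:
    """request-key style match: '*' matches anything, 'foo*' a prefix, else exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def parse_rules(lines: Iterable[str], source: str = "<inline>") -> List[HandlerRule]:
    """Parse request-key.conf lines; comments and blank lines are skipped."""
    rules: List[HandlerRule] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # too few fields to be a rule; request-key(8) would not act on it
        op, key_type, desc, callout, program, *args = fields
        rules.append(HandlerRule(op, key_type, desc, callout, program, args, source))
    return rules


def match_rule(rules: List[HandlerRule], op: str, key_type: str,
               description: str, callout_info: str = "") -> Optional[HandlerRule]:
    """Return the first rule request-key(8) would select for this request, or None.
    Rules are tried in file order, mirroring the first-match behaviour of the tool."""
    for r in rules:
        if r.op != op or not pattern_matches(r.key_type, key_type):
            continue
        if pattern_matches(r.desc_pattern, description) and \
           pattern_matches(r.callout_pattern, callout_info):
            return r
    return None


def find_cifs_spnego_handlers(rules: List[HandlerRule]) -> List[HandlerRule]:
    """All 'create' rules that would answer a cifs.spnego request, i.e. the
    root-run programs reachable through this upcall path."""
    return [r for r in rules
            if r.op == "create" and pattern_matches(r.key_type, "cifs.spnego")]


def load_system_rules(conf_dir: str = "/etc/request-key.d",
                      conf_file: str = "/etc/request-key.conf") -> List[HandlerRule]:
    """Read the live configuration. Scanning the directory before the main file
    is this example's assumption about request-key(8); confirm for your keyutils."""
    rules: List[HandlerRule] = []
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))) + [conf_file]:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                rules.extend(parse_rules(fh, source=path))
    return rules


if __name__ == "__main__":
    # Fall back to the constructed sample when run on a host without keyutils config.
    rules = load_system_rules() or parse_rules(SAMPLE_CONF.splitlines(), "SAMPLE_CONF")
    for r in find_cifs_spnego_handlers(rules):
        print(f"{r.source}: cifs.spnego -> {r.program} {' '.join(r.args)}")
```

A host that reports a cifs.spnego handler has the root-run upcall the article describes in place, which is the precondition for the described abuse; a host with none listed is not reachable through this path regardless of its cifs-utils version.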
