Reference: Advisory #2024-33
Version: 1.0
Affected software: Linux KSMBD prior to v6.8-rc6
Type: RCE and Information Disclosure
CVE/CVSS:
CVE-2024-26592: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-26594: CVSS 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
Advisory CVE-2024-26594 - https://www.zerodayinitiative.com/advisories/ZDI-24-194/
Advisory CVE-2024-26592 - https://www.zerodayinitiative.com/advisories/ZDI-24-195/
Patch CVE-2024-26592 - https://github.com/torvalds/linux/commit/38d20c62903d669693a1869aa68c4dd5674e2544
Patch CVE-2024-26594 - https://github.com/torvalds/linux/commit/92e470163d96df8db6c4fa0f484e4a229edb903d
CVE-2024-26592 and CVE-2024-26594 are vulnerabilities in KSMBD, the Linux kernel's in-kernel SMB file server.
A remote, unauthenticated attacker can exploit CVE-2024-26594 to disclose sensitive kernel memory. The leaked information can then be chained with CVE-2024-26592 to execute arbitrary code in the context of the kernel. CVE-2024-26592 can also be exploited on its own by a remote, unauthenticated attacker.
Successful exploitation of these vulnerabilities can severely affect the confidentiality, integrity and availability of the targeted system. Only Linux systems on which ksmbd is enabled are exposed; the Samba userspace server (smbd) is a separate code base and is not affected by these two CVEs, although it listens on the same TCP port. A complete takeover of a file server appliance could have a critical impact on the other devices connected to your network.
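As an added example (not part of the CCB advisory), the POSIX shell script below checks the exposure conditions named above on a host: whether the running kernel predates 6.8-rc6, whether ksmbd is loaded or built in, and whether anything listens on TCP/445. The helpers take their input as arguments or on stdin so they can be exercised on captured `uname -r`, `lsmod` and `ss -ltn` output; the config file locations /proc/config.gz and /boot/config-$(uname -r) are assumptions about where the kernel configuration is exported, and the sysfs check is a best-effort indicator for built-in kernels. A "before-6.8-rc6" verdict only means the mainline version string predates the fix: distribution kernels backport patches without changing major.minor, so confirm against the vendor changelog rather than the version alone.

```shell
#!/bin/sh
# Added example, not part of the CCB advisory: exposure check for the ksmbd
# issues (CVE-2024-26592 / CVE-2024-26594). Run `sh ksmbd-check.sh live` on
# a host, or source it and feed captured command output to the helpers.

# Classify a kernel release string (format of `uname -r`, e.g. 6.7.4-arch1-1
# or 6.8.0-rc5) against 6.8-rc6, the first mainline release with both fixes.
# Prints "before-6.8-rc6" or "6.8-rc6-or-later". Caveat: distribution kernels
# backport fixes without bumping major.minor, so "before-6.8-rc6" means
# "check the vendor changelog", not "confirmed vulnerable".
kernel_release_class() {
    rel=$1
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    minor=${minor:-0}
    rc=""
    case $rel in
        *-rc[0-9]*) rc=${rel##*-rc}; rc=${rc%%[!0-9]*} ;;
    esac
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 8 ]; }; then
        echo "before-6.8-rc6"
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 8 ] && [ -n "$rc" ] && [ "$rc" -lt 6 ]; then
        echo "before-6.8-rc6"
    else
        echo "6.8-rc6-or-later"
    fi
}

# True when a line of `lsmod` output (read on stdin) names the ksmbd module.
ksmbd_in_lsmod() {
    awk '$1 == "ksmbd" { found = 1 } END { exit found ? 0 : 1 }'
}

# True when a line of `ss -ltn` output (read on stdin) shows a TCP listener
# on port 445. Both ksmbd and Samba's smbd listen there, so a hit means
# "SMB is exposed", not "ksmbd is running".
smb_port_listening() {
    awk '$4 ~ /:445$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Live report for the current host. The config paths are assumptions about
# where the running kernel's .config is exported; /sys/module/ksmbd is a
# best-effort indicator when ksmbd is built in rather than a module.
ksmbd_exposure_report() {
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_release_class "$rel")"
    if command -v lsmod >/dev/null 2>&1 && lsmod | ksmbd_in_lsmod; then
        echo "ksmbd: module loaded"
    elif [ -d /sys/module/ksmbd ]; then
        echo "ksmbd: present (built-in or loaded)"
    else
        echo "ksmbd: not loaded"
    fi
    for cfg in /proc/config.gz "/boot/config-$rel"; do
        [ -r "$cfg" ] || continue
        case $cfg in
            *.gz) zcat "$cfg" ;;
            *)    cat "$cfg" ;;
        esac | grep -E '^CONFIG_SMB_SERVER=' || echo "CONFIG_SMB_SERVER: not set in $cfg"
        break
    done
    if command -v ss >/dev/null 2>&1 && ss -ltn 2>/dev/null | smb_port_listening; then
        echo "TCP/445: listening (ksmbd or Samba smbd)"
    else
        echo "TCP/445: no listener found"
    fi
}

# Only touch the live system when explicitly asked, so the helpers can be
# tested on constructed input.
if [ "${1:-}" = "live" ]; then
    ksmbd_exposure_report
fi
```

The release classifier treats 6.8.0-rc5 as unfixed and 6.8.0-rc6 and later as fixed, matching the "prior to v6.8-rc6" statement above; a kernel reported as fixed but still listening on 445 should be treated as a Samba or patched-ksmbd host, and a kernel reported as unfixed needs the vendor changelog check before it is declared vulnerable.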
CVE-2024-26592 is a flaw in the handling of TCP connections and disconnections. Operations on a connection object are performed without proper locking, so an attacker who wins the race between the handling of a new TCP connection and its disconnection can have the object freed while it is still in use. Successful exploitation leads to arbitrary code execution in the context of the kernel.
CVE-2024-26594 is an information disclosure vulnerability in the handling of SMB2 mech tokens (the SPNEGO token carried in the session setup request). The length of user-supplied data is not properly validated, so a crafted token makes ksmbd read past the end of the allocated buffer and disclose the kernel memory that follows it. This is an out-of-bounds read rather than a write, which is why the CVSS vector rates it with no integrity impact; its value to an attacker lies in the memory layout it leaks.
These vulnerabilities can be chained together to achieve complete control over the system.
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Patch
Patches can be found in the mainline Linux kernel repository (GitHub mirror: https://github.com/torvalds/linux/releases); the two fixing commits are linked above. Users of distribution kernels should install the corresponding vendor update rather than rely on the mainline version number, since distributions backport fixes to their own kernel versions.
Mitigate
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
SecurityOnline - https://securityonline.info/cve-2024-26592-26594-critical-linux-kernel-flaws-open-door-for-code-execution-and-data-theft/
National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2024-26592 & https://nvd.nist.gov/vuln/detail/CVE-2024-26594