The Flaw
Security researcher Asim Manizada has uncovered a privilege escalation vulnerability in the Linux kernel’s CIFS client and the associated cifs-utils userspace package. The flaw, tracked internally as CIFSwitch, allows a low-privileged user to gain full root access by exploiting a gap in validation between the kernel and the userspace helper responsible for Kerberos and SPNEGO authentication.
When a userspace process requests a CIFS key, the kernel uses a keyring to call request_key() for the cifs.spnego key type. The key description is a string that should only come from the kernel’s CIFS subsystem. Manizada found that the kernel did not verify the origin of this description, meaning any unprivileged process could craft a malicious request. Because the system’s request-key configuration dispatches the cifs.Upcall helper as root, an attacker can hijack this mechanism to run arbitrary commands with elevated privileges.
Impact and Mitigation
Manizada has published a technical write-up and proof-of-concept code to help system administrators assess their exposure. The vulnerability was disclosed under a coordinated embargo, and upstream kernel patches are already available. The exploit relies on forging two elements within the key description: the PID and the upcall_target. By setting upcall_target=app and providing a malicious PID, an attacker forces the privileged helper to operate on attacker-controlled input, leading to root execution.
Affected Linux distributions have been notified, and administrators are strongly advised to apply the kernel patches as soon as possible. The vulnerability highlights the risks in complex kernel-userspace interactions, especially when privilege boundaries are maintained by trusted strings that are not adequately validated.
Source: Cyber Security News
