Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's SMB client implementation can lead to incorrect credential handling during Kerberos-secured mounts. This issue arises because the client reuses the SMB session from the first mount, disregarding any different username options specified for subsequent mounts. As a result, mounts may fail due to the absence of the expected Kerberos principal in the keytab file. The vulnerability affects the Linux kernel's SMB client when using the username mount option with Kerberos security, a scenario supported by cifs-utils since version 4.8.
The vulnerability can cause Kerberos mounts to fail by incorrectly reusing SMB sessions, leading to authentication errors when the specified username principal is not found in the keytab.
To reproduce this issue, first create a keytab entry for a test user principal. Then, mount a CIFS share using the 'sec=krb5' option and the username of the test user. After this initial mount, attempt to mount another share with a different username, which should fail with an 'ENOKEY' error, indicating that the specified principal does not exist in the keytab. However, due to the vulnerability, the client will incorrectly reuse the session from the first mount, causing the second mount to succeed with the wrong credentials.
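The session-reuse decision behind these steps, as an added example that is not kernel code and not from the original page: a simplified C model of the matching behaviour the page describes next to a corrected form. All type and function names are hypothetical, matching Kerberos sessions on the credential uid is an assumption of the model, and the principals in the test are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model: all type and function names here are hypothetical. */
enum sec_type { SEC_NTLMSSP, SEC_KRB5 };

struct smb_params {          /* used for both a live session and a mount request */
    enum sec_type sec;
    unsigned int cred_uid;   /* assumption: krb5 sessions are matched on this uid */
    const char *username;    /* username= mount option, NULL if absent */
};

static bool same_user(const char *a, const char *b)
{
    return strcmp(a ? a : "", b ? b : "") == 0;
}

/* Behaviour the page describes: username= is disregarded for sec=krb5. */
bool match_buggy(const struct smb_params *ses, const struct smb_params *req)
{
    if (ses->sec != req->sec)
        return false;
    if (ses->sec == SEC_KRB5)
        return ses->cred_uid == req->cred_uid;
    return same_user(ses->username, req->username);
}

/* Corrected matching: a different username= never reuses the session. */
bool match_fixed(const struct smb_params *ses, const struct smb_params *req)
{
    if (ses->sec != req->sec || !same_user(ses->username, req->username))
        return false;
    return ses->sec != SEC_KRB5 || ses->cred_uid == req->cred_uid;
}

/* Second mount: reuse a matching session, else the principal must be in the keytab. */
int second_mount(bool (*match)(const struct smb_params *, const struct smb_params *),
                 const struct smb_params *first, const struct smb_params *req,
                 const char *const *keytab, size_t n)
{
    if (match(first, req))
        return 0;                       /* reused: req->username never checked */
    for (size_t i = 0; i < n; i++)
        if (same_user(keytab[i], req->username))
            return 0;                   /* new session set up as that principal */
    return -ENOKEY;                     /* "Required key not available" */
}
```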
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation or through the package management system of the Linux distribution in use.