Critical CIFSwitch Linux Vulnerability Grants Root Access Across Various Distributions

New CIFSwitch Linux Flaw Allows Root Access on Multiple Distributions

A recently identified vulnerability in the Linux kernel, known as ‘CIFSwitch,’ has raised concerns due to its potential to enable local privilege escalation. Attackers could exploit this flaw to manipulate CIFS authentication key descriptions, exploit the kernel’s key request mechanism, and gain root privileges.

This vulnerability impacts various Linux distributions that include vulnerable combinations of the kernel’s CIFS and cifs-utils (versions 6.14 and above, with some older variants also affected).

CIFS, or Common Internet File System, is a networking protocol used to access files, folders, and devices across a local network. Linux relies on CIFS to interact with remote systems, allowing users to mount, read, and write data.

When a CIFS network share utilizes Kerberos for authentication, the Linux kernel relies on a user-space helper program to handle authentication, with the cifs-utils collection of tools acting as an intermediary.

The discovery of the CIFSwitch vulnerability was credited to Asim Viladi Oglu Manizada, a SpaceX security engineer. The flaw arises from the kernel’s CIFS subsystem failing to verify the origin of cifs.spnego key requests, potentially enabling unprivileged users to trigger authentication processes.

By forging cifs.spnego requests, attackers can manipulate the authentication workflow, exploiting the trust relationship between the root-privileged cifs.upcall helper and the kernel-generated fields. This manipulation could lead to a namespace switch, facilitating a Name Service Switch (NSS) lookup that enables a local attacker to load a malicious NSS module and execute root-level code.

Manizada’s technical report delves into the root cause of the vulnerability and elaborates on how it can be leveraged for privilege escalation.

Impact, Fixes, and Exploitation

According to Manizada, CIFSwitch was introduced 19 years ago in 2007 and its exploitation depends on various factors, including the kernel version, cifs-utils version, the presence of user namespaces, and SELinux/AppArmor configurations.

Notable vulnerable distributions, as confirmed by Manizada, include Linux Mint 21.3/22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux 2021.4–2026.1, and SLES 15 SP7. Additionally, several Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux versions may be vulnerable if ‘cifs-utils’ is installed.

However, certain distributions like Ubuntu 26.04, Fedora 40-44, CentOS Stream 10, Rocky Linux 10, SLES 16, AlmaLinux 10, and openSUSE Leap 16 have default SELinux/AppArmor settings that mitigate the exploitation of CIFSwitch. Amazon Linux 2 and Kali Linux 2019.4 and 2020.4 are not affected due to the absence of namespace-switch functionality in their cifs-utils versions.

The CIFSwitch vulnerability has been addressed through a kernel patch that validates the origin of cifs.spnego requests. The specific kernel versions containing this patch vary across distributions.

Manizada recommends users to disable or blacklist the CIFS module if not in use, uninstall unnecessary cifs-utils packages, and disable unprivileged user namespaces to mitigate the risk.

Furthermore, Manizada has shared a proof-of-concept exploit for CIFSwitch to assist organizations in validating the effectiveness of applied patches and mitigations.

CIFSwitch is the latest in a series of privilege escalation vulnerabilities affecting Linux systems, following disclosures of ‘Copy Fail,’ ‘Dirty Frag,’ ‘Fragnesia,’ ‘DirtyDecrypt,’ and ‘PinTheft.’