CIFSwitch Linux Kernel Bug: Any Logged-In User Gets Root

A 19-year-old local privilege escalation in the Linux kernel's CIFS subsystem lets any logged-in user become root with one command. CIFSwitch was disclosed May 27th — researcher Asim Manizada published a working proof-of-concept on GitHub. The kernel's CIFS code doesn't verify whether a cifs.spnego key request actually came from the kernel itself. An unprivileged user can forge the same request from userspace, which causes the kernel to run the cifs.upcall helper as root. The helper then switches into the user's namespace and looks up the user account while still running as root — and that lookup loads NSS modules from the attacker's controlled namespace, giving them arbitrary code execution as root. There is no remote vector; the attacker has to already have an account on the box. Default installs of Linux Mint 21.3/22.3, CentOS Stream 9, Rocky 9, AlmaLinux 9, Kali Linux, and SLES 15 SP7 are vulnerable; Ubuntu, Debian, Pop_OS, openSUSE, Oracle Linux, and Amazon Linux are exposed if cifs-utils is installed. The upstream kernel patch is merged; distro updates are rolling out. On systems where the patch hasn't landed, AppArmor and SELinux defaults block exploitation, and uninstalling cifs-utils removes the attack surface entirely if you don't mount Windows shares. Sources: https://heyitsas.im/posts/cifswitch/ https://www.bleepingcomputer.com/news/security/new-cifswitch-linux-flaw-gives-root-on-multiple-distributions/ More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday. #cybersecurity #linux #linuxsecurity #kernel #privilegeescalation