| Title | CIFSwitch Vulnerability Exposes Some Linux Distros to Local Root Access |
|---|---|
| Date | Tuesday June 02, @03:39AM |
| Author | hubie |
A newly disclosed Linux local privilege escalation vulnerability, CIFSwitch, allows an unprivileged local user to gain root access on certain systems via the Linux kernel's CIFS client and the cifs-utils userspace helper. CIFS, also known as SMB, is a network file-sharing protocol commonly used to access Windows file shares from Linux and other platforms.
Security researcher Asim Manizada disclosed the issue, describing it as a non-universal Linux local root vulnerability since exploitability depends on specific distribution configurations. A public proof-of-concept exploit is available, increasing the urgency for patching and mitigation on affected systems.
CIFSwitch exists at the interface between the kernel CIFS client and cifs.upcall, the cifs-utils helper for Kerberos-authenticated CIFS/SMB mounts. While CIFS is commonly associated with Windows file shares, Linux systems can also mount SMB shares using the kernel CIFS client.
The vulnerability arises from how CIFS uses Linux keyrings. Normally, the kernel requests a cifs.spnego key, and the system's request-key configuration launches cifs.upcall as root to handle Kerberos/SPNEGO authentication.
According to the disclosure, the vulnerability allows an unprivileged userspace process to request a forged cifs.spnego key description. The kernel failed to properly reject descriptions not originating from kernel CIFS, and the default request-key rule could still launch cifs.upcall as root.
The userspace helper then parsed attacker-controlled fields, including pid, uid, creduid, and upcall_target, as if they were generated by the kernel. By setting upcall_target=app, the helper could switch into a namespace controlled by the attacker.
The attack is particularly dangerous because account lookup through NSS can occur before the final privilege drop. In this state, a namespace-local NSS configuration and module can be loaded by the root helper, enabling attacker-controlled code to run with root privileges.
[...] The good news is that CIFSwitch does not affect every Linux system by default. The researcher lists several required conditions: a vulnerable kernel, an affected cifs-utils version, the default cifs.spnego request-key rule, enabled unprivileged user and mount namespaces, and SELinux or AppArmor policies that do not block the attack chain.
The tested stock-exploitable systems listed in the disclosure include Linux Mint 21.3 and 22.3, CentOS Stream 9, Rocky Linux 9, Kali Linux 2021.4 through 2026.1 headless, AlmaLinux 9.7 and Azure cloud image, SLES 15 SP7, SLES SAP 15 SP7, and SLES SAP 16 with SELinux permissive.
Other systems are listed as exploitable under the default policy only if cifs-utils is installed manually. That group includes Ubuntu 18.04 LTS, 20.04 LTS, and 22.04 LTS, Debian 11 "Bullseye", 12 "Bookworm", and 13 "Trixie", Pop!_OS 22.04 and 24.04, openSUSE Leap 15.6, Rocky Linux 8 GenericCloud, Oracle Linux 8 and 9 KVM images, and Amazon Linux 2023 with SELinux permissive.
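As an added example (not from the disclosure, the article, or cifs-utils), the following POSIX shell audit checks the local preconditions the article lists: the cifs.spnego request-key rule, unprivileged user namespaces, and whether a MAC policy is active at all. The file paths are the usual Linux locations and are assumptions; the kernel and cifs-utils versions still have to be compared against the vendor advisory by hand, and an active SELinux or AppArmor policy does not by itself prove the chain is blocked.

```shell
#!/bin/sh
# Constructed audit of the CIFSwitch preconditions named in the article
# (vulnerable kernel and cifs-utils versions still need a manual check).
# All paths are the usual Linux locations and are assumptions.

# Condition: a request-key rule that launches cifs.upcall for cifs.spnego keys.
# Args: request-key config files or directories to scan.
spnego_rule_present() {
    grep -rEs '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall' "$@" >/dev/null
}

# Condition: unprivileged user (and hence mount) namespaces are available.
# $1: /proc/sys/user/max_user_namespaces (0 disables user namespaces entirely)
# $2: /proc/sys/kernel/unprivileged_userns_clone (Debian/Ubuntu knob, 0 disables;
#     absent on other kernels, which then allow unprivileged creation)
userns_unprivileged_enabled() {
    max=$(cat "$1" 2>/dev/null || echo 0)
    [ "$max" -gt 0 ] || return 1
    if [ -r "$2" ]; then
        [ "$(cat "$2")" -ne 0 ] || return 1
    fi
    return 0
}

# Condition: a MAC policy is at least active.  Active is not the same as
# blocking the chain, so the report wording says "active", never "safe".
# $1: /sys/fs/selinux/enforce   $2: /sys/module/apparmor/parameters/enabled
mac_active() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; then return 0; fi
    if [ -r "$2" ] && [ "$(cat "$2")" = "Y" ]; then return 0; fi
    return 1
}

# One line per condition; "yes" on every line means all distribution-level
# preconditions from the article are met on this host.
report() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "$label: yes"; else echo "$label: no"; fi
}
audit() {
    echo "kernel $(uname -r): compare kernel and cifs-utils versions with the vendor advisory"
    report "cifs.upcall installed" command -v cifs.upcall
    report "cifs.spnego request-key rule present" spnego_rule_present /etc/request-key.conf /etc/request-key.d
    report "unprivileged user namespaces enabled" userns_unprivileged_enabled \
        /proc/sys/user/max_user_namespaces /proc/sys/kernel/unprivileged_userns_clone
    report "MAC policy active (still review whether it blocks the chain)" mac_active \
        /sys/fs/selinux/enforce /sys/module/apparmor/parameters/enabled
}

audit
```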
printed from SoylentNews, CIFSwitch Vulnerability Exposes Some Linux Distros to Local Root Access on 2026-06-17 08:00:38