German security researcher Stefan Esser has discovered multiple vulnerabilities in smbfs, the mountable SMB (Server Message Block) file system for Linux.
In an advisory made public Wednesday, Esser said the bugs theoretically could crash the kernel or leak kernel memory with the help of the SMB server. The alert carries a “moderately critical” rating.
The vulnerabilities have been corrected in Linux 2.4.28. A final patch for the 2.6 kernel is being developed.
The flaws were discovered during a code audit done by German security consulting firm e-matters GmbH, where Esser is chief security officer. In the alert, the company said an attacker would need to have control over the answers of the connected SMB server to exploit the flaws.
This could be achieved by man-in-the-middle attacks or by taking over the SMB server through a recently disclosed vulnerability in Samba 3.x, the company said. Samba is an open-source implementation of Microsoft's SMB/CIFS protocol for file and printer sharing.
Samba lets a non-Windows server speak the same networking protocol as Windows products, while smbfs is a kernel module that provides a client for that protocol.
“While any of these vulnerabilities can be easily used as remote denial-of-service exploits against Linux systems, it is unclear if it is possible for a skilled local or remote attacker to use any of the possible buffer overflows for arbitrary code execution in kernel space,” e-matters said.
Attack vectors include malicious data count overflow, malicious data offset information leak and several DoS (denial-of-service) scenarios.
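The two bug classes named above, a server-supplied data count and data offset that the client trusts without bounding them by the bytes it actually received, as an added C example; this is not smbfs's code, and the header layout, function names and 64-byte response are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed response layout for illustration only; it is not smbfs's real
 * structure, just the two server-controlled fields this bug class hinges on. */
struct resp_hdr {
    uint16_t data_count;   /* payload length claimed by the server */
    uint16_t data_offset;  /* payload start, relative to the buffer start */
};

/* Bug pattern: the sum is computed in the header's 16-bit width, so a large
 * offset plus count can wrap to a small value and pass the check. */
int naive_in_bounds(uint16_t data_offset, uint16_t data_count, size_t received)
{
    uint16_t end = (uint16_t)(data_offset + data_count);
    return end <= received;
}

/* Hardened: widen before comparing, bound both fields by the bytes actually
 * received (never by a length the server itself claims), and fail closed. */
const uint8_t *payload_checked(const uint8_t *buf, size_t received, size_t *out_len)
{
    struct resp_hdr h;
    if (buf == NULL || received < sizeof h) return NULL;
    memcpy(&h, buf, sizeof h);
    size_t off = h.data_offset, cnt = h.data_count;
    if (off < sizeof h || off > received || cnt > received - off) return NULL;
    *out_len = cnt;
    return buf + off;
}

/* Construct a 64-byte response whose header fields the caller chooses,
 * standing in for whatever a hostile or hijacked server might send. */
size_t build_response(uint8_t *buf, uint16_t data_count, uint16_t data_offset)
{
    struct resp_hdr h = { data_count, data_offset };
    memset(buf, 0x41, 64);
    memcpy(buf, &h, sizeof h);
    return 64;
}
```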