New CIFSwitch Vulnerability in Linux Enables Full Root Compromise
Key points :
- The CIFSwitch vulnerability allows any local user without administrator privileges to gain full root access on Linux systems running cifs-utils 6.14 or later with CIFS enabled.
- The vulnerability remained hidden in the Linux ecosystem since 2007 and was discovered using AI-based semantic graph analysis instead of traditional manual code review methods.
- Security researchers confirmed successful exploitation on multiple Linux distributions, including Linux Mint, Kali Linux, Rocky Linux, AlmaLinux, CentOS Stream 9, and several SUSE Enterprise versions, with a public proof-of-concept (PoC) exploit now available.
CIFSwitch Vulnerability Details:
The newly discovered local privilege escalation (LPE) vulnerability, dubbed CIFSwitch, exposes a critical design flaw in the Linux kernel’s CIFS (Common Internet File System) client that has been latent since 2007.
The bug allows any low-privileged local user to elevate themselves to full root access by exploiting a missing validation check between the kernel CIFS subsystem and the userspace `cifs-utils` helper.
This vulnerability is especially concerning given that it is the fourth major Linux kernel privilege escalation requiring immediate action in just a matter of weeks, following recent flaws like “Copy Fail,” “Dirty Frag,” and “Fragnesia”. With a public Proof-of-Concept (PoC) already released, system administrators must act immediately to prevent unauthorized root access.
The root cause
The kernel lacks a `.vet_description` hook for the cifs_spnego_key_type. This omission means the kernel does not verify whether a request for a `cifs.spnego` key originated from the trusted CIFS subsystem or from a malicious user process.
An attacker can exploit this by calling `request_key()` or `add_key()` directly, forging the key description to include malicious parameters like `pid` and upcall_target.
How the Exploit Works
For exploitation requires a vulnerable kernel, a compatible cifs-utils version, and unprivileged user namespace creation. Many mainstream Linux distributions have been found vulnerable out-of-the-box when cifs-utils is present, while others require adjustments to Linux Security Module (LSM) policies.
- Fake Request Creation:
An attacker with basic local access creates a fake cifs.spnego request and sends it to the Linux kernel. - Root Privilege Abuse:
The kernel automatically launches the cifs.upcall helper tool with root privileges, trusting the request as legitimate.- Namespace Hijacking:
By abusing Linux namespace settings, the attacker tricks the root process into operating inside an attacker-controlled environment.
- Namespace Hijacking:
- Malicious Code Execution:
The attacker places a fake nsswitch.conf file and a malicious shared library inside this environment. When the root process performs a system lookup, it unknowingly loads and executes the attacker’s malicious code as root. - Full Root Access:
The public proof-of-concept exploit ultimately adds a NOPASSWD: ALL entry to the sudoers configuration, allowing the attacker to gain unrestricted root access to the Linux system.
Asim Manizada has published the full technical write-up (“CIFSwitch”) and the PoC exploit on GitHub to support defenders, maintainers, and incident responders in verifying mitigations and patch coverage.
Recommendation on security patches
The kernel patch introduces a vet_description hook for the CIFS.Spnego key type to verify that descriptions are requested under the CIFS client’s internal spnego_cred.
This measure prevents unprivileged userspace from posing as the kernel. Additional hardening is advised to ensure cifs-upcall does not blindly trust kernel-originated descriptions.
Administrators should urgently deploy the backported kernel patches and consider defense-in-depth measures such as disabling CIFS where unused, removing cifs-utils, and tightening request-key rules for cifs. spnego, and restricting unprivileged user namespaces.
Recent Comments