Local Privilege Escalation “CIFSwitch” Gives Root on Major Linux Distributions
What Happened – Researchers disclosed a new Linux kernel flaw, dubbed CIFSwitch, that lets an unprivileged user forge CIFS SPNEGO key requests, abuse the kernel’s key‑request mechanism, and obtain root privileges. The vulnerability affects multiple Linux distributions that ship vulnerable kernel CIFS and cifs‑utils versions (≥ 6.14).
Why It Matters for TPRM –
- Any third‑party service that runs on affected Linux hosts (cloud VMs, SaaS back‑ends, on‑prem servers) could be compromised by a malicious insider or a breached user.
- Root compromise enables attackers to bypass existing security controls, install persistence mechanisms, and exfiltrate data from downstream services.
- Patch cycles vary across vendors; some widely‑used distros remain vulnerable in default configurations.
Who Is Affected – Cloud‑hosted workloads, SaaS platforms, managed service providers, and any organization that relies on Linux distributions such as Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, SLES 15 SP7, Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, etc.
Recommended Actions –
- Inventory all Linux assets and verify kernel and cifs‑utils versions.
- Apply vendor‑supplied patches or upgrade to kernel 6.15+ where available.
- If immediate patching isn’t possible, mitigate by disabling CIFS mounts that use Kerberos/SPNEGO or enforcing SELinux/AppArmor policies that block the cifs.upcall helper.
- Review privileged‑access monitoring and enforce least‑privilege for local accounts.
Technical Notes – The flaw resides in the CIFS subsystem’s handling of cifs.spnego key requests. An attacker can craft a malicious request, trigger a namespace switch, and load a malicious NSS module before privileges are dropped, achieving root code execution. Exploitation requires a vulnerable kernel, matching cifs‑utils, user namespaces enabled, and permissive SELinux/AppArmor policies. Source: BleepingComputer