Issue
Customers ask whether CloudLinux is affected by the CIFSwitch cifs.spnego local privilege escalation vulnerability, whether a CloudLinux or KernelCare fix is available, and how to check or mitigate exposure safely.
Common customer questions include:
- Is CloudLinux aware of the CIFSwitch vulnerability?
- Is a CloudLinux kernel or KernelCare patch planned?
- Is a non-zero user.max_user_namespaces value safe on CloudLinux shared hosting servers?
- How can customers check whether their server is exposed?
- How can customers mitigate the issue without affecting hosted users?
Environment
- CloudLinux OS 7h, 8, 9, or 10
- CloudLinux for Ubuntu 22.04 LTS
- CIFS / SMB client functionality
- cifs-utils
- KernelCare
Solution
Target versions:
- CL7h: kernel-4.18.0-553.126.2.lve.el7h or newer
- CL8: kernel-4.18.0-553.126.2.lve.el8 or newer
To install immediately without waiting for the gradual stable rollout:
yum update cloudlinux-release --enablerepo=cloudlinux-updates-testing
yum update --enablerepo=cloudlinux-rollout-4-bypass 'kernel*'
reboot
Patched LTS kernels are released to the beta channel.
Target versions:
- CL8 LTS: kernel-lts-5.14.0-284.1101.el8.tuxcare.11.els2 or newer
- CL9 LTS: kernel-lts-5.14.0-284.1101.el9.tuxcare.11.els2 or newer
Update with:
dnf update 'kernel-lts*' --enablerepo=cloudlinux-updates-testing
reboot
Patches for CL10 and CloudLinux for Ubuntu 22.04 (Jammy) are now available in the testing feed. Apply immediately with:
kcarectl --update --prefix test
CloudLinux is aware of the CIFSwitch vulnerability and is tracking mitigation, kernel update, and KernelCare livepatch availability in the official advisory:
CIFSwitch (cifs.spnego LPE): Mitigation and Kernel Update on CloudLinux
Use the advisory as the source of truth for:
- affected CloudLinux versions
- exposure-check commands
- temporary mitigation options
- kernel update instructions
- KernelCare livepatch status
- verification steps after patching or livepatching
A non-zero user.max_user_namespaces value alone does not confirm that the server is vulnerable. According to the advisory, exposure depends on the full set of required conditions, including whether cifs-utils is installed and whether unprivileged user namespaces are permitted.
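A pre-check for the two conditions named above, as an added example that is not taken from the advisory or from CloudLinux tooling. It assumes user.max_user_namespaces is the only namespace control in play and that cifs-utils is installed through rpm or dpkg; the function names and verdict strings are illustrative, and a "follow-advisory" result means both conditions are present, not that the server is confirmed vulnerable.

```shell
#!/bin/sh
# Added example: checks only the two exposure conditions this page names.
# The exposure-check commands in the official advisory stay authoritative.

# Print the current user.max_user_namespaces value (nothing if the sysctl is absent).
read_max_user_ns() {
    f=/proc/sys/user/max_user_namespaces
    if [ -r "$f" ]; then cat "$f"; fi
}

# Print "yes" if the cifs-utils package is installed (rpm or dpkg), else "no".
cifs_utils_installed() {
    if command -v rpm >/dev/null 2>&1 && rpm -q cifs-utils >/dev/null 2>&1; then
        echo yes
    elif command -v dpkg-query >/dev/null 2>&1 &&
         dpkg-query -W -f='${Status}' cifs-utils 2>/dev/null | grep -q 'ok installed'; then
        echo yes
    else
        echo no
    fi
}

# Pure decision step, kept separate so it can be exercised with constructed input.
#   $1 = user.max_user_namespaces value ("" when it could not be read)
#   $2 = "yes" or "no" for cifs-utils installed
cifswitch_precheck() {
    max_ns=$1
    cifs=$2
    case $max_ns in
        ''|*[!0-9]*)   # missing or non-numeric: do not guess
            echo "cifs-utils=$cifs userns=unknown verdict=unknown"
            return 0 ;;
    esac
    if [ "$max_ns" -gt 0 ]; then userns=yes; else userns=no; fi
    # A non-zero namespace limit alone is not enough; cifs-utils must be present too.
    if [ "$cifs" = yes ] && [ "$userns" = yes ]; then
        verdict=follow-advisory
    else
        verdict=precondition-missing
    fi
    echo "cifs-utils=$cifs userns=$userns verdict=$verdict"
}

# Report for the local host.
cifswitch_precheck "$(read_max_user_ns)" "$(cifs_utils_installed)"
```

The running kernel version is deliberately not compared here, because a KernelCare livepatch does not change what uname -r reports.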
Cause
CIFSwitch is a local privilege escalation vulnerability in the Linux kernel CIFS / SMB client's SPNEGO upcall path. The issue is reachable when the server has cifs-utils installed and unprivileged user namespaces are permitted.
The vulnerability is related to missing validation of cifs.spnego key requests. As a result, the system may trust a forged userspace request as if it originated from the kernel CIFS subsystem.