** Summary changed: - cifs.upcall program in cifs-utils package incorrectly makes an upcall to different namespace in case of container environments + CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed: - In some cases, the cifs.upcall program from the cifs-utils package makes - an upcall to the wrong namespace in containerized environments. + BugLink: https://bugs.launchpad.net/bugs/2099914 + + [Impact] + + This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to + disclosing sensitive data from the host or container Kerberos credentials cache + by accessing the wrong credential cache that doesn't belong to the current user. Consider the following scenario: A CIFS/SMB file share is mounted on a host node using Kerberos authentication. - During the session setup phase, the Linux kernel's cifs.ko module makes - an upcall to user space to retrieve the Kerberos service ticket from the - credential cache. + During the session setup phase, the Linux kernel's cifs.ko module makes an + upcall to user space to retrieve the Kerberos service ticket from the credential + cache. - In typical (non-container) environments, this process works correctly, - but in containerized environments, the upcall may be directed to a - different namespace than intended, leading to issues. For example: + In typical (non-container) environments, this process works correctly, but in + containerized environments, the upcall may be directed to a different namespace + than intended, leading to issues. For example: - a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace. - b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath. - c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect. - d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessinng credential cache which doesn't belong to correct user. + a) The file share is mounted on the host node at /mnt/testshare1, meaning the + Kerberos credential cache is stored in the host's namespace. + b) A Docker container is created, and the file share path /mnt/testshare1 is + exported to the container at /sharedpath. + c) When the service ticket expires and the SMB connection is lost, before the + ticket is refreshed in the credential cache, an application inside the container + performs a file operation. This triggers the kernel to attempt a session + reconnect. + d) During the session setup, a Kerberos ticket is needed, so the kernel invokes + the cifs.upcall binary using the request_key function. However, cifs.upcall + switches to the namespace of the caller (i.e., the container), causing it to + attempt to read the credential cache from the container's namespace. But since + the original mount happened in the host namespace, the credential cache is + located on the host, not in the container. This results in the upcall failing + to access the correct credential cache or accessinng credential cache which + doesn't belong to correct user. + + [Fix] + + The fix adds a "upcall_target" mount parameter that needs to be present in both + the kernel and cifs-utils. "upcall_target" specifies what namespace to find the + kerberos credential cache, and takes options "mount" being the host namespace, + or "app", being the container namespace. The language is intended to suit + Kubernetes based usecases. + + The kernel requires the following commit: + + commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf + Author: Ritvik Budhiraja <rbudhir...@microsoft.com> + Date: Mon Nov 11 11:43:51 2024 +0000 + Subject: CIFS: New mount option for cifs.upcall namespace resolution + Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf + + This landed in 6.13 mainline, and is already in plucky. Oracular is a clean + cherry pick, noble and jammy requires a context adjustment backport and focal + needed a heavy backport. + + Test packages are available in the following ppa: + + <> + + In addition, a userspace fix is also needed in cifs-utils, with the following + commits: + + commit 89b679228cc1be9739d54203d28289b03352c174 + From: Ritvik Budhiraja <rbudhir...@microsoft.com> + Date: Tue, 19 Nov 2024 06:07:58 +0000 + Subject: CIFS.upcall to accomodate new namespace mount opt + Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 + + commit cf63240489431e98033e599a7c9437b59494a2e4 + From: Ritvik Budhiraja <rbudhir...@microsoft.com> + Date: Thu, 30 Jan 2025 14:13:10 +0000 + Subject: cifs-utils: add documentation for upcall_target + Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4 + + These were a part of 7.2 upstream. Plucky already has this release, so we just + need to fix oracular, noble, jammy and focal. + + Test packages are available in the following ppa: + + https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test + + If you install the test packages, you can now use the upcall_target argument + with either "mount" or "app" options. + + [Testcase] + + Deploy a fresh VM. - It fixed here: - https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 - Documentation: https://git.samba.org/?p=cifs- - utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4 + [Where problems can occur] + + We are adding a new mount option to cifs in both the kernel and in cifs- + utils. + + Existing cifs-utils packages need to not break when making upcalls to kernels + that have this new upcall_target option, and existing kernels need to not break + when using new cifs-utils packages that set upcall_target without the necessary + in kernel support. + + We need to be careful to test three scenarios: + * patched kernel, patched cifs-utils + * patched kernel, existing cifs-utils + * existing kernel, patched cifs-utils + + If a regression were to occur, it could affect mounting of cifs / smb shares and + users would not be able to access their data. + + Additionally, if a regression were to occur, we could also further confuse what + namespace is to be used for accessing the user's kerberos credentials cache, + which could disclose data from the host or container namespace to the incorrect + namespace. + + [Other info] + + CVE-2025-2312 + https://ubuntu.com/security/CVE-2025-2312 + https://nvd.nist.gov/vuln/detail/CVE-2025-2312 ** Changed in: linux (Ubuntu Focal) Assignee: Matthew Ruffell (mruffell) => Vinicius Peixoto (vpeixoto) ** Changed in: linux (Ubuntu Jammy) Assignee: Matthew Ruffell (mruffell) => Vinicius Peixoto (vpeixoto) ** Changed in: linux (Ubuntu Noble) Assignee: Matthew Ruffell (mruffell) => Vinicius Peixoto (vpeixoto) ** Changed in: linux (Ubuntu Oracular) Assignee: Matthew Ruffell (mruffell) => Vinicius Peixoto (vpeixoto) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2099914 Title: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache Status in cifs-utils package in Ubuntu: Fix Released Status in linux package in Ubuntu: Fix Released Status in cifs-utils source package in Focal: In Progress Status in linux source package in Focal: In Progress Status in cifs-utils source package in Jammy: In Progress Status in linux source package in Jammy: In Progress Status in cifs-utils source package in Noble: In Progress Status in linux source package in Noble: In Progress Status in cifs-utils source package in Oracular: In Progress Status in linux source package in Oracular: In Progress Status in cifs-utils source package in Plucky: Fix Released Status in linux source package in Plucky: Fix Released Bug description: BugLink: https://bugs.launchpad.net/bugs/2099914 [Impact] This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to disclosing sensitive data from the host or container Kerberos credentials cache by accessing the wrong credential cache that doesn't belong to the current user. Consider the following scenario: A CIFS/SMB file share is mounted on a host node using Kerberos authentication. During the session setup phase, the Linux kernel's cifs.ko module makes an upcall to user space to retrieve the Kerberos service ticket from the credential cache. In typical (non-container) environments, this process works correctly, but in containerized environments, the upcall may be directed to a different namespace than intended, leading to issues. For example: a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace. b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath. c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect. d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessinng credential cache which doesn't belong to correct user. [Fix] The fix adds a "upcall_target" mount parameter that needs to be present in both the kernel and cifs-utils. "upcall_target" specifies what namespace to find the kerberos credential cache, and takes options "mount" being the host namespace, or "app", being the container namespace. The language is intended to suit Kubernetes based usecases. The kernel requires the following commit: commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf Author: Ritvik Budhiraja <rbudhir...@microsoft.com> Date: Mon Nov 11 11:43:51 2024 +0000 Subject: CIFS: New mount option for cifs.upcall namespace resolution Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf This landed in 6.13 mainline, and is already in plucky. Oracular is a clean cherry pick, noble and jammy requires a context adjustment backport and focal needed a heavy backport. Test packages are available in the following ppa: <> In addition, a userspace fix is also needed in cifs-utils, with the following commits: commit 89b679228cc1be9739d54203d28289b03352c174 From: Ritvik Budhiraja <rbudhir...@microsoft.com> Date: Tue, 19 Nov 2024 06:07:58 +0000 Subject: CIFS.upcall to accomodate new namespace mount opt Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 commit cf63240489431e98033e599a7c9437b59494a2e4 From: Ritvik Budhiraja <rbudhir...@microsoft.com> Date: Thu, 30 Jan 2025 14:13:10 +0000 Subject: cifs-utils: add documentation for upcall_target Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4 These were a part of 7.2 upstream. Plucky already has this release, so we just need to fix oracular, noble, jammy and focal. Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test If you install the test packages, you can now use the upcall_target argument with either "mount" or "app" options. [Testcase] Deploy a fresh VM. [Where problems can occur] We are adding a new mount option to cifs in both the kernel and in cifs-utils. Existing cifs-utils packages need to not break when making upcalls to kernels that have this new upcall_target option, and existing kernels need to not break when using new cifs-utils packages that set upcall_target without the necessary in kernel support. We need to be careful to test three scenarios: * patched kernel, patched cifs-utils * patched kernel, existing cifs-utils * existing kernel, patched cifs-utils If a regression were to occur, it could affect mounting of cifs / smb shares and users would not be able to access their data. Additionally, if a regression were to occur, we could also further confuse what namespace is to be used for accessing the user's kerberos credentials cache, which could disclose data from the host or container namespace to the incorrect namespace. [Other info] CVE-2025-2312 https://ubuntu.com/security/CVE-2025-2312 https://nvd.nist.gov/vuln/detail/CVE-2025-2312 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
