** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2099914
  
  [Impact]
  
  This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
  disclosing sensitive data from the host or container Kerberos credentials
  cache by accessing the wrong credential cache, one that doesn't belong to the
  current user.
  
  Consider the following scenario:
  
  A CIFS/SMB file share is mounted on a host node using Kerberos
  authentication.
  
  During the session setup phase, the Linux kernel's cifs.ko module makes an
  upcall to user space to retrieve the Kerberos service ticket from the
  credential cache.
  
  In typical (non-container) environments, this process works correctly, but in
  containerized environments, the upcall may be directed to a different
  namespace than intended, leading to issues. For example:
  
  a) The file share is mounted on the host node at /mnt/testshare1, meaning the
  Kerberos credential cache is stored in the host's namespace.
  b) A Docker container is created, and the file share path /mnt/testshare1 is
  exported to the container at /sharedpath.
  c) When the service ticket expires and the SMB connection is lost, before the
  ticket is refreshed in the credential cache, an application inside the
  container performs a file operation. This triggers the kernel to attempt a
  session reconnect.
  d) During the session setup, a Kerberos ticket is needed, so the kernel
  invokes the cifs.upcall binary using the request_key function. However,
  cifs.upcall switches to the namespace of the caller (i.e., the container),
  causing it to attempt to read the credential cache from the container's
  namespace. But since the original mount happened in the host namespace, the
  credential cache is located on the host, not in the container. This results
  in the upcall failing to access the correct credential cache, or accessing a
  credential cache which doesn't belong to the correct user.
  
  [Fix]
  
  The fix adds an "upcall_target" mount parameter that needs to be present in
  both the kernel and cifs-utils. "upcall_target" specifies in what namespace
  to find the Kerberos credential cache, and takes the options "mount", being
  the host namespace, or "app", being the container namespace. The language is
  intended to suit Kubernetes-based use cases.
  
  The kernel requires the following commit:
  
  commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
  Author: Ritvik Budhiraja <rbudhir...@microsoft.com>
  Date:  Mon Nov 11 11:43:51 2024 +0000
  Subject: CIFS: New mount option for cifs.upcall namespace resolution
  Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
  
  This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
  cherry-pick, noble and jammy require a backport with context adjustments, and
  focal needed a heavy backport.
  
  Test packages are available in the following ppa:
  
- <>
+ <Vinicius test kernel ppa>
  
  In addition, a userspace fix is also needed in cifs-utils, with the following
  commits:
  
  commit 89b679228cc1be9739d54203d28289b03352c174
  From: Ritvik Budhiraja <rbudhir...@microsoft.com>
  Date: Tue, 19 Nov 2024 06:07:58 +0000
  Subject: CIFS.upcall to accomodate new namespace mount opt
  Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
  
  commit cf63240489431e98033e599a7c9437b59494a2e4
  From: Ritvik Budhiraja <rbudhir...@microsoft.com>
  Date: Thu, 30 Jan 2025 14:13:10 +0000
  Subject: cifs-utils: add documentation for upcall_target
  Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
  
  These were part of the 7.2 upstream release. Plucky already has this release,
  so we just need to fix oracular, noble, jammy and focal.
  
  Test packages are available in the following ppa:
  
  https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
  
  If you install the test packages, you can now use the upcall_target argument
  with either "mount" or "app" options.
  
  [Testcase]
  
- Deploy a fresh VM.
- 
- 
+ Some knowledge of kerberos will go a long way to help you make this all
+ work.
+ 
+ We should be able to do all testing on the same VM.
+ 
+ 1) Create a fresh VM
+ 2) sudo apt update
+ 3) sudo apt upgrade
+ 4) sudo hostnamectl set-hostname samba-dc
+ 5) sudo vim /etc/hosts
+ Add an entry with its IP address, e.g.:
+ 192.168.122.124 samba-dc samba-dc.example.com
+ 6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
+ Note: skip config of kerberos KDC.
+ 7) sudo rm /etc/krb5.conf
+ 8) sudo rm /etc/samba/smb.conf
+ 9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
+ 10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+ 11) sudo systemctl mask smbd nmbd winbind
+ 12) sudo systemctl disable smbd nmbd winbind
+ 13) sudo systemctl stop smbd nmbd winbind
+ 14) sudo systemctl unmask samba-ad-dc
+ 15) sudo systemctl start samba-ad-dc
+ 16) sudo systemctl enable samba-ad-dc
+ 17) sudo reboot
+ 18) sudo systemctl stop systemd-resolved
+ 19) sudo systemctl disable systemd-resolved
+ 20) cat << EOF >> /etc/resolv.conf
+ nameserver 192.168.122.124
+ search SAMBA
+ EOF
+ 21) sudo reboot
+ 22) host -t SRV _ldap._tcp.samba-dc.example.com
+ _ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
+ 23) $ smbclient -L localhost -N
+ Anonymous login successful
+ 
+  Sharename Type Comment
+  --------- ---- -------
+  sysvol Disk
+  netlogon Disk
+  IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
+ SMB1 disabled -- no workgroup available
+ 24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
+ Enter SAMBA\Administrator's password:
+   . D 0 Mon Feb 28 04:23:22 2022
+   .. D 0 Mon Feb 28 04:23:27 2022
+ 
+   9983232 blocks of size 1024. 7995324 blocks available
+ 25) kinit administrator
+ Password for administra...@samba-dc.example.com: 
+ Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
+ 26) klist
+ Ticket cache: FILE:/tmp/krb5cc_1000
+ Default principal: administra...@samba-dc.example.com
+ 
+ Valid starting     Expires            Service principal
+ 04/09/25 02:53:27  04/09/25 12:53:27  krbtgt/samba-dc.example....@samba-dc.example.com
+       renew until 04/10/25 02:53:22
+ 27) Create a share:
+ 28) sudo mkdir -p /srv/samba/Demo/
+ 29) sudo vim /etc/samba/smb.conf
+ [Demo]
+  path = /srv/samba/Demo/
+  read only = no
+ 30) sudo chmod 0770 /srv/samba/Demo/
+ 31) smbclient -U Administrator //samba-dc.example.com/demo
+ Password for [SAMBA\Administrator]:
+ Try "help" to get a list of possible commands.
+ smb: \> 
+ 32) smbclient -U Administrator --use-krb5-ccache=/tmp/krb5cc_1000 //samba-dc.example.com/demo
+ Try "help" to get a list of possible commands.
+ smb: \> 
+ 33) klist
+ Ticket cache: FILE:/tmp/krb5cc_1000
+ Default principal: administra...@samba-dc.example.com
+ 
+ Valid starting     Expires            Service principal
+ 04/09/25 02:53:27  04/09/25 12:53:27  krbtgt/samba-dc.example....@samba-dc.example.com
+       renew until 04/10/25 02:53:22
+ 04/09/25 02:58:16  04/09/25 12:53:27  cifs/samba-dc.example....@example.com
+       renew until 04/10/25 02:53:22
+       Ticket server: cifs/samba-dc.example....@samba-dc.example.com
+ 04/09/25 02:58:16  04/09/25 12:53:27  cifs/samba-dc.example....@samba-dc.example.com
+       renew until 04/10/25 02:53:22
+ 34) sudo -s
+ 35) # kinit administra...@samba-dc.example.com
+ Password for administra...@samba-dc.example.com: 
+ Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
+ # klist
+ Ticket cache: FILE:/tmp/krb5cc_0
+ Default principal: administra...@samba-dc.example.com
+ 
+ Valid starting     Expires            Service principal
+ 04/09/25 03:26:10  04/09/25 13:26:10  krbtgt/samba-dc.example....@samba-dc.example.com
+       renew until 04/10/25 03:26:06
+ 36) # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
+ 37) # klist
+ Ticket cache: FILE:/tmp/krb5cc_0
+ Default principal: administra...@samba-dc.example.com
+ 
+ Valid starting     Expires            Service principal
+ 04/09/25 03:26:10  04/09/25 13:26:10  krbtgt/samba-dc.example....@samba-dc.example.com
+       renew until 04/10/25 03:26:06
+ 04/09/25 03:30:26  04/09/25 13:26:10  cifs/samba-dc.example.com@
+       renew until 04/10/25 03:26:06
+       Ticket server: cifs/samba-dc.example....@samba-dc.example.com
+ 38) journalctl
+ kernel: netfs: FS-Cache loaded
+ kernel: Key type cifs.spnego registered
+ kernel: Key type cifs.idmap registered
+ kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
+ kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
+ kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
+ kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
+ cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
+ cifs.upcall[1806]: ver=2
+ cifs.upcall[1806]: host=samba-dc.example.com
+ cifs.upcall[1806]: ip=192.168.122.124
+ cifs.upcall[1806]: sec=1
+ cifs.upcall[1806]: uid=0
+ cifs.upcall[1806]: creduid=0
+ cifs.upcall[1806]: user=root
+ cifs.upcall[1806]: pid=1774
+ cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
+ cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
+ cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
+ cifs.upcall[1805]: handle_krb5_mech: using native krb5
+ cifs.upcall[1805]: handle_krb5_mech: obtained service ticket
+ cifs.upcall[1805]: Exit status 0
+ 
+ Take note of the line:
+ get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
+ 
+ 39) # stat /mnt/testshare1
+   File: /mnt/testshare1
+   Size: 0             Blocks: 0          IO Block: 1048576 directory
+ Device: 0,41  Inode: 297860      Links: 2
+ Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
+ Access: 2025-04-09 02:54:45.264000000 +0000
+ Modify: 2025-04-09 02:54:45.264000000 +0000
+ Change: 2025-04-09 02:54:45.264000000 +0000
+  Birth: 2025-04-09 02:54:45.264000000 +0000
+ 40) sudo apt install docker.io
+ 41) docker pull ubuntu:24.04
+ 42) docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest 
ubuntu:24.04 /bin/bash
+ 43) root@685c7e420afc:/# stat /mnt/shared
+   File: /mnt/shared
+   Size: 0             Blocks: 0          IO Block: 1048576 directory
+ Device: 0,41  Inode: 297860      Links: 2
+ Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
+ Access: 2025-04-09 02:54:45.264000000 +0000
+ Modify: 2025-04-09 02:54:45.264000000 +0000
+ Change: 2025-04-09 02:54:45.264000000 +0000
+  Birth: 2025-04-09 02:54:45.264000000 +0000
+ root@685c7e420afc:/# ls /mnt/shared
+ 44) root@685c7e420afc:/# apt install krb5-user
+ 45) root@685c7e420afc:/# vim /etc/krb5.conf
+ Edit default_cache_name to /tmp/krb5cc_000, then save and exit.
+ 46) Back on the host in root:
+ # kdestroy
+ # umount /mnt/testshare1
+ 47) Back in the container:
+ root@685c7e420afc:/# stat /mnt/shared
+ 48) Back on the host in root:
+ # journalctl 
+ CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
+ CIFS: VFS: //samba-dc.example.com/demo Send error in SessSetup = -126
+ cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
+ cifs.upcall[1806]: ver=2
+ cifs.upcall[1806]: host=samba-dc.example.com
+ cifs.upcall[1806]: ip=192.168.122.124
+ cifs.upcall[1806]: sec=1
+ cifs.upcall[1806]: uid=0
+ cifs.upcall[1806]: creduid=0
+ cifs.upcall[1806]: user=root
+ cifs.upcall[1806]: pid=2162
+ cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
+ cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
+ check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_000)
+ cifs.upcall: get_tgt_time: unable to get principal
+ cifs.upcall: main: valid TGT is not present in credential cache
+ cifs.upcall: krb5_parse_name: -1765328160
+ cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
+ cifs.upcall[1805]: handle_krb5_mech: using native krb5
+ 
+ Note that it now tries to read /tmp/krb5cc_000 from the container namespace
+ instead of /tmp/krb5cc_0 from the host namespace.
+ 
+ If you install the test packages from the following ppas:
+ 
+ <Vinicius test kernel ppa>
+ https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
+ 
+ When you initially mount the cifs filesystem, use the new mount option
+ upcall_target=mount.
+ 
+ # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1
+ 
+ Repeat the testcase. When we disconnect the cifs connection and try stat inside
+ the container, the Kerberos credential cache should be /tmp/krb5cc_0 in the
+ host namespace.
+ 
+ get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
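As an added illustration (not part of the bug report, the kernel, or cifs-utils), the script below correlates cifs.upcall journal lines of the kind shown above: it pairs each upcall's key description with the ccache that upcall resolved, and flags any upcall that opened a cache other than the one the mount was established with. The journal sample, the second upcall's pids and the expected-cache map are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the journalctl output in the testcase: the
# first upcall resolves the host cache, the second (pid 2201 is made up) is
# the reconnect from inside the container that resolved /tmp/krb5cc_000.
SAMPLE_JOURNAL = """\
cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2201]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x872
cifs.upcall[2201]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
"""

# Cache each mount was established with (SMB host -> ccache); constructed.
EXPECTED = {"samba-dc.example.com": "FILE:/tmp/krb5cc_0"}

KEYDESC_RE = re.compile(r"cifs\.upcall\[(\d+)\]: key description: (\S+)")
CCACHE_RE = re.compile(r"cifs\.upcall\[(\d+)\]: get_existing_cc: default ccache is (\S+)")


def parse_key_description(desc: str) -> Dict[str, str]:
    """Split 'cifs.spnego;0;0;...;host=...;creduid=0x0;...' into its k=v fields."""
    fields: Dict[str, str] = {}
    for part in desc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def audit_upcalls(journal: str, expected: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """Return (host, creduid, ccache, ok) for every upcall that logged a ccache.

    Key description and ccache lines share the cifs.upcall pid in brackets;
    ok is False when the resolved cache differs from the mount's expected one.
    """
    pending: Dict[str, Dict[str, str]] = {}
    findings: List[Tuple[str, str, str, bool]] = []
    for line in journal.splitlines():
        m = KEYDESC_RE.search(line)
        if m:
            pending[m.group(1)] = parse_key_description(m.group(2))
            continue
        m = CCACHE_RE.search(line)
        if m and m.group(1) in pending:
            fields = pending.pop(m.group(1))
            host, ccache = fields.get("host", "?"), m.group(2)
            findings.append((host, fields.get("creduid", "?"), ccache, expected.get(host) == ccache))
    return findings


if __name__ == "__main__":
    for host, creduid, ccache, ok in audit_upcalls(SAMPLE_JOURNAL, EXPECTED):
        print(f"{'ok' if ok else 'MISMATCH'}: {host} creduid={creduid} resolved {ccache}")
```

On a live system the same function can be fed `journalctl -t cifs.upcall` output to confirm that reconnects triggered from containers keep resolving the host cache once upcall_target=mount is in use.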
  
  [Where problems can occur]
  
  We are adding a new mount option to cifs in both the kernel and in cifs-utils.
  
  Existing cifs-utils packages need to not break when making upcalls to kernels
  that have this new upcall_target option, and existing kernels need to not
  break when using new cifs-utils packages that set upcall_target without the
  necessary in-kernel support.
  
  We need to be careful to test three scenarios:
  * patched kernel, patched cifs-utils
  * patched kernel, existing cifs-utils
  * existing kernel, patched cifs-utils
  
  If a regression were to occur, it could affect mounting of cifs / smb shares
  and users would not be able to access their data.
  
  Additionally, if a regression were to occur, we could also further confuse
  what namespace is to be used for accessing the user's kerberos credentials
  cache, which could disclose data from the host or container namespace to the
  incorrect namespace.
  
  [Other info]
  
  CVE-2025-2312
  https://ubuntu.com/security/CVE-2025-2312
  https://nvd.nist.gov/vuln/detail/CVE-2025-2312

** Tags added: sts


Title:
  CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials
  cache



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
