[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Matthew Ruffell
2099914 at bugs.launchpad.net
Wed Apr 9 02:27:08 UTC 2025
** Summary changed:
- cifs.upcall program in cifs-utils package incorrectly makes an upcall to different namespace in case of container environments
+ CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
** Description changed:
- In some cases, the cifs.upcall program from the cifs-utils package makes
- an upcall to the wrong namespace in containerized environments.
+ BugLink: https://bugs.launchpad.net/bugs/2099914
+
+ [Impact]
+
+ This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
+ disclosing sensitive data from the host or container Kerberos credentials cache
+ by accessing the wrong credential cache that doesn't belong to the current user.
Consider the following scenario:
A CIFS/SMB file share is mounted on a host node using Kerberos
authentication.
- During the session setup phase, the Linux kernel's cifs.ko module makes
- an upcall to user space to retrieve the Kerberos service ticket from the
- credential cache.
+ During the session setup phase, the Linux kernel's cifs.ko module makes an
+ upcall to user space to retrieve the Kerberos service ticket from the credential
+ cache.
- In typical (non-container) environments, this process works correctly,
- but in containerized environments, the upcall may be directed to a
- different namespace than intended, leading to issues. For example:
+ In typical (non-container) environments, this process works correctly, but in
+ containerized environments, the upcall may be directed to a different namespace
+ than intended, leading to issues. For example:
- a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace.
- b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath.
- c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect.
- d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessinng credential cache which doesn't belong to correct user.
+ a) The file share is mounted on the host node at /mnt/testshare1, meaning the
+ Kerberos credential cache is stored in the host's namespace.
+ b) A Docker container is created, and the file share path /mnt/testshare1 is
+ exported to the container at /sharedpath.
+ c) When the service ticket expires and the SMB connection is lost, before the
+ ticket is refreshed in the credential cache, an application inside the container
+ performs a file operation. This triggers the kernel to attempt a session
+ reconnect.
+ d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
+ the cifs.upcall binary using the request_key function. However, cifs.upcall
+ switches to the namespace of the caller (i.e., the container), causing it to
+ attempt to read the credential cache from the container's namespace. But since
+ the original mount happened in the host namespace, the credential cache is
+ located on the host, not in the container. This results in the upcall failing
+ to access the correct credential cache or accessinng credential cache which
+ doesn't belong to correct user.
+
+ [Fix]
+
+ The fix adds a "upcall_target" mount parameter that needs to be present in both
+ the kernel and cifs-utils. "upcall_target" specifies what namespace to find the
+ kerberos credential cache, and takes options "mount" being the host namespace,
+ or "app", being the container namespace. The language is intended to suit
+ Kubernetes based usecases.
+
+ The kernel requires the following commit:
+
+ commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
+ Author: Ritvik Budhiraja <rbudhiraja at microsoft.com>
+ Date: Mon Nov 11 11:43:51 2024 +0000
+ Subject: CIFS: New mount option for cifs.upcall namespace resolution
+ Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
+
+ This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
+ cherry pick, noble and jammy requires a context adjustment backport and focal
+ needed a heavy backport.
+
+ Test packages are available in the following ppa:
+
+ <>
+
+ In addition, a userspace fix is also needed in cifs-utils, with the following
+ commits:
+
+ commit 89b679228cc1be9739d54203d28289b03352c174
+ From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
+ Date: Tue, 19 Nov 2024 06:07:58 +0000
+ Subject: CIFS.upcall to accomodate new namespace mount opt
+ Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
+
+ commit cf63240489431e98033e599a7c9437b59494a2e4
+ From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
+ Date: Thu, 30 Jan 2025 14:13:10 +0000
+ Subject: cifs-utils: add documentation for upcall_target
+ Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
+
+ These were a part of 7.2 upstream. Plucky already has this release, so we just
+ need to fix oracular, noble, jammy and focal.
+
+ Test packages are available in the following ppa:
+
+ https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
+
+ If you install the test packages, you can now use the upcall_target argument
+ with either "mount" or "app" options.
+
+ [Testcase]
+
+ Deploy a fresh VM.
- It fixed here:
- https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
- Documentation: https://git.samba.org/?p=cifs-
- utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
+ [Where problems can occur]
+
+ We are adding a new mount option to cifs in both the kernel and in cifs-
+ utils.
+
+ Existing cifs-utils packages need to not break when making upcalls to kernels
+ that have this new upcall_target option, and existing kernels need to not break
+ when using new cifs-utils packages that set upcall_target without the necessary
+ in kernel support.
+
+ We need to be careful to test three scenarios:
+ * patched kernel, patched cifs-utils
+ * patched kernel, existing cifs-utils
+ * existing kernel, patched cifs-utils
+
+ If a regression were to occur, it could affect mounting of cifs / smb shares and
+ users would not be able to access their data.
+
+ Additionally, if a regression were to occur, we could also further confuse what
+ namespace is to be used for accessing the user's kerberos credentials cache,
+ which could disclose data from the host or container namespace to the incorrect
+ namespace.
+
+ [Other info]
+
+ CVE-2025-2312
+ https://ubuntu.com/security/CVE-2025-2312
+ https://nvd.nist.gov/vuln/detail/CVE-2025-2312
** Changed in: linux (Ubuntu Focal)
Assignee: Matthew Ruffell (mruffell) => Vinicius Peixoto (vpeixoto)
** Changed in: linux (Ubuntu Jammy)
Assignee: Matthew Ruffell (mruffell) => Vinicius Peixoto (vpeixoto)
** Changed in: linux (Ubuntu Noble)
Assignee: Matthew Ruffell (mruffell) => Vinicius Peixoto (vpeixoto)
** Changed in: linux (Ubuntu Oracular)
Assignee: Matthew Ruffell (mruffell) => Vinicius Peixoto (vpeixoto)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2099914
Title:
CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials
cache
Status in cifs-utils package in Ubuntu:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in cifs-utils source package in Focal:
In Progress
Status in linux source package in Focal:
In Progress
Status in cifs-utils source package in Jammy:
In Progress
Status in linux source package in Jammy:
In Progress
Status in cifs-utils source package in Noble:
In Progress
Status in linux source package in Noble:
In Progress
Status in cifs-utils source package in Oracular:
In Progress
Status in linux source package in Oracular:
In Progress
Status in cifs-utils source package in Plucky:
Fix Released
Status in linux source package in Plucky:
Fix Released
Bug description:
BugLink: https://bugs.launchpad.net/bugs/2099914
[Impact]
This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
disclosing sensitive data from the host or container Kerberos credentials cache
by accessing the wrong credential cache that doesn't belong to the current user.
Consider the following scenario:
A CIFS/SMB file share is mounted on a host node using Kerberos
authentication.
During the session setup phase, the Linux kernel's cifs.ko module makes an
upcall to user space to retrieve the Kerberos service ticket from the credential
cache.
In typical (non-container) environments, this process works correctly, but in
containerized environments, the upcall may be directed to a different namespace
than intended, leading to issues. For example:
a) The file share is mounted on the host node at /mnt/testshare1, meaning the
Kerberos credential cache is stored in the host's namespace.
b) A Docker container is created, and the file share path /mnt/testshare1 is
exported to the container at /sharedpath.
c) When the service ticket expires and the SMB connection is lost, before the
ticket is refreshed in the credential cache, an application inside the container
performs a file operation. This triggers the kernel to attempt a session
reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
the cifs.upcall binary using the request_key function. However, cifs.upcall
switches to the namespace of the caller (i.e., the container), causing it to
attempt to read the credential cache from the container's namespace. But since
the original mount happened in the host namespace, the credential cache is
located on the host, not in the container. This results in the upcall failing
to access the correct credential cache, or accessing a credential cache which
doesn't belong to the correct user.
[Fix]
The fix adds an "upcall_target" mount parameter that needs to be present in both
the kernel and cifs-utils. "upcall_target" specifies what namespace to find the
Kerberos credential cache in, and takes the options "mount", being the host
namespace, or "app", being the container namespace. The language is intended to
suit Kubernetes based use cases.
The kernel requires the following commit:
commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Date: Mon Nov 11 11:43:51 2024 +0000
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
cherry pick, noble and jammy require a context adjustment backport and focal
needed a heavy backport.
Test packages are available in the following ppa:
<>
In addition, a userspace fix is also needed in cifs-utils, with the following
commits:
commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Date: Tue, 19 Nov 2024 06:07:58 +0000
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Date: Thu, 30 Jan 2025 14:13:10 +0000
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
These were a part of 7.2 upstream. Plucky already has this release, so we just
need to fix oracular, noble, jammy and focal.
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
If you install the test packages, you can now use the upcall_target argument
with either "mount" or "app" options.
[Testcase]
Deploy a fresh VM.
[Where problems can occur]
We are adding a new mount option to cifs in both the kernel and in
cifs-utils.
Existing cifs-utils packages need to not break when making upcalls to kernels
that have this new upcall_target option, and existing kernels need to not break
when using new cifs-utils packages that set upcall_target without the necessary
in kernel support.
We need to be careful to test three scenarios:
* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils
If a regression were to occur, it could affect mounting of cifs / smb shares and
users would not be able to access their data.
Additionally, if a regression were to occur, we could also further confuse what
namespace is to be used for accessing the user's kerberos credentials cache,
which could disclose data from the host or container namespace to the incorrect
namespace.
[Other info]
CVE-2025-2312
https://ubuntu.com/security/CVE-2025-2312
https://nvd.nist.gov/vuln/detail/CVE-2025-2312
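The following is an audit helper added by the editor; it is not from the bug
report, from the Ubuntu packages, or from cifs-utils. It goes with the [Fix] and
[Where problems can occur] sections above: once the patched kernel and cifs-utils
are installed, an operator wants to know which Kerberos-authenticated CIFS mounts
(sec=krb5, krb5i or krb5p, the only ones that go through cifs.upcall for a
service ticket) actually carry upcall_target, and which are still left to the
namespace-switching behaviour the report describes. The script reads mount-table
lines in /proc/self/mounts format and reports one finding per Kerberos CIFS
mount. Assumptions, labelled in the comments: the patched kernel lists
upcall_target in /proc/self/mounts alongside its other options, the spellings are
exactly "upcall_target=mount" and "upcall_target=app", and a mount with no
upcall_target is treated as "not pinned" rather than mapped to a particular
default. The mount table embedded in the block is constructed sample data, not
captured from a real system.

```shell
#!/bin/sh
# Editor-added example, not code from the bug report or from cifs-utils.
# Audits a mount table for Kerberos CIFS mounts and reports whether each one
# pins the cifs.upcall namespace with the upcall_target mount option.
#
# Assumption: the patched kernel shows upcall_target=mount / upcall_target=app
# in /proc/self/mounts like its other cifs options. A mount without the option
# is reported as "not pinned"; no particular kernel default is assumed.

# Constructed sample in /proc/self/mounts format (not from a real host).
# Fields: source mountpoint fstype options dump pass.
# Note: a real /proc/mounts escapes spaces in paths as \040.
sample_mount_table() {
    cat <<'EOF'
//fileserver.example.com/share1 /mnt/testshare1 cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1000,cache=strict 0 0
//fileserver.example.com/share2 /mnt/pinned cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1000,upcall_target=mount 0 0
//fileserver.example.com/share3 /mnt/appns cifs rw,relatime,vers=3.1.1,sec=krb5p,cruid=1000,upcall_target=app 0 0
//fileserver.example.com/share4 /srv/ntlm cifs rw,relatime,vers=3.1.1,sec=ntlmssp,user=svc 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Read mount-table lines on stdin and print one finding per Kerberos CIFS
# mount. Returns 1 if any such mount has no upcall_target at all, else 0.
audit_cifs_mounts() {
    found=0
    while read -r _src mnt fstype opts _rest; do
        case "$fstype" in
            cifs|smb3) ;;
            *) continue ;;
        esac
        # Only Kerberos mounts ask cifs.upcall for a service ticket; NTLM and
        # password mounts never touch a credential cache.
        case ",$opts," in
            *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) ;;
            *) continue ;;
        esac
        case ",$opts," in
            *,upcall_target=mount,*)
                echo "$mnt: ok, cifs.upcall uses the namespace the share was mounted from" ;;
            *,upcall_target=app,*)
                echo "$mnt: info, cifs.upcall follows the namespace of the process that triggered the upcall" ;;
            *)
                echo "$mnt: WARNING, upcall_target not set; credential cache namespace is not pinned (see CVE-2025-2312)"
                found=1 ;;
        esac
    done
    return "$found"
}

# Live use (no root needed, /proc/self/mounts is world-readable):
#   audit_cifs_mounts < /proc/self/mounts
# Run against the constructed sample; the "if" keeps a non-zero audit result
# from aborting a caller that runs with set -e.
if sample_mount_table | audit_cifs_mounts; then
    echo "all Kerberos CIFS mounts carry upcall_target"
else
    echo "one or more Kerberos CIFS mounts lack upcall_target"
fi
```

Run on a host that bind-mounts a Kerberos CIFS share into containers, the
WARNING lines are the mounts to remount with upcall_target=mount (host-side
credential cache) or upcall_target=app (cache inside the container), whichever
matches where kinit actually runs. The script only inspects the mount table; it
does not tell you whether the running kernel and cifs-utils both accept the
option, which is the compatibility matrix the [Where problems can occur] section
asks to be tested.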
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions