CIFSwitch: A non-universal Linux local root vulnerability (heyitsas.im)

🤖 AI Summary
A new vulnerability, identified as CIFSwitch, has been discovered in specific Linux distributions; it allows local privilege escalation (LPE) through a flaw rooted in the CIFS (Common Internet File System) kernel module. The researchers used large language models (LLMs) to improve the multi-hop reasoning needed to uncover the vulnerability, reconstructing higher-level abstractions of how the kernel and userspace interact. The flaw arises from the kernel's failure to validate the origin of the cifs.spnego key object, which lets an attacker supply malicious key descriptions that can lead to unauthorized root access. The significance of CIFSwitch lies in its demonstration of how LLMs can enhance vulnerability discovery, a promising approach that merges machine learning with traditional security practice. The vulnerability affects various Linux distributions that ship certain versions of cifs-utils, and a workaround is required to mitigate the risk. The fix patches the kernel so that key descriptions are validated, but users are also advised to implement additional security measures, such as disabling unprivileged user namespaces and modifying request-key rules, to strengthen their defenses against potential exploitation.