macOS SMBClient Vulnerability Allows Remote Code Execution and Kernel Crash
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Multiple vulnerabilities in macOS SMBClient that could allow attackers to execute arbitrary code remotely and crash systems.
The vulnerabilities affecting the SMB filesystem client used for mounting remote file shares represent a significant security risk, as SMB has been the preferred file sharing protocol since macOS Big Sur.
Two of the flaws have been assigned CVE identifiers (CVE-2025-24269 and CVE-2025-24235), while the third remains unassigned.
Key Takeaways
1. Three critical vulnerabilities discovered in macOS SMBClient with CVE-2025-24269 and CVE-2025-24235 assigned.
2. Remote code execution possible through kernel heap overflow in SMB2 compression handling, allowing system compromise.
3. Authentication bypass and privilege escalation flaws enable memory corruption and unauthorized process termination, including system crashes.
4. Apple patches released with input validation fixes and access controls; users should update immediately and disable SMB services as mitigation.
Remote Kernel Heap Overflow
The most severe vulnerability, tracked as CVE-2025-24269, exists in the smb2_rq_decompress_read function within the smbfs.kext kernel extension.
The flaw occurs when processing compressed SMB2 data using chained compression algorithms, including SMB2_COMPRESSION_LZNT1, SMB2_COMPRESSION_LZ77, and SMB2_COMPRESSION_LZ77_HUFFMAN.
The vulnerability stems from insufficient validation of the compress_len parameter read from network data.
When the compression path is taken, the system fails to validate this length before performing a memory copy operation using md_get_mem and MB_MSYSTEM, which translates to a bcopy operation into compress_startp.
This creates a heap memory overflow condition where attackers can control both the overflow quantity and influence the size of the allocated memory being corrupted, potentially up to 32MB (2*kDefaultMaxIOSize).
The overflow occurs in buffers allocated via the SMB_MALLOC_DATA macro, which wraps kalloc_data, placing the corrupted memory in the xnu data heap.
The flaw has been fixed with comprehensive validation of the compress_len parameter before memory copy operations.
Kerberos Authentication Vulnerability
The second critical vulnerability, CVE-2025-24235, affects the Kerberos Helper component used during SMB session establishment.
The flaw resides in the _KRBDecodeNegTokenInit function, where a NegotiationToken union is declared on the stack but never properly initialized.
When the gss_decapsulate_token function fails during authentication, the code jumps to the free_negtoken_3 label, bypassing the initialization logic for the NegotiationToken structure.
This leads to _free_NegotiationToken being called on uninitialized memory, which ultimately invokes _asn1_free() using the uninitialized token type as a template to parse and free the garbage data.
This vulnerability can be triggered remotely through SMB URL handlers or the mount_smbfs command, potentially resulting in remote code execution.
The flaw has been addressed by implementing proper memory initialization using memset() before the NegotiationToken is used.
Local Privilege Escalation
The third vulnerability involves the SMBIOC_UPDATE_NOTIFIER_PID ioctl in the smbfs kernel module, which lacks proper permission checks.
This flaw allows any unprivileged process to register arbitrary process IDs with the kernel’s multichannel SMB notification system.
When an SMB filesystem unmounts, the kernel sends a SIGTERM signal to the registered PID using proc_signal().
Since there’s no verification that the calling process has permission to signal the target process, attackers can effectively send SIGTERM to any process on the system, including critical system processes like launchd, causing immediate system crashes.
For this privilege escalation flaw involving SMBIOC_UPDATE_NOTIFIER_PID, Apple has implemented entitlement-based access controls.
Security researchers Dave G. and Alex Radocea have been credited for disclosing three critical vulnerabilities in macOS SMBClient
Disabling SMB file sharing services reduces the attack surface by preventing remote connections to vulnerable SMB implementations.
Security experts recommend applying the patches immediately through macOS system updates.Organizations should prioritize testing and deployment of these fixes, particularly in environments with high SMB usage.
Regular security audits should verify that SMB configurations follow the principle of least privilege, with unnecessary services disabled.
#Cyber_Security #Cyber_Security_News #macOS #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
macOS SMBClient Vulnerability Allows Remote Code Execution and Kernel Crash
Author: Guru BaranMultiple vulnerabilities in macOS SMBClient that could allow attackers to execute arbitrary code remotely and crash systems.
The vulnerabilities affecting the SMB filesystem client used for mounting remote file shares represent a significant security risk, as SMB has been the preferred file sharing protocol since macOS Big Sur.
Two of the flaws have been assigned CVE identifiers (CVE-2025-24269 and CVE-2025-24235), while the third remains unassigned.
Key Takeaways
1. Three critical vulnerabilities discovered in macOS SMBClient with CVE-2025-24269 and CVE-2025-24235 assigned.
2. Remote code execution possible through kernel heap overflow in SMB2 compression handling, allowing system compromise.
3. Authentication bypass and privilege escalation flaws enable memory corruption and unauthorized process termination, including system crashes.
4. Apple patches released with input validation fixes and access controls; users should update immediately and disable SMB services as mitigation.
Remote Kernel Heap Overflow
The most severe vulnerability, tracked as CVE-2025-24269, exists in the smb2_rq_decompress_read function within the smbfs.kext kernel extension.
The flaw occurs when processing compressed SMB2 data using chained compression algorithms, including SMB2_COMPRESSION_LZNT1, SMB2_COMPRESSION_LZ77, and SMB2_COMPRESSION_LZ77_HUFFMAN.
The vulnerability stems from insufficient validation of the compress_len parameter read from network data.
When the compression path is taken, the system fails to validate this length before performing a memory copy operation using md_get_mem and MB_MSYSTEM, which translates to a bcopy operation into compress_startp.
This creates a heap memory overflow condition where attackers can control both the overflow quantity and influence the size of the allocated memory being corrupted, potentially up to 32MB (2*kDefaultMaxIOSize).
The overflow occurs in buffers allocated via the SMB_MALLOC_DATA macro, which wraps kalloc_data, placing the corrupted memory in the xnu data heap.
The flaw has been fixed with comprehensive validation of the compress_len parameter before memory copy operations.
Kerberos Authentication Vulnerability
The second critical vulnerability, CVE-2025-24235, affects the Kerberos Helper component used during SMB session establishment.
The flaw resides in the _KRBDecodeNegTokenInit function, where a NegotiationToken union is declared on the stack but never properly initialized.
When the gss_decapsulate_token function fails during authentication, the code jumps to the free_negtoken_3 label, bypassing the initialization logic for the NegotiationToken structure.
This leads to _free_NegotiationToken being called on uninitialized memory, which ultimately invokes _asn1_free() using the uninitialized token type as a template to parse and free the garbage data.
This vulnerability can be triggered remotely through SMB URL handlers or the mount_smbfs command, potentially resulting in remote code execution.
The flaw has been addressed by implementing proper memory initialization using memset() before the NegotiationToken is used.
Local Privilege Escalation
The third vulnerability involves the SMBIOC_UPDATE_NOTIFIER_PID ioctl in the smbfs kernel module, which lacks proper permission checks.
This flaw allows any unprivileged process to register arbitrary process IDs with the kernel’s multichannel SMB notification system.
When an SMB filesystem unmounts, the kernel sends a SIGTERM signal to the registered PID using proc_signal().
Since there’s no verification that the calling process has permission to signal the target process, attackers can effectively send SIGTERM to any process on the system, including critical system processes like launchd, causing immediate system crashes.
For this privilege escalation flaw involving SMBIOC_UPDATE_NOTIFIER_PID, Apple has implemented entitlement-based access controls.
Security researchers Dave G. and Alex Radocea have been credited for disclosing three critical vulnerabilities in macOS SMBClient
Disabling SMB file sharing services reduces the attack surface by preventing remote connections to vulnerable SMB implementations.
Security experts recommend applying the patches immediately through macOS system updates.Organizations should prioritize testing and deployment of these fixes, particularly in environments with high SMB usage.
Regular security audits should verify that SMB configurations follow the principle of least privilege, with unnecessary services disabled.
#Cyber_Security #Cyber_Security_News #macOS #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
