CVE-2021-45100

7.5 HIGH

📋 TL;DR

The ksmbd SMB server in Linux kernels up to 5.15.8 incorrectly sets encryption flags when using SMB 3.1.1, causing Windows 10 clients to disable encryption and forcing communication in cleartext. This affects Linux systems running ksmbd with SMB 3.1.1 enabled and communicating with Windows 10 clients. Attackers on the network can intercept sensitive data that should be encrypted.

💻 Affected Systems

Products:
  • ksmbd server
  • Linux kernel with ksmbd
Versions: ksmbd through 3.4.2, Linux kernel through 5.15.8
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using ksmbd with SMB 3.1.1 protocol and communicating with Windows 10 clients. Other SMB clients may not trigger the encryption disable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full interception of all SMB traffic including authentication credentials, sensitive files, and administrative commands, leading to complete system compromise.

🟠

Likely Case

Interception of file transfers and authentication data when Windows 10 clients connect to vulnerable ksmbd servers, potentially exposing sensitive information.

🟢

If Mitigated

Limited exposure if traffic is isolated on trusted networks or additional encryption layers (like VPNs) are used.

🌐 Internet-Facing: HIGH - Any internet-exposed ksmbd server with Windows 10 clients is vulnerable to traffic interception.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems on the same network can intercept sensitive SMB communications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to intercept traffic but no authentication. The vulnerability is protocol-level and can be exploited by any network sniffer when conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.15.9+ or ksmbd patches from upstream

Vendor Advisory: https://github.com/cifsd-team/ksmbd/pull/551

Restart Required: Yes

Instructions:

1. Update the Linux kernel to 5.15.9 or later.
2. Alternatively, apply the ksmbd patch from upstream.
3. Reboot the system to load the patched kernel module.

🔧 Temporary Workarounds

Disable SMB 3.1.1

Platform: linux

Cap ksmbd at SMB 3.0 so that Windows 10 clients never negotiate the 3.1.1 dialect that triggers the encryption bug. The ceiling is a server-side setting in the ksmbd-tools configuration file, not a mount option; set it in the [global] section of /etc/ksmbd/ksmbd.conf and restart the ksmbd service:

server max protocol = SMB3_00

Note that 'vers=3.0' is a client-side mount.cifs option: adding it to /etc/fstab only caps Linux clients that mount the share, not the Windows 10 clients this issue concerns.

Use IPsec or VPN

Platform: all

Encrypt network traffic at a lower layer to protect SMB communications

🧯 If You Can't Patch

  • Isolate ksmbd servers to trusted network segments with strict access controls
  • Use Windows Server or Samba instead of ksmbd for SMB services

🔍 How to Verify

Check if Vulnerable:

Check kernel version with 'uname -r' and verify it's <= 5.15.8. Check if ksmbd is running with 'systemctl status ksmbd' or 'ps aux | grep ksmbd'.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is >= 5.15.9 and ksmbd service is restarted. Test SMB 3.1.1 connections with Windows 10 and verify encryption is maintained.
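The two checks above (kernel at or below 5.15.8, ksmbd present) can be automated. The script below is an added example, not part of this advisory: it compares the running kernel version numerically against the last affected release named on this page, tests for the ksmbd module via /sys/module (which also covers a built-in ksmbd), and prints a verdict. The function names and the exit-code convention are this example's own.

```sh
#!/bin/sh
# Added example for CVE-2021-45100: is this host running an affected kernel
# with ksmbd present? Threshold 5.15.8 comes from the advisory above.
LAST_AFFECTED="5.15.8"

# version_cmp A B: compare dotted versions field by field.
# Prints 0 if A == B, 1 if A > B, 2 if A < B (missing fields count as 0).
version_cmp() {
    # Keep only the numeric part ("5.15.8-arch1-1" -> "5.15.8") and append a
    # trailing dot so cut always sees a delimiter, even for "5".
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*//')."
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*//')."
    i=1
    while [ "$i" -le 8 ]; do   # kernel versions never have more than a few fields
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then echo 0; return 0; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then echo 1; return 0; fi
        if [ "$fa" -lt "$fb" ]; then echo 2; return 0; fi
        i=$((i + 1))
    done
    echo 0
}

# kernel_is_affected VERSION: succeeds (exit 0) when VERSION <= 5.15.8.
kernel_is_affected() {
    [ "$(version_cmp "$1" "$LAST_AFFECTED")" -ne 1 ]
}

# ksmbd_present: succeeds when the ksmbd module is loaded or built in.
ksmbd_present() {
    [ -d /sys/module/ksmbd ]
}

# assess VERSION yes|no: prints a verdict; exit 0 only when both conditions
# for exposure hold (affected kernel AND ksmbd present).
assess() {
    if kernel_is_affected "$1"; then
        if [ "$2" = yes ]; then
            echo "VULNERABLE: kernel $1 is <= $LAST_AFFECTED and ksmbd is present"
            return 0
        fi
        echo "AFFECTED KERNEL, ksmbd not present: kernel $1 is <= $LAST_AFFECTED"
        return 1
    fi
    echo "NOT AFFECTED: kernel $1 is newer than $LAST_AFFECTED"
    return 1
}

# Live check of the current host when the script is run directly.
assess "$(uname -r)" "$(ksmbd_present && echo yes || echo no)" || :
```

A kernel newer than 5.15.8 still passes on distributions that backported the fix to an older kernel line; on such systems, confirm the fix from the distribution's changelog or by testing an SMB 3.1.1 session from a Windows 10 client as described above.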

📡 Detection & Monitoring

Log Indicators:

  • Windows 10 client logs showing SMB encryption disabled
  • ksmbd logs showing SMB 3.1.1 connections

Network Indicators:

  • Cleartext SMB traffic on port 445 when encryption should be active
  • SMB2_GLOBAL_CAP_ENCRYPTION flag in SMB 3.1.1 negotiation

SIEM Query:

(source="ksmbd" AND "SMB3.1.1") OR (destination_port=445 AND protocol="SMB" AND NOT encrypted=true)
