CVE-2021-45100 in ksmbd

Summary

by MITRE • 12/16/2021

The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption.


Analysis

by VulDB Data Team • 08/17/2025

The ksmbd server vulnerability is an encryption-downgrade flaw in the in-kernel SMB server shipped with Linux through 5.15.8 (ksmbd through 3.4.2). It stems from how ksmbd advertises encryption during SMB 3.1.1 dialect negotiation: the server sets the SMB2_GLOBAL_CAP_ENCRYPTION bit in the Capabilities field of its NEGOTIATE response, a bit the SMB2 specification ties to the 3.0 and 3.0.2 dialects. A 3.1.1 server is expected to signal encryption support through an SMB2_ENCRYPTION_CAPABILITIES negotiate context instead. The result is a share that the administrator has configured as encrypted but whose traffic a Windows client may carry in cleartext, so the security control appears to be active while it is in fact ineffective.

The error sits in the negotiation phase, before any session is set up: ksmbd advertises encryption with the 3.0-era capability bit even when the negotiated dialect is 3.1.1. Windows 10 treats that combination as a protocol violation and responds by turning encryption off for the connection, so the encryption that was enabled on the server is silently bypassed and subsequent file data travels as plain SMB2 messages rather than inside SMB2 TRANSFORM_HEADER frames. No attacker action is needed to trigger the downgrade; any conforming Windows 10 client that connects to a vulnerable server produces it. VulDB classifies the weakness under CWE-310 (Cryptographic Issues).

The operational impact goes beyond a single misconfiguration: administrators who enabled SMB encryption on a ksmbd share to protect data in transit get no indication that Windows 10 clients are not actually encrypting, so an attacker positioned on the network path can eavesdrop on, or interpose on, share traffic that was assumed to be protected. What is exposed is the data exchanged after session setup (file contents, directory listings and metadata), since SMB 3 encryption wraps exactly those messages; the confidentiality and integrity guarantees that SMB 3 encryption normally provides for them are removed. The issue is specific to Linux hosts running ksmbd as a file server for Windows clients, because it is the Windows client's reaction to the violation that causes the downgrade.

Mitigation is to update to a kernel that carries the ksmbd fix (5.15.9 or later, or a ksmbd release newer than 3.4.2), where the server no longer sets SMB2_GLOBAL_CAP_ENCRYPTION for 3.1.1 and advertises encryption only through the SMB2_ENCRYPTION_CAPABILITIES negotiate context. Until then, administrators should verify what is on the wire rather than trusting the share configuration: capture a Windows 10 client's connection and confirm that the NEGOTIATE response for dialect 0x0311 does not carry Capabilities bit 0x40, and that traffic after SESSION_SETUP is wrapped in SMB2 TRANSFORM_HEADER frames (protocol id 0xFD 'S' 'M' 'B') rather than plain 0xFE 'S' 'M' 'B' messages. Network segmentation and restricting which hosts can reach the share limit what an eavesdropper on the path can collect. On the ATT&CK side, note that T1071.004 is Application Layer Protocol: DNS; the sub-technique named here, SMB/Windows Admin Shares, is T1021.002 (Remote Services), and the adversary activity this flaw actually enables is passive capture of share traffic, T1040 (Network Sniffing).
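As an added illustration (not code from this page, from ksmbd or from VulDB), the following Python script serializes two constructed SMB2 NEGOTIATE responses in the MS-SMB2 2.2.4 layout, one shaped like the vulnerable ksmbd offer for dialect 3.1.1 (Capabilities bit 0x40 set alongside the encryption context) and one shaped like the corrected offer (bit cleared, encryption advertised only via the SMB2_ENCRYPTION_CAPABILITIES context), then runs the wire-level check described above over each. The message bytes are constructed here, not captured from a real server; the field layout and constants are from MS-SMB2; the function names, the returned labels and the GUID and salt values are assumptions of this example.

```python
"""Check an SMB2 NEGOTIATE response for the CVE-2021-45100 downgrade pattern.

MS-SMB2 ties SMB2_GLOBAL_CAP_ENCRYPTION (0x40) in the NEGOTIATE response to the
3.0 / 3.0.2 dialects; a 3.1.1 server advertises encryption through an
SMB2_ENCRYPTION_CAPABILITIES negotiate context instead. All messages below are
constructed in this script (not captured); function and label names are mine.
"""
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"            # plain SMB2 header
SMB2_TRANSFORM_MAGIC = b"\xfdSMB"  # TRANSFORM_HEADER: every encrypted SMB 3.x frame
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB311 = 0x0311
SMB2_GLOBAL_CAP_ENCRYPTION = 0x00000040
SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001
SMB2_ENCRYPTION_CAPABILITIES = 0x0002
SMB2_ENCRYPTION_AES128_GCM = 0x0002
HDR_FMT = "<4sHHIHHIIQIIQ16s"   # 64-byte SMB2 header (MS-SMB2 2.2.1.2)
NEG_FMT = "<HHHH16sIIIIQQHHI"   # 64-byte fixed part of the NEGOTIATE response (2.2.4)


def _smb2_header(command):
    return struct.pack(HDR_FMT, SMB2_MAGIC, 64, 0, 0, command, 1,
                       SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\0" * 16)


def build_negotiate_response(dialect, capabilities, contexts=()):
    """Serialize a NEGOTIATE response; contexts is a list of (type, data) pairs."""
    ctx_offset = 128 if contexts else 0        # header + body, already 8-byte aligned
    body = struct.pack(NEG_FMT, 65, 0x0001, dialect, len(contexts), uuid.uuid4().bytes,
                       capabilities, 0x800000, 0x800000, 0x800000, 0, 0,
                       128, 0, ctx_offset)     # empty security buffer in this sample
    msg = _smb2_header(SMB2_NEGOTIATE) + body
    for i, (ctype, data) in enumerate(contexts):
        msg += struct.pack("<HHI", ctype, len(data), 0) + data
        if i < len(contexts) - 1:
            msg += b"\0" * (-len(msg) % 8)     # contexts are 8-byte aligned
    return msg


def parse_negotiate_response(msg):
    """Return (dialect, capabilities, [(context_type, data), ...])."""
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not a plain SMB2 message")
    if struct.unpack_from("<H", msg, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    fields = struct.unpack_from(NEG_FMT, msg, 64)
    if fields[0] != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    dialect, ctx_count, caps, ctx_off = fields[2], fields[3], fields[5], fields[13]
    contexts, off = [], ctx_off
    for _ in range(ctx_count):
        ctype, dlen, _reserved = struct.unpack_from("<HHI", msg, off)
        contexts.append((ctype, msg[off + 8:off + 8 + dlen]))
        off = (off + 8 + dlen + 7) & ~7
    return dialect, caps, contexts


def check_negotiate_response(msg):
    """Label a NEGOTIATE response the way a strict SMB 3.1.1 client would see it."""
    dialect, caps, contexts = parse_negotiate_response(msg)
    cap_bit = bool(caps & SMB2_GLOBAL_CAP_ENCRYPTION)
    enc = [d for t, d in contexts if t == SMB2_ENCRYPTION_CAPABILITIES]
    if dialect < 0x0300:
        return "no-encryption"           # SMB 2.x dialects have no encryption at all
    if dialect != SMB311:
        return "encrypted-30x" if cap_bit else "no-encryption"   # 3.0/3.0.2 use the bit
    if cap_bit:
        return "cve-2021-45100"          # 3.1.1 plus the legacy bit: Windows 10 downgrades
    if enc:
        count = struct.unpack_from("<H", enc[0], 0)[0]
        ciphers = struct.unpack_from("<%dH" % count, enc[0], 2)
        if any(ciphers):                 # cipher id 0 means "no common cipher"
            return "encrypted-311"
    return "no-encryption"


def is_encrypted_frame(data):
    """True if a wire frame is wrapped in a TRANSFORM_HEADER, i.e. actually encrypted."""
    return data[:4] == SMB2_TRANSFORM_MAGIC


# Constructed contexts: SHA-512 preauth integrity with a fixed salt, AES-128-GCM chosen.
PREAUTH_CTX = struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32
ENC_CTX = struct.pack("<HH", 1, SMB2_ENCRYPTION_AES128_GCM)
CONTEXTS = [(SMB2_PREAUTH_INTEGRITY_CAPABILITIES, PREAUTH_CTX),
            (SMB2_ENCRYPTION_CAPABILITIES, ENC_CTX)]

# Constructed: the ksmbd <= 3.4.2 shape (3.1.1 with the legacy bit set) and the fixed shape.
VULNERABLE_RESPONSE = build_negotiate_response(SMB311, SMB2_GLOBAL_CAP_ENCRYPTION, CONTEXTS)
FIXED_RESPONSE = build_negotiate_response(SMB311, 0, CONTEXTS)

if __name__ == "__main__":
    for name, m in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        d, c, _ = parse_negotiate_response(m)
        print("%-10s dialect=0x%04x caps=0x%08x -> %s" % (name, d, c, check_negotiate_response(m)))
```

Against a real capture, feed the bytes of the server's NEGOTIATE response (without the 4-byte NetBIOS length prefix) to check_negotiate_response, and apply is_encrypted_frame to the frames that follow SESSION_SETUP: a vulnerable server produces "cve-2021-45100" and plain 0xFE frames; a fixed one produces "encrypted-311" and 0xFD frames.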

Reservation

12/16/2021

Disclosure

12/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00905

KEV

no

Activities

very low

Sources
