SB2022122604 - Multiple vulnerabilities in Linux kernel ksmbd
Published: December 26, 2022
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2022-47943)
The vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to an out-of-bounds read in ksmbd caused by a large length in the zero DataOffset case of the SMB2_WRITE call. A remote user can send a specially crafted request to the ksmbd daemon, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
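The defect class described for CVE-2022-47943 is a payload length that is trusted without being compared against the bytes actually received. The following C model is an added illustration and is not ksmbd's code or the referenced fix commit; the header and fixed-part sizes, the `write_req` fields and the function names are assumptions chosen only to show the check a server needs in the DataOffset == 0 case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the SMB2 WRITE request layout; the field
 * names and sizes here are assumptions for illustration, not ksmbd's structs. */
#define SMB2_HDR_LEN     64u  /* size of the SMB2 header */
#define WRITE_FIXED_LEN  48u  /* fixed part of the WRITE request body */

struct write_req {
    uint16_t data_offset;  /* payload offset from the SMB2 header; 0 = "follows the fixed part" */
    uint32_t length;       /* payload byte count claimed by the client */
};

/* Vulnerable pattern: the payload start is resolved correctly for the
 * DataOffset == 0 case, but `length` is never compared with the number of
 * bytes actually received, so a large client-supplied length makes the
 * server read past the end of the PDU. */
static const unsigned char *
write_payload_unchecked(const unsigned char *pdu, const struct write_req *req)
{
    if (req->data_offset == 0)
        return pdu + SMB2_HDR_LEN + WRITE_FIXED_LEN;
    return pdu + req->data_offset;
}

/* Hardened pattern: resolve the payload start the same way, then require
 * that [start, start + length) lies inside the `pdu_len` bytes received. */
static bool
write_request_ok(size_t pdu_len, uint16_t data_offset, uint32_t length)
{
    size_t start = data_offset == 0 ? SMB2_HDR_LEN + WRITE_FIXED_LEN
                                    : (size_t)data_offset;

    if (start < SMB2_HDR_LEN + WRITE_FIXED_LEN)  /* payload may not overlap the headers */
        return false;
    if (start > pdu_len)                          /* start itself is outside the PDU */
        return false;
    /* subtraction form avoids overflow in start + length */
    return (size_t)length <= pdu_len - start;
}

static const unsigned char *
write_payload_checked(const unsigned char *pdu, size_t pdu_len,
                      const struct write_req *req)
{
    if (!write_request_ok(pdu_len, req->data_offset, req->length))
        return NULL;  /* caller should answer with an error instead of copying */
    return write_payload_unchecked(pdu, req);  /* now safe: bounds verified */
}

int main(void)
{
    unsigned char pdu[120] = {0};  /* constructed 120-byte PDU: 64 + 48 + 8 bytes */
    struct write_req good = { .data_offset = 0, .length = 8 };
    struct write_req bad  = { .data_offset = 0, .length = 0xFFFFFFFFu };

    printf("length 8: %s\n",
           write_payload_checked(pdu, sizeof pdu, &good) ? "accepted" : "rejected");
    printf("length 0xFFFFFFFF: %s\n",
           write_payload_checked(pdu, sizeof pdu, &bad) ? "accepted" : "rejected");
    return 0;
}
```

The point of the model is that resolving the payload start correctly is not enough: the claimed `length` has to be bounded by what remains of the received PDU, and the comparison is written as `length <= pdu_len - start` so the check itself cannot overflow.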
2) Out-of-bounds read (CVE-ID: CVE-2022-47938)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in SMB2_TREE_CONNECT in fs/ksmbd/smb2misc.c. A remote user can send a specially crafted request to the ksmbd daemon, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
3) Heap-based buffer overflow (CVE-ID: CVE-2022-47942)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command. A remote user can send specially crafted data to the ksmbd daemon, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) Memory leak (CVE-ID: CVE-2022-47941)
The vulnerability allows a remote attacker to perform a DoS attack on the target system.
The vulnerability exists due to a memory leak in fs/ksmbd/smb2pdu.c in the Linux kernel ksmbd when handling certain smb2_handle_negotiate() error conditions. A remote attacker can force the system to leak memory and perform a denial of service (DoS) attack.
Remediation
Install the update from the vendor's website.
References
- https://github.com/torvalds/linux/commit/ac60778b87e45576d7bfdbd6f53df902654e6f09
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ac60778b87e45576d7bfdbd6f53df902654e6f09
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.2
- http://www.openwall.com/lists/oss-security/2022/12/23/10
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=824d4f64c20093275f72fc8101394d75ff6a249e
- https://github.com/torvalds/linux/commit/824d4f64c20093275f72fc8101394d75ff6a249e
- https://www.zerodayinitiative.com/advisories/ZDI-22-1689/
- https://github.com/torvalds/linux/commit/8f0541186e9ad1b62accc9519cc2b7a7240272a7
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8f0541186e9ad1b62accc9519cc2b7a7240272a7
- https://www.zerodayinitiative.com/advisories/ZDI-22-1688/
- https://github.com/torvalds/linux/commit/aa7253c2393f6dcd6a1468b0792f6da76edad917
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=aa7253c2393f6dcd6a1468b0792f6da76edad917
- https://www.zerodayinitiative.com/advisories/ZDI-22-1687/