CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26585 – tls: fix race between tx work scheduling and socket close
https://notcve.org/view.php?id=CVE-2024-26585
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige la ejecución entre la programación de trabajo de transmisión y el cierre del socket De manera similar a el commit anterior, el hilo de envío (recvmsg/sendmsg) puede cerrarse tan pronto como el controlador de cifrado asíncrono llame a complete(). Reordene la programación del trabajo antes de llamar a complete(). En primer lugar, esto parece más lógico, ya que es el orden inverso de lo que hará el hilo de envío. A race condition vulnerability was found in the tls subsystem of the Linux kernel. • https://git.kernel.org/stable/c/a42055e8d2c30d4decfc13ce943d09c7b9dad221 https://git.kernel.org/stable/c/dd32621f19243f89ce830919496a5dcc2158aa33 https://git.kernel.org/stable/c/196f198ca6fce04ba6ce262f5a0e4d567d7d219d https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146 https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57 https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb https://access.redhat.com/security/cve/CVE-2024-26585 https://bugzilla.redhat.com/show_bug.cgi?id=2265517 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26584 – net: tls: handle backlogging of crypto requests
https://notcve.org/view.php?id=CVE-2024-26584
In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tls: manejar el retraso de solicitudes criptográficas Dado que estamos configurando el indicador CRYPTO_TFM_REQ_MAY_BACKLOG en nuestras solicitudes a la API criptográfica, crypto_aead_{encrypt,decrypt} puede devolver -EBUSY en lugar de - EINPROGRESS en situaciones válidas. • https://git.kernel.org/stable/c/a54667f6728c2714a400f3c884727da74b6d1717 https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368 https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72 https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754 https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694 https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3 https://access.redhat.com/security/cve/CVE-2024-26584 https://bugzilla.redhat.com/show_bug.cgi?id=2265519 • CWE-393: Return of Wrong Status Code CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52442 – ksmbd: validate session id and tree id in compound request
https://notcve.org/view.php?id=CVE-2023-52442
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate session id and tree id in compound request `smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session() will always return the first request smb2 header in a compound request. if `SMB2_TREE_CONNECT_HE` is the first command in compound request, will return 0, i.e. The tree id check is skipped. This patch use ksmbd_req_buf_next() to get current command in compound. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: validar la identificación de la sesión y la identificación del árbol en la solicitud compuesta `smb2_get_msg()` en smb2_get_ksmbd_tcon() y smb2_check_user_session() siempre devolverá el encabezado smb2 de la primera solicitud en una solicitud compuesta. si `SMB2_TREE_CONNECT_HE` es el primer comando en la solicitud compuesta, devolverá 0, es decir, se omite la verificación de identificación del árbol. Este parche usa ksmbd_req_buf_next() para obtener el comando actual en compuesto. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Linux Kernel. • https://git.kernel.org/stable/c/017d85c94f02090a87f4a473dbe0d6ee0da72693 https://git.kernel.org/stable/c/becb5191d1d5fdfca0198a2e37457bbbf4fe266f https://git.kernel.org/stable/c/4c2b350b2e269e3fd17bbfa42de1b42775b777ac https://git.kernel.org/stable/c/3df0411e132ee74a87aa13142dfd2b190275332e •
CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52441 – ksmbd: fix out of bounds in init_smb2_rsp_hdr()
https://notcve.org/view.php?id=CVE-2023-52441
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out of bounds in init_smb2_rsp_hdr() If client send smb2 negotiate request and then send smb1 negotiate request, init_smb2_rsp_hdr is called for smb1 negotiate request since need_neg is set to false. This patch ignore smb1 packets after ->need_neg is set to false. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrección fuera de los límites en init_smb2_rsp_hdr() Si el cliente envía una solicitud de negociación smb2 y luego envía una solicitud de negociación smb1, se llama a init_smb2_rsp_hdr para la solicitud de negociación smb1 ya que need_neg está configurado en falso. Este parche ignora los paquetes smb1 después de que ->need_neg se establece en falso. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Linux Kernel. • https://git.kernel.org/stable/c/5c0df9d30c289d6b9d7d44e2a450de2f8e3cf40b https://git.kernel.org/stable/c/330d900620dfc9893011d725b3620cd2ee0bc2bc https://git.kernel.org/stable/c/aa669ef229ae8dd779da9caa24e254964545895f https://git.kernel.org/stable/c/536bb492d39bb6c080c92f31e8a55fe9934f452b • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-52440 – ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()
https://notcve.org/view.php?id=CVE-2023-52440
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() If authblob->SessionKey.Length is bigger than session key size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes. cifs_arc4_crypt copy to session key array from SessionKey from client. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige el desbordamiento de slub en ksmbd_decode_ntlmssp_auth_blob() Si authblob->SessionKey.Length es mayor que el tamaño de la clave de sesión (CIFS_KEY_SIZE), puede ocurrir un desbordamiento de slub en los códigos de intercambio de claves. cifs_arc4_crypt copia a la matriz de claves de sesión desde SessionKey del cliente. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. The specific flaw exists within the processing of session keys. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. • https://git.kernel.org/stable/c/bd554ed4fdc3d38404a1c43d428432577573e809 https://git.kernel.org/stable/c/30fd6521b2fbd9b767e438e31945e5ea3e3a2fba https://git.kernel.org/stable/c/7f1d6cb0eb6af3a8088dc24b7ddee9a9711538c4 https://git.kernel.org/stable/c/ecd7e1c562cb08e41957fcd4b0e404de5ab38e20 https://git.kernel.org/stable/c/4b081ce0d830b684fdf967abc3696d1261387254 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •