CVE-2021-45100
https://notcve.org/view.php?id=CVE-2021-45100
The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption. El servidor ksmbd versiones hasta 3.4.2, usado en el kernel de Linux hasta la versión 5.15.8, a veces se comunica en texto sin cifrar aunque se haya habilitado el cifrado. Esto ocurre porque establece la bandera SMB2_GLOBAL_CAP_ENCRYPTION cuando es usado el protocolo SMB 3.1.1, lo cual es una violación de la especificación del protocolo SMB. • https://github.com/cifsd-team/ksmbd/issues/550 https://github.com/cifsd-team/ksmbd/pull/551 https://marc.info/?l=linux-kernel&m=163961726017023&w=2 https://security.netapp.com/advisory/ntap-20220107-0001 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2021-4044 – Invalid handling of X509_verify_cert() internal errors in libssl
https://notcve.org/view.php?id=CVE-2021-4044
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. • https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=758754966791c537ea95241438454aa86f91f256 https://security.netapp.com/advisory/ntap-20211229-0003 https://www.openssl.org/news/secadv/20211214.txt • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2018-25020
https://notcve.org/view.php?id=CVE-2018-25020
The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This affects kernel/bpf/core.c and net/core/filter.c. El subsistema BPF en el kernel de Linux versiones anteriores a 4.17, maneja inapropiadamente las situaciones con un salto largo sobre una secuencia de instrucciones donde las instrucciones internas requieren expansiones sustanciales en múltiples instrucciones BPF, conllevando a un desbordamiento. Esto afecta a los archivos kernel/bpf/core.c y net/core/filter.c • http://packetstormsecurity.com/files/165477/Kernel-Live-Patch-Security-Notice-LSN-0083-1.html https://github.com/torvalds/linux/commit/050fad7c4534c13c8eb1d9c2ba66012e014773cb https://security.netapp.com/advisory/ntap-20211229-0005 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2021-3772 – kernel: sctp: Invalid chunks may be used to remotely remove existing associations
https://notcve.org/view.php?id=CVE-2021-3772
A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses. Se ha encontrado un fallo en la pila SCTP de Linux. Un atacante ciego puede ser capaz de matar una asociación SCTP existente mediante trozos no válidos si el atacante conoce las direcciones IP y los números de puerto que están siendo usados y el atacante puede enviar paquetes con direcciones IP falsas • https://bugzilla.redhat.com/show_bug.cgi?id=2000694 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=32f8807a48ae55be0e76880cfe8607a18b5bb0df https://github.com/torvalds/linux/commit/32f8807a48ae55be0e76880cfe8607a18b5bb0df https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html https://security.netapp.com/advisory/ntap-20221007-0001 https://ubuntu.com/security/CVE-2021-3772 https://www.debian.org/security/2022/dsa-5096 https://www.oracle.com/security-alerts/cp • CWE-354: Improper Validation of Integrity Check Value •
CVE-2021-43976 – kernel: mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker to cause DoS via crafted USB device
https://notcve.org/view.php?id=CVE-2021-43976
In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic). En el kernel de Linux versiones hasta 5.15.2, la función mwifiex_usb_recv en el archivo drivers/net/wireless/marvell/mwifiex/usb.c permite a un atacante (que puede conectar un dispositivo USB diseñado) causar una denegación de servicio (skb_over_panic) A denial of service flaw was found in mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c in the usb subsystem of the Linux kernel. This is due to a missing clean-up for a malfunctioning usb device with an unknown recv_type. • https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04d80663f67ccef893061b49ec8a42ff7045ae84 https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X24M7KDC4OJOZNS3RDSYC7ELNELOLQ2N https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YODMYMGZYDXQKGJGX7TJG4XV4L5YLLBD https://patchwork.kernel.org/projec • CWE-459: Incomplete Cleanup •