CVE-2022-2196 – Speculative execution attacks in KVM VMX
https://notcve.org/view.php?id=CVE-2022-2196
A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a A flaw was found in the KVM's Intel nested virtualization feature (nVMX). Since L1 and L2 shared branch prediction modes (guest-user and guest-kernel), KVM did not protect indirect branches in L1 from steering by a malicious agent in L2. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5 https://kernel.dance/#2e7eab81425a https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://access.redhat.com/security/cve/CVE-2022-2196 https://bugzilla.redhat.com/show_bug.cgi?id=2160023 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVE-2022-4378 – kernel: stack overflow in do_proc_dointvec and proc_skip_spaces
https://notcve.org/view.php?id=CVE-2022-4378
A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. • http://packetstormsecurity.com/files/171289/Kernel-Live-Patch-Security-Notice-LNS-0092-1.html https://bugzilla.redhat.com/show_bug.cgi?id=2152548 https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-6.0/proc-avoid-integer-type-confusion-in-get_proc_long.patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-6.0/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch https://seclists.org/oss-sec/202 • CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVE-2022-47943 – Linux Kernel ksmbd Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-47943
An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case. Se descubrió un problema en ksmbd en el kernel de Linux 5.15 a 5.19 anterior a 5.19.2. Hay una lectura fuera de los límites y OOPS para SMB2_WRITE, cuando hay una longitud grande en el caso de DataOffset cero. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Linux Kernel. • http://www.openwall.com/lists/oss-security/2022/12/23/10 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.2 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ac60778b87e45576d7bfdbd6f53df902654e6f09 https://github.com/torvalds/linux/commit/ac60778b87e45576d7bfdbd6f53df902654e6f09 https://security.netapp.com/advisory/ntap-20230216-0006 https://www.zerodayinitiative.com/advisories/ZDI-22-1691 • CWE-125: Out-of-bounds Read •
CVE-2022-47940
https://notcve.org/view.php?id=CVE-2022-47940
An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write. • http://www.openwall.com/lists/oss-security/2022/12/23/10 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.18.18 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=158a66b245739e15858de42c0ba60fcf3de9b8e6 https://github.com/torvalds/linux/commit/158a66b245739e15858de42c0ba60fcf3de9b8e6 • CWE-125: Out-of-bounds Read •
CVE-2022-47946
https://notcve.org/view.php?id=CVE-2022-47946
An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq. Se descubrió un problema en el kernel de Linux 5.10.x anterior a 5.10.155. • http://www.openwall.com/lists/oss-security/2022/12/27/1 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.161&id=0f544353fec8e717d37724d95b92538e1de79e86 https://www.openwall.com/lists/oss-security/2022/12/22/2 • CWE-416: Use After Free •