oss-sec mailing list archives

5 Linux kernel ksmbd vulnerabilities

From: daniel <sd () x17 eu>
Date: Mon, 18 Mar 2024 21:59:12 +0100

Recently two batches of Linux kernel ksmbd vulnerabilities became public.

Please find here an overview, the attached ZDI information and thecorresponding links to the Linux kernel cve announce messages withfurther information.


###
##      batch one
###
CVE            Link
--------------+---------------------------------------------------------+-----
CVE-2024-26594 https://www.zerodayinitiative.com/advisories/ZDI-24-194/
CVE-2024-26592 https://www.zerodayinitiative.com/advisories/ZDI-24-195/

Vendor notified: 2024-01-11
Coordinated public release date: 2024-02-23

Fixed in following kernels:
Fixed in 6.1.75
Fixed in 6.6.14
Fixed in 6.7.2
Fixed in 6.8-rc1

https://lore.kernel.org/linux-cve-announce/2024022259-CVE-2024-26592-58f7@gregkh/T/#u
https://lore.kernel.org/linux-cve-announce/2024022325-CVE-2024-26594-1cbc%40gregkh/

###
##      batch two
###
CVE            Link
--------------+---------------------------------------------------------+-----
CVE-2023-52442 https://www.zerodayinitiative.com/advisories/ZDI-24-227/
CVE-2023-52441 https://www.zerodayinitiative.com/advisories/ZDI-24-228/
CVE-2023-52440 https://www.zerodayinitiative.com/advisories/ZDI-24-229/

Vendor notified: 2023-07-18 - 2023-08-24
Coordinated public release date: 2024-03-01

Fixed in following kernels:
Fixed in 5.15.145
Fixed in 6.1.53
Fixed in 6.4.16
Fixed in 6.5

https://lore.kernel.org/linux-cve-announce/2024022132-unvented-arguably-5ea9@gregkh/T/#u
https://lore.kernel.org/linux-cve-announce/2024022129-gently-activity-ca7d@gregkh/T/#u
https://lore.kernel.org/linux-cve-announce/2024022123-glance-wrinkle-26c1@gregkh/T/#u

###
##      links to reports of older ksmbd vulnerabilities
###
https://www.openwall.com/lists/oss-security/2023/01/04/1
https://www.openwall.com/lists/oss-security/2022/12/22/8

Attachment: ZDI-24-194-ZDI-CAN-22890-CVE-2024-26594.txt
Description:

Attachment: ZDI-24-195-ZDI-CAN-22991-CVE-2024-26592.txt
Description:

Attachment: ZDI-24-227-ZDI-CAN-21506-CVE-2023-52442.txt
Description:

Attachment: ZDI-24-228-ZDI-CAN-21541-CVE-2023-52441.txt
Description:

Attachment: ZDI-24-229-ZDI-CAN-21940-CVE-2023-52440.txt
Description:

Current thread:

5 Linux kernel ksmbd vulnerabilities daniel (Mar 18)
- Re: 5 Linux kernel ksmbd vulnerabilities Alexander E. Patrakov (Mar 18)
  - Re: 5 Linux kernel ksmbd vulnerabilities Hauke Mehrtens (Mar 20)