David Disseldorp

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue arises from ksmbd attempting to set atime and mtime via notify change without also setting ctime, resulting in a warning. This warning is triggered by the setattr copy function. The vulnerability is resolved by adding ATTR CTIME flags when setting mtime. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider disabling the `setattr copy` function until a patch is available. Restrict access to the `ksmbd` module to minimize the risk of exploitation. Avoid using the `notify change` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** The issue concerns a filename buffer overrun in the Linux kernel's initramfs. The initramfs filename field is defined with a specific format that includes a zero-terminator. However, when extracting an initramfs cpio archive, the kernel's path handler assumes a zero-terminated path, which can lead to the creation of a file with trailing characters representing uninitialized memory if a specially crafted cpio entry carries a non-zero-terminated filename. This ability to create an initramfs entry implies already having full control of the system, so the buffer overrun is not considered a security vulnerability. To observe the issue, one can append the output of a provided bash script to an existing initramfs and look for any created /initramfs test fname overrunAA* path. The script generates a cpio entry with a non-zero-terminated filename, followed by uninitialized memory. The easiest way to observe non-zero uninitialized memory is when the output is gzipped, as it overflows the heap allocated buffer in gunzip(). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a NULL pointer dereference in the Linux kernel's scsi: target: core component. This occurs when the `target complete cmd()` function attempts to access the `se tpg wwn` pointer, which is NULL in the case of LIO's EXTENDED COPY worker. The vulnerability can be triggered by initiating an EXTENDED COPY operation, leading to a kernel NULL pointer dereference. Technical details include the `target complete cmd()` function and the `se tpg wwn` pointer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open-iSCSI tcmu-runner versions 1.3.x through 1.5.2 **Description** The issue allows remote attackers to read or write files via directory traversal in an XCOPY request, due to a lack of check for transport-layer restrictions in the xcopy locate udev function in tcmur cmd handler.c. This can occur if an attacker has access to one iSCSI LUN, potentially over a network. **Recommendations** For Open-iSCSI tcmu-runner versions 1.3.x through 1.5.2, consider restricting access to the xcopy locate udev function in tcmur cmd handler.c until a patch is available. As a temporary workaround, restrict the use of XCOPY requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.10.7 **Description** The issue is related to insufficient identifier checking in the LIO SCSI target code, which can be exploited by remote attackers to read or write files via directory traversal in an XCOPY request. This can occur over a network if the attacker has access to one iSCSI LUN, allowing them to gain control over file access because I/O operations are proxied via an attacker-selected backstore. **Recommendations** For Linux kernel versions prior to 5.10.7, update to version 5.10.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `target core xcopy.c` driver or disabling the XCOPY request functionality until a patch is available. Restrict access to iSCSI LUNs to minimize the risk of exploitation.