Florent Saudel

**Name of the Vulnerable Software and Affected Versions** Sante PACS Server (affected versions not specified) **Description** This issue allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server. Authentication is not required to exploit this issue. The specific flaw exists within the processing of HTTP requests on port 3000. When parsing the `token` parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this issue to execute code in the context of NETWORK SERVICE. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Sante PACS Server PG (affected versions not specified) **Description** This issue allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server PG. Authentication is not required to exploit this issue. The specific flaw exists within the implementation of the DICOM service, which listens on TCP port 11122 by default. When parsing the `NAME` element of the `PATIENT` record, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this issue to execute code in the context of NETWORK SERVICE. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 3.1.x through 3.1.16 **Description** A Type Confusion issue was found in the Spotlight RPC functions in afpd. The problem arises when parsing Spotlight RPC packets, specifically with a key-value style dictionary where keys are character strings and values can be any supported type. Due to a lack of type checking in callers of the `dalloc value for key()` function, a malicious actor may be able to control the value of the pointer, potentially achieving Remote Code Execution on the host. **Recommendations** For Netatalk versions 3.1.x through 3.1.16, update to version 3.1.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the Spotlight RPC functions in afpd to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Samba (affected versions not specified) **Description** The issue is related to the `sl unpack loop()` function in Samba's mdssvc RPC service for Spotlight. It does not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the function will run in an endless loop consuming 100% CPU. This allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Samba (affected versions not specified) **Description** A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the `dalloc value for key()` function, which returns the object associated with a key, a caller may trigger a crash in `talloc get size()` when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Advantech WebAccess/SCADA versions prior to 9.1.4 **Description** The issue is related to the use of untrusted pointers in the software. Specifically, the RPC arguments sent by the client could contain raw memory pointers that the server uses as-is. This could allow an attacker to gain access to the remote file system, enabling them to execute commands and overwrite files. **Recommendations** For versions prior to 9.1.4, update to version 9.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the RPC functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** A use-after-free issue exists in the Linux kernel's ksmbd module, specifically in the `fs/ksmbd/smb2pdu.c` file, related to the `SMB2 TREE DISCONNECT` command. This issue can be exploited by a remote attacker to execute arbitrary code on vulnerable Linux kernel versions. The ksmbd server, which implements the SMB3 protocol in the kernel for network file sharing, is affected when it handles `SMB2 TREE DISCONNECT` commands without properly checking the existence of an object before performing operations on it. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider disabling the ksmbd server until a patch is available. Restrict access to the `SMB2 TREE DISCONNECT` command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** The issue is related to a heap-based buffer overflow in the Linux kernel's ksmbd subsystem, specifically in the set ntacl dacl function. This overflow is connected to the use of `SMB2 QUERY INFO HE` after a malformed `SMB2 SET INFO HE` command. The exploitation of this issue could allow a remote attacker to execute arbitrary code. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `set ntacl dacl` function and the `SMB2 QUERY INFO HE` and `SMB2 SET INFO HE` commands until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** The issue is related to the `smb2 write` function in the `ksmbd` module of the Linux kernel, which is vulnerable to an out-of-bounds read in memory. This can allow a remote attacker to disclose protected information or cause a denial of service. The vulnerability occurs when there is a large length in the zero `DataOffset` case for `SMB2 WRITE`. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ksmbd` module or disabling the `smb2 write` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** An issue was discovered in ksmbd in the Linux kernel, related to a memory leak due to the omission of a `kfree` call in certain `smb2 handle negotiate` error conditions. This can be exploited by a remote attacker to cause a denial-of-service when handling SMB2 NEGOTIATE requests. The vulnerable code is located in `fs/ksmbd/smb2pdu.c`. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `smb2 handle negotiate` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** The issue is related to an out-of-bounds read in the Linux kernel's ksmbd subsystem, specifically in the fs/ksmbd/smb2misc.c file. This occurs when handling the SMB2 TREE CONNECT operation. Exploitation of this issue can allow a remote attacker to cause a denial of service. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the SMB2 TREE CONNECT operation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Sante PACS Server version 3.0.4 **Description** This issue allows remote attackers to bypass authentication on affected installations. The flaw exists within the processing of calls to the "login endpoint". When parsing the `username` element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this issue to bypass authentication on the system. **Recommendations** For Sante PACS Server version 3.0.4, consider disabling the login endpoint until a patch is available to prevent exploitation. Restrict access to the SQL query construction process to minimize the risk of authentication bypass. Avoid using the `username` element in the affected login endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.