Michael Hanselmann

**Name of the Vulnerable Software and Affected Versions** usbredir versions prior to 0.11.0 **Description** A use-after-free issue was found in the `usbredirparser serialize()` function in `usbredirparser/usbredirparser.c`. This occurs when serializing large amounts of buffered write data, particularly in cases of slow or blocked destinations. The exploitation of this issue could allow an attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** For versions prior to 0.11.0, update to version 0.11.0 or later to resolve the issue. As a temporary workaround, consider disabling the `usbredirparser serialize()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** samba versions prior to 4.11.2 samba versions prior to 4.10.10 samba versions prior to 4.9.15 **Description** A flaw was found in the samba client where a malicious server can supply a pathname to the client with separators, allowing the client to access files and folders outside of the SMB network pathnames. This could enable an attacker to create files outside of the current working directory using the privileges of the client user. The issue is due to incorrect restriction of the directory path name with limited access. **Recommendations** For samba versions prior to 4.11.2, update to version 4.11.2 or later. For samba versions prior to 4.10.10, update to version 4.10.10 or later. For samba versions prior to 4.9.15, update to version 4.9.15 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 4.9.0 **Description** The issue concerns a relative paths injection in directory entry lists within the Linux kernel CIFS implementation. It is caused by incorrect restriction of the directory path name with limited access. Exploitation of this issue may allow a remote attacker to manipulate files in the client's directory. **Recommendations** For Linux kernel version 4.9.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Samba versions prior to 4.13.16 **Description** The issue allows a malicious client to create a directory in an area of the server file system not exported under the share definition by using an SMB1 or NFS race. This can happen if SMB1 is enabled or the share is also available via NFS. The vulnerability is related to the unix extensions of SMB1 and NFS in the Samba package, which is caused by incorrect synchronization during concurrent execution. **Recommendations** For versions prior to 4.13.16, update to version 4.13.16 or later to resolve the issue. As a temporary workaround, consider disabling SMB1 or restricting access to NFS shares to minimize the risk of exploitation. Avoid using SMB1 or NFS for sensitive data until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 10.14 Description: A denial of service issue was addressed with improved validation. Recommendations: For versions prior to 10.14, update to macOS Mojave 10.14 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.14 **Description** An injection issue was addressed with improved validation. **Recommendations** For versions prior to 10.14, update to macOS Mojave 10.14 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions 2.10 through 3.1.0 **Description** The issue is related to an out-of-bounds read of up to 128 bytes in the `i2c ddc()` function, located in the `hw/i2c/i2c-ddc.c` file. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host, potentially revealing protected information. **Recommendations** For QEMU versions 2.10 through 3.1.0, consider restricting access to the `i2c ddc()` function in the `hw/i2c/i2c-ddc.c` file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: qemu versions prior to 3.1.0 Description: A flaw in the qemu Media Transfer Protocol (MTP) implementation allows for a path traversal due to improper filename sanitization in the `usb mtp write data` function. This can lead to reading and writing arbitrary files, potentially causing a denial of service (DoS) scenario or possibly allowing code execution on the host. The issue is related to errors in synchronization when using a shared resource. Recommendations: For versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `usb mtp write data` function in the `hw/usb/dev-mtp.c` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** glusterfs versions 3.1.2 through 4.1.4 **Description** A flaw in the glusterfs server allows repeated usage of the `GF META LOCK KEY` xattr, enabling a remote, authenticated attacker to create multiple locks for a single inode by using `setxattr` repetitively. This results in memory exhaustion of the glusterfs server node. The issue is related to an uncontrolled consumption of resources, which can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions 3.1.2 through 4.1.4, consider restricting the use of the `setxattr` function to prevent repetitive usage of the `GF META LOCK KEY` xattr until a patch is available. As a temporary workaround, limiting the number of locks that can be created for a single inode may help minimize the risk of memory exhaustion.

**Name of the Vulnerable Software and Affected Versions** Gluster file system versions through 4.1.4 **Description** The issue allows a remote attacker with access to mount volumes to exploit the `GF XATTROP ENTRY IN KEY` xattrop, creating arbitrary, empty files on the target server via abuse of the 'features/index' translator. **Recommendations** For Gluster file system versions through 4.1.4, consider restricting access to the 'features/index' translator to minimize the risk of exploitation. As a temporary workaround, limit the use of the `GF XATTROP ENTRY IN KEY` xattrop until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gluster file system versions 3.1.2 through 4.1.4 **Description** The issue allows a remote, authenticated attacker to perform a denial of service attack by utilizing the `GF XATTR IOSTATS DUMP KEY` xattr. This can be exploited by mounting a Gluster volume and repeatedly calling `setxattr(2)` to trigger a state dump, resulting in the creation of an arbitrary number of files in the server's runtime directory. **Recommendations** For versions 3.1.2 through 4.1.4, consider restricting access to the `GF XATTR IOSTATS DUMP KEY` xattr to prevent exploitation. As a temporary workaround, consider disabling the `setxattr(2)` function until a patch is available. Restrict access to the Gluster volume to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GlusterFS (affected versions not specified) **Description** The issue is related to an incorrect link resolution in the file system, which can be exploited by a remote attacker to execute arbitrary code or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glusterfs (affected versions not specified) **Description** A flaw was discovered in the glusterfs server where it fails to properly sanitize file paths in the `trusted.io-stats-dump` extended attribute used by the `debug/io-stats` translator. This allows an attacker to create files and execute arbitrary code if they have sufficient access to modify the extended attributes of files on a gluster volume. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glusterfs server (affected versions not specified) **Description** An information disclosure issue was found in the glusterfs server, where an attacker could send a xattr request via glusterfs FUSE to check if any file exists. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glusterfs (affected versions not specified) **Description** The issue allows an authenticated attacker to create an arbitrary device and read data from any device attached to the glusterfs server node by exploiting the "mknod" call derived from mknod(2). This can be used to create files pointing to devices on a glusterfs server node. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glusterfs server (affected versions not specified) **Description** A flaw was found in RPC request using `gfs3 mknod req` supported by glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glusterfs server (affected versions not specified) **Description** A flaw was found in the RPC request using `gfs3 symlink req` in the glusterfs server, allowing symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glusterfs server (affected versions not specified) **Description** A flaw was found in the RPC request using `gfs2 create req` in the glusterfs server. An authenticated attacker could use this flaw to create arbitrary files and execute arbitrary code on glusterfs server nodes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GlusterFS (affected versions not specified) **Description** The issue is related to the dic unserialize function in the GlusterFS file system, which incorrectly handles negative key length values. This can be exploited by a remote attacker to access protected information. The flaw allows an attacker to read memory from other locations into the stored dict value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: qemu (affected versions not specified) Description: A flaw in qemu's Media Transfer Protocol (MTP) implementation allows an attacker with write access to the host filesystem shared with a guest to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. This is due to a TOCTTOU (Time-of-Check-to-Time-of-Use) problem, where the code opening files and directories does not consider that the underlying filesystem may have changed since the time `lstat(2)` was called. Access to the filesystem may be local or via a network share protocol such as CIFS. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.