Norbert Szetei

The Linux kernel's ksmbd server is affected by a slab-use-after-free issue in the ksmbd smb2 session create function, caused by a race condition between ksmbd smb2 session create and ksmbd expire session. This issue can be exploited to impact the confidentiality, integrity, and availability of protected information. Although the vulnerable versions are not explicitly stated, a patch has been released to resolve the issue by adding a missing sessions table lock when adding or deleting sessions from the global session table. An exploit for this issue could potentially allow an attacker to compromise the security of the system. #LinuxKernel #ksmbd #SlabUseAfterFree #RaceCondition #Exploit #LinuxSecurity

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.1.119-1 Linux-6.1 versions prior to 6.1.119-1~deb11u1 **Description** Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leaks. A specific issue involves a slab-use-after-free condition in the `smb3 preauth hash rsp` function within the ksmbd server, located in `fs/smb/server/server.c`. This occurs due to the `ksmbd user session put` function not being called under `smb3 preauth hash rsp()`, potentially freeing the session before it is used. The vulnerability in the ` handle ksmbd work()` function within the CIFS/SMB3 server component of the Linux kernel is related to the reuse of previously freed memory. Exploitation of this issue could allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** Upgrade your linux packages to version 6.1.119-1 or later. Upgrade your linux-6.1 packages to version 6.1.119-1~deb11u1 or later.

The Linux kernel's ksmbd component is affected by a memory exhaustion issue due to simultaneous SMB operations, which can consume excessive memory through the "ksmbd work cache", leading to an Out-of-Memory (OOM) issue. The issue arises when a client sends multiple SMB operations to ksmbd, and the ksmbd credit mechanism is insufficient to handle this problem. A patch has been added to check if the maximum credits are exceeded, preventing the issue by assuming one SMB request consumes at least one credit. An exploit for this issue is available. The affected software is the Linux kernel, specifically the ksmbd component. #LinuxKernel #ksmbd #SMB #MemoryExhaustion #OOMIssue #LinuxSecurity

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a slab-out-of-bounds read in the `smb2 allocate rsp buf()` function. If the `->ProtocolId` is `SMB2 TRANSFORM PROTO NUM`, SMB2 request size validation could be skipped. If the request size is smaller than `sizeof(struct smb2 query info req)`, a slab-out-of-bounds read can happen in `smb2 allocate rsp buf()`. This can be exploited to cause a denial of service. The patch allocates the response buffer after decrypting the transform request, and `smb3 decrypt req()` validates the transform request size to avoid the slab-out-of-bounds issue. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gosaml2 versions prior to 0.9.0 **Description** A bug in the gosaml2 library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1. By limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process, it may be possible to help Go's garbage collector "keep up". However, implementors are encouraged not to rely on this. **Recommendations** For versions prior to 0.9.0, update to version 0.9.0 to resolve the issue. As a temporary workaround, consider limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process to help mitigate the risk of memory exhaustion.

**Name of the Vulnerable Software and Affected Versions** Open Policy Agent version 0.39.0 **Description** The issue is caused by a problem in the ast/parser.go component of Open Policy Agent, which leads to incorrect interpretation of expressions. This results in a Denial of Service (DoS) due to out-of-range memory access. **Recommendations** For Open Policy Agent version 0.39.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Django versions 1.11 before 1.11.29 Django versions 2.2 before 2.2.11 Django versions 3.0 before 3.0.4 **Description** The issue allows SQL Injection if untrusted data is used as a `tolerance` parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted `tolerance` to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. This could potentially allow a remote attacker to execute arbitrary code. **Recommendations** For Django version 1.11, update to version 1.11.29 or later. For Django version 2.2, update to version 2.2.11 or later. For Django version 3.0, update to version 3.0.4 or later. As a temporary workaround, consider avoiding the use of untrusted data as a `tolerance` parameter in GIS functions and aggregates on Oracle until a patch is applied.