Vulnerabilities in the Linux kernel affecting ksmbd, ktls, uio and the network stack

In the ksmbd module, which provides an SMB file server built into the Linux kernel, two vulnerabilities have been identified that allow an unauthenticated remote attacker to execute code with kernel privileges or to read the contents of kernel memory on systems with the ksmbd module enabled. The problems are present starting with kernel 5.15, the release that introduced the ksmbd module. The vulnerabilities were fixed in kernel updates 6.7.2, 6.6.14, 6.1.75 and 5.15.145. Fix status in distributions can be tracked on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

The first vulnerability (CVE-2024-26592) can lead to execution of attacker-supplied code with kernel privileges when specially crafted unauthenticated TCP requests are sent to the ksmbd server. The vulnerability is caused by incorrect locking of objects in the code that sets up and tears down the TCP connection to ksmbd, which makes it possible to access already freed memory (use-after-free).

The second vulnerability (CVE-2024-26594) leads to disclosure of kernel memory contents when an invalid mech token in a session setup request sent by a client is processed. The vulnerability is caused by incorrect handling of the SMB2 mech token data and results in a read from an area outside the allocated buffer.
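A quick triage check for the ksmbd issues above, added here as an example and not part of the original article: it compares the running kernel against the fixed releases the article lists (5.15.145, 6.1.75, 6.6.14, 6.7.2) and reports whether the ksmbd module is present. The treatment of branches between 5.16 and 6.5 as unfixed, and of anything newer than 6.7 as fixed, is an assumption, and the /sys/module lookup only detects a loaded module.

```python
#!/usr/bin/env python3
"""Flag hosts whose kernel is in the ksmbd-affected range and have the module loaded."""
import platform
import re
from pathlib import Path

# Stable releases that carry the ksmbd fixes (CVE-2024-26592 / CVE-2024-26594), per the article.
FIXED_IN = {(5, 15): (5, 15, 145), (6, 1): (6, 1, 75), (6, 6): (6, 6, 14), (6, 7): (6, 7, 2)}
FIRST_AFFECTED = (5, 15, 0)  # ksmbd was merged in 5.15
MAINLINE_FIX = (6, 7, 2)     # assumption: any branch newer than 6.7 already contains the fix


def parse_release(release: str) -> tuple:
    """Reduce a `uname -r` string such as '6.1.55-1-amd64' to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def ksmbd_vulnerable(release: str) -> bool:
    """True when the upstream version is >= 5.15 and below its branch's fixed release.

    Branches between 5.16 and 6.5 have no fixed release listed in the article and are
    treated as affected (assumption: end-of-life branches that received no backport)."""
    ver = parse_release(release)
    if ver < FIRST_AFFECTED:
        return False  # ksmbd did not exist yet
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return ver[:2] < MAINLINE_FIX[:2]
    return ver < fixed


def ksmbd_loaded() -> bool:
    """Loaded modules appear under /sys/module; a built-in ksmbd may not, so a miss is inconclusive."""
    return Path("/sys/module/ksmbd").exists()


if __name__ == "__main__":
    rel = platform.release()
    vuln = ksmbd_vulnerable(rel)
    print(f"kernel {rel}: {'in affected range' if vuln else 'at or above fixed release'}")
    print(f"ksmbd module present: {ksmbd_loaded()}")
    if vuln and ksmbd_loaded():
        print("exposure: unauthenticated remote attack surface; update the kernel or unload ksmbd")
```

Distribution kernels backport fixes without bumping the upstream version, so a hit here is a reason to consult the distribution trackers named above rather than a confirmed exposure.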

Additionally, several more vulnerabilities in the Linux kernel can be noted:

  • CVE-2023-52439 - A use-after-free memory access in the uio_open function of the uio subsystem, potentially allowing a local user to execute their code with kernel privileges.
  • CVE-2024-26582 - A use-after-free memory access in the kernel-level TLS (ktls) implementation, triggered during decryption operations, potentially allowing a local user to escalate their privileges.
  • CVE-2024-0646 - An out-of-bounds memory write in the ktls subsystem, caused by certain local manipulation of a ktls socket via the splice function. The vulnerability potentially allows a local user to escalate their privileges on the system.
  • CVE-2023-6932 - A race condition in the IGMP (Internet Group Management Protocol) implementation of the IPv4 stack, leading to access to already freed memory (use-after-free). The vulnerability potentially allows a local user to escalate their privileges on the system.
  • CVE-2023-52435 - MSS overflow in the skb_segment() function of the kernel network stack.
  • CVE-2024-26601 - An error in the block release code of the ext4 file system can be used to corrupt the buddy bitmap.
  • CVE-2024-26598 - Use-after-free memory access in the KVM hypervisor.

Source: opennet.ru