A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.

Due to an incorrect integer overflow protection Squid SSPI and  
SMB authentication helpers are vulnerable to a Buffer Overflow  
attack.

**Severity:**

This problem allows a remote client to perform a Denial of  
Service attack when Squid is configured to use NTLM or Negotiate  
authentication with one of the vulnerable helpers.

This problem allows a remote client to extract sensitive  
information from machine memory when Squid is configured to use  
NTLM or Negotiate authentication with one of the vulnerable  
helpers. The scope of this information includes user credentials  
in decrypted forms, and also arbitrary memory areas beyond Squid  
and the helper itself.

This attack is limited to authentication helpers built using the  
libntlmauth library shipped by Squid.

CVSS Score of 8.2  
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:C/MC:X/MI:L/MA:H&version=3.1

**Updated Packages:**

This bug is fixed by Squid version 5.7.

In addition, patches addressing this problem for the stable  
releases can be found in our patch archives:

**Squid 4:**

http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022\_2.patch

**Squid 5:**

http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022\_2.patch

If you are using a prepackaged version of Squid then please refer  
to the package vendor for availability information on updated  
packages.

**Determining if your version is vulnerable:**

Run this command to view the configured authentication helpers:

(squid -k parse 2>&1) | grep "Processing: auth\_param"

Your Squid may be vulnerable if the result contains any of the following:  
ntlm\_smb\_lm\_auth  
ntlm\_sspi\_auth  
ntlm\_fake\_auth  
negotiate\_sspi\_auth

All Squid-2.5 up to and including 4.17 have vulnerable helpers.

All Squid-5.x up to and including 5.6 have vulnerable helpers.

**Workaround:**

Either,

Disable use of the vulnerable authentication scheme.

Or,

Replace the vulnerable helper with an alternative helper for the  
same authentication scheme.

Or,

Replace the vulnerable helper binary with one built from an  
updated or patched Squid release. The remainder of Squid does not  
need updating to fix this.

**Contact details for the Squid project:**

For installation / upgrade support on binary packaged versions  
of Squid: Your first point of contact should be your binary  
package vendor.

If you install and build Squid from the original Squid sources  
then the squid-users@lists.squid-cache.org mailing list is your  
primary support point. For subscription details see  
http://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release  
the squid bugzilla database should be used  
http://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the  
squid-bugs@lists.squid-cache.org mailing list. It's a closed  
list (though anyone can post) and security related bug reports  
are treated in confidence until the impact has been established.

**Credits:**

This vulnerability was discovered by LWIC.

Fixed by Amos Jeffries of Treehouse Networks Ltd,  
based on patch by LWIC.

**Revision history:**

2019-03-17 14:24:42 UTC Initial Report  
2022-08-08 12:16:43 UTC Fix Released  
2022-09-23 05:00:00 UTC Advisory Released

END

CVE-2022-41318: SQUID-2022:2 Buffer Over Read in SSPI and SMB Authentication

Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239112 But let’s start with an older vulnerability. This will be another example why […]

Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239112

But let’s start with an older vulnerability. This will be another example why vulnerability prioritization is a tricky thing and you should patch everything. In the September Microsoft Patch Tuesday there was a vulnerability **Information Disclosure** – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2022-37958), which was completely unnoticed by everyone. Not a single VM vendor paid attention to it in their reviews. I didn’t pay attention either.

**SPNEGO** **(Simple and Protected GSSAPI Negotiation Mechanism)** is a GSSAPI “pseudo mechanism” used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. Who knows what kind of disclosure there might be. This vulnerability had CVSS 7.5 (High), not even Critical.

And then on December 13th, IBM Security X-Force researcher Valentina Palmiotti posts a video exploiting this vulnerability, which turns out to be Remote Code Execution. In this video, a Python script is executed in a Linux virtual machine, and in a Windows 10 virtual machine, the message _“Your PC will automatically restart in one minute”_ appears, which indicates that some code was executed there. The researcher is famous and it is highly unlikely that the video is fake.

It turned out that the vulnerability can be exploited during the authentication attempts. The vulnerability affects various protocols. Primarily RDP and SMB. It may be relevant for SMTP, HTTP and others with a non-standard configuration. So, this vulnerability could potentially be worse than EternalBlue.

Microsoft has made changes to the description of the vulnerability. Now it is Critical RCE. NVD hasn’t made any changes yet. IBM promises not to release details until the second quarter of 2023 to give people time to patch.

Now let’s look at the most interesting vulnerabilities of Microsoft Patch Tuesday for December 2022.

    $ cat comments_links.txt 
    Qualys|December 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2022/12/13/the-december-2022-patch-tuesday-security-update-review
    ZDI|THE DECEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/12/13/the-december-2022-security-update-review
    
    $ python3.8 process_classify_ms_products.py  # Automated classifier for Microsoft products
    
    $ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "December" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
    ...
    Creating Patch Tuesday profile...
    MS PT Year: 2022
    MS PT Month: December
    MS PT Date: 2022-12-13
    MS PT CVEs found: 49
    Ext MS PT Date from: 2022-11-09
    Ext MS PT Date to: 2022-12-12
    Ext MS PT CVEs found: 32
    ALL MS PT CVEs: 81
    ...

*   All vulnerabilities: 80
*   Urgent: 0
*   Critical: 3
*   High: 29
*   Medium: 48
*   Low: 0

There were 2 vulnerabilities with signs of exploitation in the wild:

1.  **Security Feature Bypass** – Windows SmartScreen (CVE-2022-44698). It is a bypass of the Windows SmartScreen security feature, and has been seen exploited in the wild. It allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web” despite being downloaded from untrusted sites. Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB, Microsoft websites. The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit). To be honest, I do not consider these warnings from the operating system to be effective. Therefore, this vulnerability does not seem very critical to me. I think an Antivirus or EDR solution should block suspicious files from running in the first place.
2.  **Memory Corruption** – Microsoft Edge (CVE-2022-4135, CVE-2022-4262). Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB websites. CVE-2022-4135: Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High). CVE-2022-4262: Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Among other vulnerabilities without public exploits and signs of exploitation in the wild, it makes sense to pay attention to the following:

1.  **Remote Code Execution** – Microsoft PowerShell (CVE-2022-41076). This critical vulnerability affects PowerShell where any authenticate user, regardless of its privilege could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system. It is worth mentioning that, typically after the initial breach, attackers use the tools available on the system to keep the preserve or advance around a network, and PowerShell is one of the more capable tools they can find. 
2.  **Remote Code Execution** – Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2022-44670, CVE-2022-44676). This critical vulnerability affects Windows Secure Socket Tunneling Protocol (SSTP), and according to Microsoft, an attacker would need to win a race condition to successfully exploit these bugs. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. If you do not have this service, disable it. 
3.  Among the **Elevation of Privilege** vulnerabilities, I would like to highlight a vulnerability in DirectX Graphics Kernel (CVE-2022-44710) and Windows Print Spooler (CVE-2022-44678, CVE-2022-44681).

Full Vulristics report: ms\_patch\_tuesday\_december2022

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Microsoft Patch Tuesday December 2022: SPNEGO RCE, Mark of the Web Bypass, Edge Memory Corruptions

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1could allow a non-privileged local user to exploit a vulnerability in the AIX SMB client to cause a denial of service. IBM X-Force ID: 238639.

**Security Bulletin**

  

**Summary**

A vulnerability in the AIX SMB client daemon could allow a non-privileged local user to cause a denial of service (CVE-2022-43381). AIX uses the SMB client daemon to access files on SMB servers.

**Vulnerability Details**

**CVEID:**   CVE-2022-43381  
**DESCRIPTION:**   IBM AIX could allow a non-privileged local user to exploit a vulnerability in the AIX SMB client to cause a denial of service.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238639 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.1

AIX

7.2

AIX

7.3

VIOS

3.1

The following fileset levels are vulnerable:

Fileset

Lower Level

Upper Level

smbc.rte

7.1.0.0

7.1.302.8

smbc.rte

7.2.0.0

7.2.302.8

To determine if your system is vulnerable, execute the following commands:

lslpp -L | grep -i smbc.rte

  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

14 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}\]

CVE-2022-43381: Security Bulletin: AIX is vulnerable to a denial of service due to the AIX SMB client (CVE-2022-43381)

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.

Permalink

Browse files

ksmbd: prevent out of bound read for SMB2\_WRITE

OOB read memory can be written to a file,
if DataOffset is 0 and Length is too large
in SMB2\_WRITE request of compound request.

To prevent this, when checking the length of
the data area of SMB2\_WRITE in smb2\_get\_data\_area\_len(),
let the minimum of DataOffset be the size of
SMB2 header + the size of SMB2\_WRITE header.

This bug can lead an oops looking something like:

\[  798.008715\] BUG: KASAN: slab-out-of-bounds in copy\_page\_from\_iter\_atomic+0xd3d/0x14b0
\[  798.008724\] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859
...
\[  798.008754\] Call Trace:
\[  798.008756\]  <TASK>
\[  798.008759\]  dump\_stack\_lvl+0x49/0x5f
\[  798.008764\]  print\_report.cold+0x5e/0x5cf
\[  798.008768\]  ? \_\_filemap\_get\_folio+0x285/0x6d0
\[  798.008774\]  ? copy\_page\_from\_iter\_atomic+0xd3d/0x14b0
\[  798.008777\]  kasan\_report+0xaa/0x120
\[  798.008781\]  ? copy\_page\_from\_iter\_atomic+0xd3d/0x14b0
\[  798.008784\]  kasan\_check\_range+0x100/0x1e0
\[  798.008788\]  memcpy+0x24/0x60
\[  798.008792\]  copy\_page\_from\_iter\_atomic+0xd3d/0x14b0
\[  798.008795\]  ? pagecache\_get\_page+0x53/0x160
\[  798.008799\]  ? iov\_iter\_get\_pages\_alloc+0x1590/0x1590
\[  798.008803\]  ? ext4\_write\_begin+0xfc0/0xfc0
\[  798.008807\]  ? current\_time+0x72/0x210
\[  798.008811\]  generic\_perform\_write+0x2c8/0x530
\[  798.008816\]  ? filemap\_fdatawrite\_wbc+0x180/0x180
\[  798.008820\]  ? down\_write+0xb4/0x120
\[  798.008824\]  ? down\_write\_killable+0x130/0x130
\[  798.008829\]  ext4\_buffered\_write\_iter+0x137/0x2c0
\[  798.008833\]  ext4\_file\_write\_iter+0x40b/0x1490
\[  798.008837\]  ? \_\_fsnotify\_parent+0x275/0xb20
\[  798.008842\]  ? \_\_fsnotify\_update\_child\_dentry\_flags+0x2c0/0x2c0
\[  798.008846\]  ? ext4\_buffered\_write\_iter+0x2c0/0x2c0
\[  798.008851\]  \_\_kernel\_write+0x3a1/0xa70
\[  798.008855\]  ? \_\_x64\_sys\_preadv2+0x160/0x160
\[  798.008860\]  ? security\_file\_permission+0x4a/0xa0
\[  798.008865\]  kernel\_write+0xbb/0x360
\[  798.008869\]  ksmbd\_vfs\_write+0x27e/0xb90 \[ksmbd\]
\[  798.008881\]  ? ksmbd\_vfs\_read+0x830/0x830 \[ksmbd\]
\[  798.008892\]  ? \_raw\_read\_unlock+0x2a/0x50
\[  798.008896\]  smb2\_write+0xb45/0x14e0 \[ksmbd\]
\[  798.008909\]  ? \_\_kasan\_check\_write+0x14/0x20
\[  798.008912\]  ? \_raw\_spin\_lock\_bh+0xd0/0xe0
\[  798.008916\]  ? smb2\_read+0x15e0/0x15e0 \[ksmbd\]
\[  798.008927\]  ? memcpy+0x4e/0x60
\[  798.008931\]  ? \_raw\_spin\_unlock+0x19/0x30
\[  798.008934\]  ? ksmbd\_smb2\_check\_message+0x16af/0x2350 \[ksmbd\]
\[  798.008946\]  ? \_raw\_spin\_lock\_bh+0xe0/0xe0
\[  798.008950\]  handle\_ksmbd\_work+0x30e/0x1020 \[ksmbd\]
\[  798.008962\]  process\_one\_work+0x778/0x11c0
\[  798.008966\]  ? \_raw\_spin\_lock\_irq+0x8e/0xe0
\[  798.008970\]  worker\_thread+0x544/0x1180
\[  798.008973\]  ? \_\_cpuidle\_text\_end+0x4/0x4
\[  798.008977\]  kthread+0x282/0x320
\[  798.008982\]  ? process\_one\_work+0x11c0/0x11c0
\[  798.008985\]  ? kthread\_complete\_and\_exit+0x30/0x30
\[  798.008989\]  ret\_from\_fork+0x1f/0x30
\[  798.008995\]  </TASK>

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47943: ksmbd: prevent out of bound read for SMB2_WRITE · torvalds/linux@ac60778

Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.

It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.

But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.

Organizations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.

However, a recent Aite-Novarica Group report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.

Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.

"The risks include the potential for interruptions, unauthorized access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information," says Craig Lurey, CTO and co-founder at Keeper Security.

**Threats Targeting Video Communications Platforms Multiply**

The use of videoconferencing software by remote workers makes it an easy target for various types of attacks in the wild. For instance, "Zoom-bombing" and other attacks came to the fore in the wake of the first work-from-home wave during the pandemic.

Other threats include DDoS attacks, according to the FBI's Internet Crime Report, and malware. In May, for instance, threat hunters discovered a vulnerability chain in Zoom's chat functionality that could be exploited to allow zero-click remote code execution (RCE).

Security firm Vectra also recently discovered a vulnerability in Microsoft Teams, which found that the platform stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. The weakness gives attackers the ability to move through a company’s network much more easily.

But while zero-day exploits and other high-profile attacks get a lot of attention, Mike Parkin, senior technical engineer at Vulcan Cyber points out that many, if not most, attacks still target the users.

"That usually means phishing emails or other social engineering attacks that lead to compromise, or business email compromise attacks that can lead to direct losses through fraud," he says.

**SMBs at Particular Risk From Videoconferencing Threats**

The risk is especially piquant for small and medium-sized businesses (SMBs), researchers say. This segment relied heavily on video collaboration to cut travel costs even before the pandemic, and now represents a class of superusers.

At the same time, SMBs may not have the security awareness or in-house expertise necessary to shore up their defenses. Parkin says SMBs often wrestle to implement and manage a proper cybersecurity program.

"That lack of resources can manifest in not knowing, or being able to implement, proper security on their videoconferencing usage," he says.

George Waller, co-founder and executive vice president of Zerify, agrees that SMBs typically don't have the financial and technical resources that larger companies have.

"Therefore, they are far more vulnerable to even the most basic attacks such as email, phishing and ransomware," he says. "Post-pandemic, many SMBs are still working with limited staff and budgets. Therefore, it's easier to trip them up and cause a devastating data breach."

Meanwhile, this sector often faces financial constraints that could make a cyberattack an extinction-level event. According to a recent IBM breach report, the average size of a data breach in the US is now $9.44 million, and 60% of small businesses go out of business within six months of a data breach.

"When cybercriminals steal sensitive, confidential, or classified data, they can make you pay a ransom to get it back," Waller explains. "They can also sell it to other nefarious people, who can use that data to embarrass or profit from your organization."

Unfortunately, amid the challenges, SMBs are often more of a target than they realize.

"While an attacker’s potential take is smaller, the effort is low, the risk is low, and SMB organizations often have less investment in cybersecurity than a larger organization," Parkin explains. "They can be particularly susceptible to ransomware and business email compromise attacks."

**2FA, Zero Trust Help Secure Video Conferencing**

Fortunately, there are some basic steps that businesses of any size can take to ensure the videoconferencing system they're using doesn't fall into the "low-hanging fruit" category for cybercriminals.

For one, they should ensure their platforms and apps offer two-factor authentication (2FA) for both the meeting creator as well as for the meeting participant, and make sure that login links cannot be shared; most videoconferencing platforms have such basic security features and offer advice on how to use them.

Ricardo Villadiego, CEO and founder of Lumu, says businesses for instance should enable security features such as ID and password and end-to-end encryption that allow SMBs to control access to conversations.

"Avoid repeating passwords, lock down microphones and speakers, and authenticate every user prior to entering a videoconference," he says. "Limit the kind of files and links that can be shared via videoconferencing tools, keep meeting recordings only accessible with a password, and don't discuss information that you wouldn't discuss over the telephone."

Waller adds that snooping on video calls via spyware is a threat that SMBs should be aware of, too.

"Make sure that your camera, microphone, and audio-out data streams are locked down and cannot be spied on with malware," he says. "Organizations should also use an anti-keylogging and anti-screen scraping technology and make sure that AV software is up to date."

Lurey, meanwhile, advises SMBs to protect videoconferencing platforms with a zero-trust security architecture that requires all users be authenticated, authorized, and continuously validated before they can access the application.

"Choose a provider wisely and check that it provides end-to-end encryption," he says. "Most major platforms do."

He adds that it's also imperative to configure the platform correctly by enabling built-in security capabilities and providing consistent enforcement to ensure those security features are never disabled.

Finally, Parkin advises that there are other vulnerabilities in some videoconferencing platforms that require specific steps to counter and stresses the importance of keeping the videoconferencing software up to date. Security teams should also proactively monitor network behavior for anomalous activity and make sure to read terms and conditions of the videoconferencing platform being used.

He adds that with a changing threat landscape, the challenge for SMBs in particular is finding the balance between defending against known threats, being positioned to stay ahead of emerging ones, and managing the risk specific to their environment.

"Small businesses are often resource restricted when it comes to cybersecurity, which means they need to be efficient with the resources they do have," he says. "But focusing on things like user education, which can deliver a lot of value for the investment, can help."

Videoconferencing Worries Grow, With SMBs in Cyberattack Crosshairs

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.

Permalink

Browse files

ksmbd: fix heap-based overflow in set\_ntacl\_dacl()

The testcase use SMB2\_SET\_INFO\_HE command to set a malformed file attribute
under the label \`security.NTACL\`. SMB2\_QUERY\_INFO\_HE command in testcase
trigger the following overflow.

\[ 4712.003781\] ==================================================================
\[ 4712.003790\] BUG: KASAN: slab-out-of-bounds in build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.003807\] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190

\[ 4712.003813\] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1
\[ 4712.003850\] Workqueue: ksmbd-io handle\_ksmbd\_work \[ksmbd\]
\[ 4712.003867\] Call Trace:
\[ 4712.003870\]  <TASK>
\[ 4712.003873\]  dump\_stack\_lvl+0x49/0x5f
\[ 4712.003935\]  print\_report.cold+0x5e/0x5cf
\[ 4712.003972\]  ? ksmbd\_vfs\_get\_sd\_xattr+0x16d/0x500 \[ksmbd\]
\[ 4712.003984\]  ? cmp\_map\_id+0x200/0x200
\[ 4712.003988\]  ? build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004000\]  kasan\_report+0xaa/0x120
\[ 4712.004045\]  ? build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004056\]  kasan\_check\_range+0x100/0x1e0
\[ 4712.004060\]  memcpy+0x3c/0x60
\[ 4712.004064\]  build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004076\]  ? parse\_sec\_desc+0x580/0x580 \[ksmbd\]
\[ 4712.004088\]  ? ksmbd\_acls\_fattr+0x281/0x410 \[ksmbd\]
\[ 4712.004099\]  smb2\_query\_info+0xa8f/0x6110 \[ksmbd\]
\[ 4712.004111\]  ? psi\_group\_change+0x856/0xd70
\[ 4712.004148\]  ? update\_load\_avg+0x1c3/0x1af0
\[ 4712.004152\]  ? asym\_cpu\_capacity\_scan+0x5d0/0x5d0
\[ 4712.004157\]  ? xas\_load+0x23/0x300
\[ 4712.004162\]  ? smb2\_query\_dir+0x1530/0x1530 \[ksmbd\]
\[ 4712.004173\]  ? \_raw\_spin\_lock\_bh+0xe0/0xe0
\[ 4712.004179\]  handle\_ksmbd\_work+0x30e/0x1020 \[ksmbd\]
\[ 4712.004192\]  process\_one\_work+0x778/0x11c0
\[ 4712.004227\]  ? \_raw\_spin\_lock\_irq+0x8e/0xe0
\[ 4712.004231\]  worker\_thread+0x544/0x1180
\[ 4712.004234\]  ? \_\_cpuidle\_text\_end+0x4/0x4
\[ 4712.004239\]  kthread+0x282/0x320
\[ 4712.004243\]  ? process\_one\_work+0x11c0/0x11c0
\[ 4712.004246\]  ? kthread\_complete\_and\_exit+0x30/0x30
\[ 4712.004282\]  ret\_from\_fork+0x1f/0x30

This patch add the buffer validation for security descriptor that is
stored by malformed SMB2\_SET\_INFO\_HE command. and allocate large
response buffer about SMB2\_O\_INFO\_SECURITY file info class.

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47942: ksmbd: fix heap-based overflow in set_ntacl_dacl() · torvalds/linux@8f05411

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.

Browse files

ksmbd: fix memory leak in smb2\_handle\_negotiate

The allocated memory didn't free under an error
path in smb2\_handle\_negotiate().

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17815
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

namjaejeon authored and Steve French committed

Aug 1, 2022

1 parent af7c39d commit aa7253c2393f6dcd6a1468b0792f6da76edad917

CVE-2022-47941: ksmbd: fix memory leak in smb2_handle_negotiate · torvalds/linux@aa7253c

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.

Permalink

Browse files

ksmbd: fix use-after-free bug in smb2\_tree\_disconect

smb2\_tree\_disconnect() freed the struct ksmbd\_tree\_connect,
but it left the dangling pointer. It can be accessed
again under compound requests.

This bug can lead an oops looking something link:

\[ 1685.468014 \] BUG: KASAN: use-after-free in ksmbd\_tree\_conn\_disconnect+0x131/0x160 \[ksmbd\]
\[ 1685.468068 \] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807
...
\[ 1685.468130 \] Call Trace:
\[ 1685.468132 \]  <TASK>
\[ 1685.468135 \]  dump\_stack\_lvl+0x49/0x5f
\[ 1685.468141 \]  print\_report.cold+0x5e/0x5cf
\[ 1685.468145 \]  ? ksmbd\_tree\_conn\_disconnect+0x131/0x160 \[ksmbd\]
\[ 1685.468157 \]  kasan\_report+0xaa/0x120
\[ 1685.468194 \]  ? ksmbd\_tree\_conn\_disconnect+0x131/0x160 \[ksmbd\]
\[ 1685.468206 \]  \_\_asan\_report\_load4\_noabort+0x14/0x20
\[ 1685.468210 \]  ksmbd\_tree\_conn\_disconnect+0x131/0x160 \[ksmbd\]
\[ 1685.468222 \]  smb2\_tree\_disconnect+0x175/0x250 \[ksmbd\]
\[ 1685.468235 \]  handle\_ksmbd\_work+0x30e/0x1020 \[ksmbd\]
\[ 1685.468247 \]  process\_one\_work+0x778/0x11c0
\[ 1685.468251 \]  ? \_raw\_spin\_lock\_irq+0x8e/0xe0
\[ 1685.468289 \]  worker\_thread+0x544/0x1180
\[ 1685.468293 \]  ? \_\_cpuidle\_text\_end+0x4/0x4
\[ 1685.468297 \]  kthread+0x282/0x320
\[ 1685.468301 \]  ? process\_one\_work+0x11c0/0x11c0
\[ 1685.468305 \]  ? kthread\_complete\_and\_exit+0x30/0x30
\[ 1685.468309 \]  ret\_from\_fork+0x1f/0x30

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17816
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47939: ksmbd: fix use-after-free bug in smb2_tree_disconect · torvalds/linux@cf6531d

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNNECT.

CVE-2022-47938

An issue was discovered in ksmbd in the Linux kernel before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.

Permalink

Browse files

ksmbd: validate length in smb2\_write()

The SMB2 Write packet contains data that is to be written
to a file or to a pipe. Depending on the client, there may
be padding between the header and the data field.
Currently, the length is validated only in the case padding
is present.

Since the DataOffset field always points to the beginning
of the data, there is no need to have a special case for
padding. By removing this, the length is validated in both
cases.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

Tag

#samba