Bug 2258518 (CVE-2024-0565)

Summary: CVE-2024-0565 kernel: CIFS Filesystem Decryption Improper Input Validation Remote Code Execution Vulnerability in function receive_encrypted_standard of client
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, tglozar, tyberry, vkumar, wcosta, williams, wmealing, xifeng, ycote, ykopkova, zhijwang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Kernel 6.7-rc6
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux kernel. This issue occurs due to an integer underflow on the memcpy length, leading to a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:

Description Rohit Keshri 2024-01-15 19:20:38 UTC
Linux Kernel CIFS Filesystem Decryption Improper Input Validation Remote Code Execution Vulnerability.

This case affected cifs.ko, which is the Linux CIFS file system module. The client side of CIFS didn't validate the `NextCommand` field, which is controlled from the server side. It leads to DoS (due to an OOB read on the memcpy source buffer) and a wild copy (due to integer underflow on the memcpy length). Both results are caused by the `NextCommand` being used without validation, which is why they were merged into the same case.

Reference:
https://www.spinics.net/lists/stable-commits/msg328851.html
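The defensive check the description calls for, as an added illustration that is not the kernel's code and not the upstream fix: a minimal walker over a compound SMB2 response that validates the server-supplied `NextCommand` against the bytes actually received before using it to size a copy. The layout is an assumption for the demo (64-byte header, `NextCommand` as a little-endian u32 at header offset 20); the chain data is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout for this illustration (not taken from fs/smb/client). */
#define HDR_LEN      64u   /* bytes per command header */
#define NEXT_CMD_OFF 20u   /* offset of the NextCommand field in the header */
#define MAX_CMDS     8

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Walk a compound response of buf_len bytes. On success returns the number
 * of commands and fills lens[] with each command's byte length; returns -1
 * as soon as a NextCommand value does not fit the bytes that were received.
 */
int walk_compound(const uint8_t *buf, size_t buf_len, size_t *lens, size_t max)
{
    size_t off = 0;
    int n = 0;

    while (off < buf_len) {
        size_t remaining = buf_len - off;
        if (remaining < HDR_LEN || n >= (int)max)
            return -1;                       /* truncated header or too many commands */

        uint32_t next = get_le32(buf + off + NEXT_CMD_OFF);
        size_t len;
        if (next == 0) {
            len = remaining;                 /* last command owns the rest of the buffer */
        } else {
            /* Computing `remaining - next` without this check is the size_t
             * underflow the description refers to: a NextCommand larger than
             * the remaining bytes wraps to a huge copy length. Reject it. */
            if (next < HDR_LEN || next > remaining)
                return -1;
            len = next;
        }
        lens[n++] = len;
        off += len;
    }
    return n;
}

/* Constructed two-command chain: 80 bytes for command 1, 72 for command 2. */
static size_t build_chain(uint8_t *buf, size_t cap, uint32_t next1, uint32_t next2)
{
    memset(buf, 0, cap);
    put_le32(buf + NEXT_CMD_OFF, next1);
    put_le32(buf + 80 + NEXT_CMD_OFF, next2);
    return 152;
}

int demo_well_formed(void)      /* server says next=80, then next=0 */
{
    uint8_t buf[160]; size_t lens[MAX_CMDS];
    size_t n = build_chain(buf, sizeof buf, 80, 0);
    return walk_compound(buf, n, lens, MAX_CMDS);   /* 2 */
}

size_t demo_second_len(void)    /* length attributed to the final command */
{
    uint8_t buf[160]; size_t lens[MAX_CMDS];
    size_t n = build_chain(buf, sizeof buf, 80, 0);
    return walk_compound(buf, n, lens, MAX_CMDS) == 2 ? lens[1] : 0;   /* 72 */
}

int demo_next_past_end(void)    /* server claims the next command is 4096 bytes away */
{
    uint8_t buf[160]; size_t lens[MAX_CMDS];
    size_t n = build_chain(buf, sizeof buf, 4096, 0);
    return walk_compound(buf, n, lens, MAX_CMDS);   /* -1 */
}

int demo_next_too_small(void)   /* next=8 would land inside the current header */
{
    uint8_t buf[160]; size_t lens[MAX_CMDS];
    size_t n = build_chain(buf, sizeof buf, 8, 0);
    return walk_compound(buf, n, lens, MAX_CMDS);   /* -1 */
}

int main(void)
{
    printf("well-formed: %d, past-end: %d, too-small: %d\n",
           demo_well_formed(), demo_next_past_end(), demo_next_too_small());
    return 0;
}
```

The point of the walker is that every length fed to a later copy is derived from `remaining`, which is bounded by the bytes actually received, so a server-chosen `NextCommand` can neither push the read past the buffer nor wrap the subtraction.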

Comment 14 errata-xmlrpc 2024-03-06 12:37:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1188 https://access.redhat.com/errata/RHSA-2024:1188

Comment 16 errata-xmlrpc 2024-03-19 17:27:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404

Comment 17 errata-xmlrpc 2024-03-27 00:11:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1533 https://access.redhat.com/errata/RHSA-2024:1533

Comment 18 errata-xmlrpc 2024-03-27 00:18:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1532 https://access.redhat.com/errata/RHSA-2024:1532

Comment 19 errata-xmlrpc 2024-04-02 15:55:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1607 https://access.redhat.com/errata/RHSA-2024:1607

Comment 20 errata-xmlrpc 2024-04-02 17:21:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1614 https://access.redhat.com/errata/RHSA-2024:1614

Comment 23 errata-xmlrpc 2024-04-30 10:15:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394