SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:2738-1)

critical Nessus Plugin ID 130163

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 7.4

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-14835: A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could have used this flaw to increase their privileges on the host (bnc#1150112).

CVE-2019-15216: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1146361).

CVE-2019-15924: fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c had a NULL pointer dereference because there was no -ENOMEM upon an alloc_workqueue failure (bnc#1149612).

CVE-2019-9456: In the Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have led to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1150025).

CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE was misused in arch/powerpc/kernel/process.c (bnc#1149713).

CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check (bnc#1149713).

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bnc#1149626).

CVE-2019-15921: There was a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c (bnc#1149602).

CVE-2018-21008: A use-after-free could have been caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149552).

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bnc#1149539).

CVE-2019-15926: An out-of-bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c (bnc#1149527).

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit in the file sound/usb/mixer.c (bnc#1149522).

CVE-2019-15902: Misuse of the upstream 'x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()' commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandled directory validation (bnc#1148394).

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver (bnc#1146524).

CVE-2019-14814: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).

CVE-2019-14815: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code.
(bsc#1146514)

CVE-2019-14816: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver (bnc#1146526).

CVE-2019-15538: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS (bnc#1148093).

- Update reference for ath6kl fix (CVE-2019-15290,bsc#1146543).

- Update reference for ath6kl fix (CVE-2019-15290,bsc#1146543).

CVE-2019-15099: drivers/net/wireless/ath/ath10k/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146368).

CVE-2019-15098: drivers/net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146378).

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver (bnc#1146391).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c (bnc#1146678).

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver (bnc#1146547).

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory (bnc#1146519).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c (bnc#1146550).

CVE-2019-15221: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver (bnc#1146529).

CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver (bnc#1146531).

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver (bnc#1146413).

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver (bnc#1146425).

CVE-2019-15090: An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the qedi_dbg_* family of functions, there is an out-of-bounds read (bnc#1146399).

CVE-2018-20976: An issue was discovered in fs/xfs/xfs_super.c. A use after free exists, related to xfs_fs_fill_super failure (bnc#1146285).

CVE-2017-18551: An issue was discovered in drivers/i2c/i2c-core-smbus.c. There was an out of bounds write in the function i2c_smbus_xfer_emulated (bnc#1146163).

CVE-2019-15118: check_input_term in sound/usb/mixer.c mishandled recursion, leading to kernel stack exhaustion (bnc#1145922).

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c mishandled a short descriptor, leading to out-of-bounds memory access (bnc#1145920).

CVE-2019-10207: Bluetooth/hci_uart was missing a check for tty operations (bsc#1142857).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Module for Realtime 15-SP1:zypper in -t patch SUSE-SLE-Module-RT-15-SP1-2019-2738=1

SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2738=1

Plugin Details

Severity: Critical

ID: 130163

File Name: suse_SU-2019-2738-1.nasl

Version: 1.6

Type: local

Agent: unix

Family: SuSE Local Security Checks

Published: 10/23/2019

Updated: 1/13/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: Critical

VPR Score: 7.4

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt, p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt-debuginfo, p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt_debug, p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt_debug-debuginfo, p-cpe:/a:novell:suse_linux:dlm-kmp-rt, p-cpe:/a:novell:suse_linux:dlm-kmp-rt-debuginfo, p-cpe:/a:novell:suse_linux:dlm-kmp-rt_debug, p-cpe:/a:novell:suse_linux:dlm-kmp-rt_debug-debuginfo, p-cpe:/a:novell:suse_linux:gfs2-kmp-rt, p-cpe:/a:novell:suse_linux:gfs2-kmp-rt-debuginfo, p-cpe:/a:novell:suse_linux:gfs2-kmp-rt_debug, p-cpe:/a:novell:suse_linux:gfs2-kmp-rt_debug-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt, p-cpe:/a:novell:suse_linux:kernel-rt-base, p-cpe:/a:novell:suse_linux:kernel-rt-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt-debugsource, p-cpe:/a:novell:suse_linux:kernel-rt-devel, p-cpe:/a:novell:suse_linux:kernel-rt-devel-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt-extra, p-cpe:/a:novell:suse_linux:kernel-rt-extra-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt-livepatch, p-cpe:/a:novell:suse_linux:kernel-rt-livepatch-devel, p-cpe:/a:novell:suse_linux:kernel-rt_debug, p-cpe:/a:novell:suse_linux:kernel-rt_debug-base, p-cpe:/a:novell:suse_linux:kernel-rt_debug-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt_debug-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt_debug-debugsource, p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel, p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt_debug-extra, p-cpe:/a:novell:suse_linux:kernel-rt_debug-extra-debuginfo, p-cpe:/a:novell:suse_linux:kernel-rt_debug-livepatch, p-cpe:/a:novell:suse_linux:kernel-rt_debug-livepatch-devel, p-cpe:/a:novell:suse_linux:kernel-syms-rt, p-cpe:/a:novell:suse_linux:kselftests-kmp-rt, p-cpe:/a:novell:suse_linux:kselftests-kmp-rt-debuginfo, p-cpe:/a:novell:suse_linux:kselftests-kmp-rt_debug, p-cpe:/a:novell:suse_linux:kselftests-kmp-rt_debug-debuginfo, p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt, p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt-debuginfo, p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt_debug, p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt_debug-debuginfo, p-cpe:/a:novell:suse_linux:reiserfs-kmp-rt, p-cpe:/a:novell:suse_linux:reiserfs-kmp-rt-debuginfo, p-cpe:/a:novell:suse_linux:reiserfs-kmp-rt_debug, p-cpe:/a:novell:suse_linux:reiserfs-kmp-rt_debug-debuginfo, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/22/2019

Vulnerability Publication Date: 8/16/2019

Reference Information

CVE: CVE-2017-18551, CVE-2018-20976, CVE-2018-21008, CVE-2019-10207, CVE-2019-14814, CVE-2019-14815, CVE-2019-14816, CVE-2019-14835, CVE-2019-15030, CVE-2019-15031, CVE-2019-15090, CVE-2019-15098, CVE-2019-15099, CVE-2019-15117, CVE-2019-15118, CVE-2019-15211, CVE-2019-15212, CVE-2019-15214, CVE-2019-15215, CVE-2019-15216, CVE-2019-15217, CVE-2019-15218, CVE-2019-15219, CVE-2019-15220, CVE-2019-15221, CVE-2019-15222, CVE-2019-15239, CVE-2019-15290, CVE-2019-15292, CVE-2019-15538, CVE-2019-15666, CVE-2019-15902, CVE-2019-15917, CVE-2019-15919, CVE-2019-15920, CVE-2019-15921, CVE-2019-15924, CVE-2019-15926, CVE-2019-15927, CVE-2019-9456