SUSE SLES12 Security Update : kernel (SUSE-SU-2021:3723-1)
high Nessus Plugin ID 155577
Language:
Synopsis
The remote SUSE host is missing one or more security updates.Description
The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3723-1 advisory.- The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
- The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)
- In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)
- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2021-3542)
- In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.
(CVE-2021-35477)
- A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)
- kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)
- hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
(CVE-2021-37159)
- prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write. (CVE-2021-41864)
- The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.
(CVE-2021-42008)
- An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes. (CVE-2021-42252)
- The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. (CVE-2021-42739)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1085030
https://bugzilla.suse.com/1094840
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1180624
https://bugzilla.suse.com/1184673
https://bugzilla.suse.com/1186063
https://bugzilla.suse.com/1186109
https://bugzilla.suse.com/1188563
https://bugzilla.suse.com/1188601
https://bugzilla.suse.com/1188983
https://bugzilla.suse.com/1188985
https://bugzilla.suse.com/1190006
https://bugzilla.suse.com/1190067
https://bugzilla.suse.com/1190317
https://bugzilla.suse.com/1190349
https://bugzilla.suse.com/1190351
https://bugzilla.suse.com/1190479
https://bugzilla.suse.com/1190620
https://bugzilla.suse.com/1190795
https://bugzilla.suse.com/1190941
https://bugzilla.suse.com/1191241
https://bugzilla.suse.com/1191315
https://bugzilla.suse.com/1191317
https://bugzilla.suse.com/1191349
https://bugzilla.suse.com/1191450
https://bugzilla.suse.com/1191452
https://bugzilla.suse.com/1191455
https://bugzilla.suse.com/1191500
https://bugzilla.suse.com/1191579
https://bugzilla.suse.com/1191628
https://bugzilla.suse.com/1191662
https://bugzilla.suse.com/1191667
https://bugzilla.suse.com/1191713
https://bugzilla.suse.com/1191801
https://bugzilla.suse.com/1192145
https://bugzilla.suse.com/1192379
http://www.nessus.org/u?7f8987e7
https://www.suse.com/security/cve/CVE-2018-13405
https://www.suse.com/security/cve/CVE-2021-33033
https://www.suse.com/security/cve/CVE-2021-34556
https://www.suse.com/security/cve/CVE-2021-3542
https://www.suse.com/security/cve/CVE-2021-35477
https://www.suse.com/security/cve/CVE-2021-3655
https://www.suse.com/security/cve/CVE-2021-3715
https://www.suse.com/security/cve/CVE-2021-37159
https://www.suse.com/security/cve/CVE-2021-3760
https://www.suse.com/security/cve/CVE-2021-3772
https://www.suse.com/security/cve/CVE-2021-41864
https://www.suse.com/security/cve/CVE-2021-42008
Plugin Details
Severity: High
ID: 155577
File Name: suse_SU-2021-3723-1.nasl
Version: 1.4
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 11/18/2021
Updated: 2/28/2022
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 5.6
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Temporal Vector: E:POC/RL:OF/RC:C
CVSS Score Source: CVE-2021-3760
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt, p-cpe:/a:novell:suse_linux:dlm-kmp-rt, p-cpe:/a:novell:suse_linux:gfs2-kmp-rt, p-cpe:/a:novell:suse_linux:kernel-devel-rt, p-cpe:/a:novell:suse_linux:kernel-rt, p-cpe:/a:novell:suse_linux:kernel-rt-base, p-cpe:/a:novell:suse_linux:kernel-rt-devel, p-cpe:/a:novell:suse_linux:kernel-rt_debug, p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel, p-cpe:/a:novell:suse_linux:kernel-source-rt, p-cpe:/a:novell:suse_linux:kernel-syms-rt, p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt, cpe:/o:novell:suse_linux:12
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 11/17/2021
Vulnerability Publication Date: 7/6/2018
Reference Information
CVE: CVE-2018-13405, CVE-2021-3542, CVE-2021-3655, CVE-2021-3715, CVE-2021-3760, CVE-2021-3772, CVE-2021-33033, CVE-2021-34556, CVE-2021-35477, CVE-2021-37159, CVE-2021-41864, CVE-2021-42008, CVE-2021-42252, CVE-2021-42739
SuSE: SUSE-SU-2021:3723-1