SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2021:3748-1)

high Nessus Plugin ID 155648

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3748-1 advisory.

- The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)

- The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)

- In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)

- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2021-3542)

- In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.
(CVE-2021-35477)

- A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)

- kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)

- hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
(CVE-2021-37159)

- prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write. (CVE-2021-41864)

- The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.
(CVE-2021-42008)

- An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes. (CVE-2021-42252)

- The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. (CVE-2021-42739)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1050549

https://bugzilla.suse.com/1065729

https://bugzilla.suse.com/1085030

https://bugzilla.suse.com/1114648

https://bugzilla.suse.com/1180624

https://bugzilla.suse.com/1184673

https://bugzilla.suse.com/1186063

https://bugzilla.suse.com/1186109

https://bugzilla.suse.com/1188563

https://bugzilla.suse.com/1188601

https://bugzilla.suse.com/1188983

https://bugzilla.suse.com/1188985

https://bugzilla.suse.com/1190006

https://bugzilla.suse.com/1190067

https://bugzilla.suse.com/1190317

https://bugzilla.suse.com/1190349

https://bugzilla.suse.com/1190397

https://bugzilla.suse.com/1190479

https://bugzilla.suse.com/1190620

https://bugzilla.suse.com/1190795

https://bugzilla.suse.com/1190941

https://bugzilla.suse.com/1191241

https://bugzilla.suse.com/1191315

https://bugzilla.suse.com/1191317

https://bugzilla.suse.com/1191349

https://bugzilla.suse.com/1191450

https://bugzilla.suse.com/1191452

https://bugzilla.suse.com/1191455

https://bugzilla.suse.com/1191500

https://bugzilla.suse.com/1191579

https://bugzilla.suse.com/1191628

https://bugzilla.suse.com/1191662

https://bugzilla.suse.com/1191667

https://bugzilla.suse.com/1191713

https://bugzilla.suse.com/1191801

https://bugzilla.suse.com/1191888

https://bugzilla.suse.com/1192145

https://bugzilla.suse.com/1192267

https://lists.suse.com/pipermail/sle-updates/2021-November/020791.html

https://www.suse.com/security/cve/CVE-2018-13405

https://www.suse.com/security/cve/CVE-2021-33033

https://www.suse.com/security/cve/CVE-2021-34556

https://www.suse.com/security/cve/CVE-2021-3542

https://www.suse.com/security/cve/CVE-2021-35477

https://www.suse.com/security/cve/CVE-2021-3655

https://www.suse.com/security/cve/CVE-2021-3715

https://www.suse.com/security/cve/CVE-2021-37159

https://www.suse.com/security/cve/CVE-2021-3760

https://www.suse.com/security/cve/CVE-2021-41864

https://www.suse.com/security/cve/CVE-2021-42008

https://www.suse.com/security/cve/CVE-2021-42252

https://www.suse.com/security/cve/CVE-2021-42739

Plugin Details

Severity: High

ID: 155648

File Name: suse_SU-2021-3748-1.nasl

Version: 1.4

Type: local

Agent: unix

Published: 11/20/2021

Updated: 2/28/2022

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Source: CVE-2021-3760

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:cluster-md-kmp-default, p-cpe:/a:novell:suse_linux:dlm-kmp-default, p-cpe:/a:novell:suse_linux:gfs2-kmp-default, p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-extra, p-cpe:/a:novell:suse_linux:kernel-default-kgraft, p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-devel, p-cpe:/a:novell:suse_linux:kernel-macros, p-cpe:/a:novell:suse_linux:kernel-obs-build, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-122_98-default, p-cpe:/a:novell:suse_linux:ocfs2-kmp-default, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/19/2021

Vulnerability Publication Date: 7/6/2018

Reference Information

CVE: CVE-2018-13405, CVE-2021-3542, CVE-2021-3655, CVE-2021-3715, CVE-2021-3760, CVE-2021-33033, CVE-2021-34556, CVE-2021-35477, CVE-2021-37159, CVE-2021-41864, CVE-2021-42008, CVE-2021-42252, CVE-2021-42739

SuSE: SUSE-SU-2021:3748-1