SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2021:3748-1)
high Nessus Plugin ID 155648
Language:
Synopsis
The remote SUSE host is missing one or more security updates.Description
The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3748-1 advisory.- The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
- The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)
- In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)
- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2021-3542)
- In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.
(CVE-2021-35477)
- A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)
- kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)
- hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
(CVE-2021-37159)
- prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write. (CVE-2021-41864)
- The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.
(CVE-2021-42008)
- An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes. (CVE-2021-42252)
- The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. (CVE-2021-42739)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1085030
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1180624
https://bugzilla.suse.com/1184673
https://bugzilla.suse.com/1186063
https://bugzilla.suse.com/1186109
https://bugzilla.suse.com/1188563
https://bugzilla.suse.com/1188601
https://bugzilla.suse.com/1188983
https://bugzilla.suse.com/1188985
https://bugzilla.suse.com/1190006
https://bugzilla.suse.com/1190067
https://bugzilla.suse.com/1190317
https://bugzilla.suse.com/1190349
https://bugzilla.suse.com/1190397
https://bugzilla.suse.com/1190479
https://bugzilla.suse.com/1190620
https://bugzilla.suse.com/1190795
https://bugzilla.suse.com/1190941
https://bugzilla.suse.com/1191241
https://bugzilla.suse.com/1191315
https://bugzilla.suse.com/1191317
https://bugzilla.suse.com/1191349
https://bugzilla.suse.com/1191450
https://bugzilla.suse.com/1191452
https://bugzilla.suse.com/1191455
https://bugzilla.suse.com/1191500
https://bugzilla.suse.com/1191579
https://bugzilla.suse.com/1191628
https://bugzilla.suse.com/1191662
https://bugzilla.suse.com/1191667
https://bugzilla.suse.com/1191713
https://bugzilla.suse.com/1191801
https://bugzilla.suse.com/1191888
https://bugzilla.suse.com/1192145
https://bugzilla.suse.com/1192267
https://lists.suse.com/pipermail/sle-updates/2021-November/020791.html
https://www.suse.com/security/cve/CVE-2018-13405
https://www.suse.com/security/cve/CVE-2021-33033
https://www.suse.com/security/cve/CVE-2021-34556
https://www.suse.com/security/cve/CVE-2021-3542
https://www.suse.com/security/cve/CVE-2021-35477
https://www.suse.com/security/cve/CVE-2021-3655
https://www.suse.com/security/cve/CVE-2021-3715
https://www.suse.com/security/cve/CVE-2021-37159
https://www.suse.com/security/cve/CVE-2021-3760
https://www.suse.com/security/cve/CVE-2021-41864
https://www.suse.com/security/cve/CVE-2021-42008
Plugin Details
Severity: High
ID: 155648
File Name: suse_SU-2021-3748-1.nasl
Version: 1.4
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 11/20/2021
Updated: 2/28/2022
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 5.6
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Temporal Vector: E:POC/RL:OF/RC:C
CVSS Score Source: CVE-2021-3760
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:cluster-md-kmp-default, p-cpe:/a:novell:suse_linux:dlm-kmp-default, p-cpe:/a:novell:suse_linux:gfs2-kmp-default, p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-extra, p-cpe:/a:novell:suse_linux:kernel-default-kgraft, p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-devel, p-cpe:/a:novell:suse_linux:kernel-macros, p-cpe:/a:novell:suse_linux:kernel-obs-build, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-122_98-default, p-cpe:/a:novell:suse_linux:ocfs2-kmp-default, cpe:/o:novell:suse_linux:12
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 11/19/2021
Vulnerability Publication Date: 7/6/2018
Reference Information
CVE: CVE-2018-13405, CVE-2021-3542, CVE-2021-3655, CVE-2021-3715, CVE-2021-3760, CVE-2021-33033, CVE-2021-34556, CVE-2021-35477, CVE-2021-37159, CVE-2021-41864, CVE-2021-42008, CVE-2021-42252, CVE-2021-42739
SuSE: SUSE-SU-2021:3748-1