Detections
Analytics
SUSE SLES15 Security Update : kernel (SUSE-SU-2022:0197-1)
high Nessus Plugin ID 157144
Language:
Synopsis
The remote SUSE host is missing one or more security updates.Description
The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0197-1 advisory.- A vulnerability was found in Linux kernel, where a use-after-frees in nouveau's postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if unbind the driver). (CVE-2020-27820)
- A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat. (CVE-2020-27825)
- Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as driver domains.
Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 (CVE-2021-28711, CVE-2021-28712, CVE-2021-28713)
- Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default).
Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time.
(CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714) (CVE-2021-28714, CVE-2021-28715)
- Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)
- A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. This flaw affects kernel versions prior to 5.16 rc2. (CVE-2021-4001)
- A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)
- A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)
- A memory leak vulnerability was found in the Linux kernel's eBPF for the Simulated networking device driver in the way user uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4135)
- A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem. (CVE-2021-4149)
- An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-4197)
- A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem. (CVE-2021-4202)
- In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value. (CVE-2021-43975)
- In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
(CVE-2021-43976)
- A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.
This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object. (CVE-2021-44733)
- In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)
- In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. (CVE-2021-45486)
- A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system. (CVE-2022-0185)
- A flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt to use more buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS). (CVE-2022-0322)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://bugzilla.suse.com/1071995
https://bugzilla.suse.com/1139944
https://bugzilla.suse.com/1151927
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1153275
https://bugzilla.suse.com/1154353
https://bugzilla.suse.com/1154355
https://bugzilla.suse.com/1161907
https://bugzilla.suse.com/1164565
https://bugzilla.suse.com/1166780
https://bugzilla.suse.com/1169514
https://bugzilla.suse.com/1176242
https://bugzilla.suse.com/1176536
https://bugzilla.suse.com/1176544
https://bugzilla.suse.com/1176545
https://bugzilla.suse.com/1176546
https://bugzilla.suse.com/1176548
https://bugzilla.suse.com/1176558
https://bugzilla.suse.com/1176559
https://bugzilla.suse.com/1176940
https://bugzilla.suse.com/1176956
https://bugzilla.suse.com/1177440
https://bugzilla.suse.com/1178270
https://bugzilla.suse.com/1179211
https://bugzilla.suse.com/1179424
https://bugzilla.suse.com/1179426
https://bugzilla.suse.com/1179427
https://bugzilla.suse.com/1179599
https://bugzilla.suse.com/1179960
https://bugzilla.suse.com/1181148
https://bugzilla.suse.com/1181507
https://bugzilla.suse.com/1181710
https://bugzilla.suse.com/1183534
https://bugzilla.suse.com/1183540
https://bugzilla.suse.com/1183897
https://bugzilla.suse.com/1184209
https://bugzilla.suse.com/1185726
https://bugzilla.suse.com/1185902
https://bugzilla.suse.com/1187541
https://bugzilla.suse.com/1189126
https://bugzilla.suse.com/1189158
https://bugzilla.suse.com/1191271
https://bugzilla.suse.com/1191793
https://bugzilla.suse.com/1191876
https://bugzilla.suse.com/1192267
https://bugzilla.suse.com/1192507
https://bugzilla.suse.com/1192511
https://bugzilla.suse.com/1192569
https://bugzilla.suse.com/1192606
https://bugzilla.suse.com/1192845
https://bugzilla.suse.com/1192847
https://bugzilla.suse.com/1192877
https://bugzilla.suse.com/1192946
https://bugzilla.suse.com/1192969
https://bugzilla.suse.com/1192987
https://bugzilla.suse.com/1192990
https://bugzilla.suse.com/1192998
https://bugzilla.suse.com/1193002
https://bugzilla.suse.com/1193042
https://bugzilla.suse.com/1193169
https://bugzilla.suse.com/1193255
https://bugzilla.suse.com/1193306
https://bugzilla.suse.com/1193318
https://bugzilla.suse.com/1193349
https://bugzilla.suse.com/1193440
https://bugzilla.suse.com/1193442
https://bugzilla.suse.com/1193660
https://bugzilla.suse.com/1193669
https://bugzilla.suse.com/1193727
https://bugzilla.suse.com/1193767
https://bugzilla.suse.com/1193901
https://bugzilla.suse.com/1193927
https://bugzilla.suse.com/1194001
https://bugzilla.suse.com/1194087
https://bugzilla.suse.com/1194094
https://bugzilla.suse.com/1194302
https://bugzilla.suse.com/1194516
https://bugzilla.suse.com/1194517
https://bugzilla.suse.com/1194529
https://bugzilla.suse.com/1194888
https://bugzilla.suse.com/1194985
https://www.suse.com/security/cve/CVE-2020-27820
https://www.suse.com/security/cve/CVE-2020-27825
https://www.suse.com/security/cve/CVE-2021-28711
https://www.suse.com/security/cve/CVE-2021-28712
https://www.suse.com/security/cve/CVE-2021-28713
https://www.suse.com/security/cve/CVE-2021-28714
https://www.suse.com/security/cve/CVE-2021-28715
https://www.suse.com/security/cve/CVE-2021-33098
https://www.suse.com/security/cve/CVE-2021-4001
https://www.suse.com/security/cve/CVE-2021-4002
https://www.suse.com/security/cve/CVE-2021-4083
https://www.suse.com/security/cve/CVE-2021-4135
https://www.suse.com/security/cve/CVE-2021-4149
https://www.suse.com/security/cve/CVE-2021-4197
https://www.suse.com/security/cve/CVE-2021-4202
https://www.suse.com/security/cve/CVE-2021-43975
https://www.suse.com/security/cve/CVE-2021-43976
https://www.suse.com/security/cve/CVE-2021-44733
https://www.suse.com/security/cve/CVE-2021-45485
https://www.suse.com/security/cve/CVE-2021-45486
https://www.suse.com/security/cve/CVE-2022-0185
Plugin Details
Severity: High
ID: 157144
File Name: suse_SU-2022-0197-1.nasl
Version: 1.8
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 1/27/2022
Updated: 7/13/2023
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 6
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2022-0185
CVSS v3
Risk Factor: High
Base Score: 8.4
Temporal Score: 7.8
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:cluster-md-kmp-default, p-cpe:/a:novell:suse_linux:kernel-default-livepatch-devel, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:dlm-kmp-default, p-cpe:/a:novell:suse_linux:kernel-default-livepatch, p-cpe:/a:novell:suse_linux:reiserfs-kmp-default, p-cpe:/a:novell:suse_linux:ocfs2-kmp-default, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-preempt-devel, p-cpe:/a:novell:suse_linux:kernel-macros, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-preempt, p-cpe:/a:novell:suse_linux:kernel-devel, p-cpe:/a:novell:suse_linux:kernel-obs-build, p-cpe:/a:novell:suse_linux:gfs2-kmp-default, p-cpe:/a:novell:suse_linux:kernel-livepatch-5_3_18-24_99-default, cpe:/o:novell:suse_linux:15
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 1/26/2022
Vulnerability Publication Date: 12/11/2020
Exploitable With
Core Impact
Reference Information
CVE: CVE-2020-27820, CVE-2020-27825, CVE-2021-28711, CVE-2021-28712, CVE-2021-28713, CVE-2021-28714, CVE-2021-28715, CVE-2021-33098, CVE-2021-4001, CVE-2021-4002, CVE-2021-4083, CVE-2021-4135, CVE-2021-4149, CVE-2021-4197, CVE-2021-4202, CVE-2021-43975, CVE-2021-43976, CVE-2021-44733, CVE-2021-45485, CVE-2021-45486, CVE-2022-0185, CVE-2022-0322
SuSE: SUSE-SU-2022:0197-1