SUSE SLES15 Security Update : kernel (SUSE-SU-2022:3809-1)

high Nessus Plugin ID 166751

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3809-1 advisory.

- The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set. (CVE-2016-3695)

- Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196.
(CVE-2020-16119)

- A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free(). (CVE-2020-27784)

- A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them. (CVE-2021-4155)

- A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)

- Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel (CVE-2022-20368)

- In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-223375145References: Upstream kernel (CVE-2022-20369)

- Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)

- kernel: nf_tables cross-table potential use-after-free may lead to local privilege escalation (CVE-2022-2586)

- kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)

- Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)

- An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. (CVE-2022-2663)

- An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data. (CVE-2022-2905)

- A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after- free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)

- A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)

- A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect. (CVE-2022-3169)

- The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. This occurs because of use of Algorithm 4 (Double-Hash Port Selection Algorithm) of RFC 6056.
(CVE-2022-32296)

- A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-3239)

- A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition (CVE-2022-3303)

- An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)

- An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)

- An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain. (CVE-2022-39190)

- drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
(CVE-2022-40768)

- In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. (CVE-2022-41218)

- mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move. (CVE-2022-41222)

- An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. (CVE-2022-41674)

- drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach. (CVE-2022-41848)

- drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use- after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect. (CVE-2022-41849)

- A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. (CVE-2022-42719)

- Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after- free conditions to potentially execute code. (CVE-2022-42720)

- A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code. (CVE-2022-42721)

- In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices. (CVE-2022-42722)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1023051

https://bugzilla.suse.com/1065729

https://bugzilla.suse.com/1152489

https://bugzilla.suse.com/1156395

https://bugzilla.suse.com/1177471

https://bugzilla.suse.com/1179722

https://bugzilla.suse.com/1179723

https://bugzilla.suse.com/1181862

https://bugzilla.suse.com/1185032

https://bugzilla.suse.com/1191662

https://bugzilla.suse.com/1191667

https://bugzilla.suse.com/1191881

https://bugzilla.suse.com/1192594

https://bugzilla.suse.com/1194023

https://bugzilla.suse.com/1194272

https://bugzilla.suse.com/1194535

https://bugzilla.suse.com/1196444

https://bugzilla.suse.com/1197158

https://bugzilla.suse.com/1197659

https://bugzilla.suse.com/1197755

https://bugzilla.suse.com/1197756

https://bugzilla.suse.com/1197757

https://bugzilla.suse.com/1197760

https://bugzilla.suse.com/1197763

https://bugzilla.suse.com/1197920

https://bugzilla.suse.com/1198971

https://bugzilla.suse.com/1199291

https://bugzilla.suse.com/1200288

https://bugzilla.suse.com/1200313

https://bugzilla.suse.com/1200431

https://bugzilla.suse.com/1200622

https://bugzilla.suse.com/1200845

https://bugzilla.suse.com/1200868

https://bugzilla.suse.com/1200869

https://bugzilla.suse.com/1200870

https://bugzilla.suse.com/1200871

https://bugzilla.suse.com/1200872

https://bugzilla.suse.com/1200873

https://bugzilla.suse.com/1201019

https://bugzilla.suse.com/1201309

https://bugzilla.suse.com/1201310

https://bugzilla.suse.com/1201420

https://bugzilla.suse.com/1201489

https://bugzilla.suse.com/1201610

https://bugzilla.suse.com/1201705

https://bugzilla.suse.com/1201726

https://bugzilla.suse.com/1201865

https://bugzilla.suse.com/1201948

https://bugzilla.suse.com/1201990

https://bugzilla.suse.com/1202095

https://bugzilla.suse.com/1203552

https://bugzilla.suse.com/1202096

https://bugzilla.suse.com/1202097

https://bugzilla.suse.com/1202341

https://bugzilla.suse.com/1202346

https://bugzilla.suse.com/1202347

https://bugzilla.suse.com/1202385

https://bugzilla.suse.com/1202393

https://bugzilla.suse.com/1202396

https://bugzilla.suse.com/1202447

https://bugzilla.suse.com/1202577

https://bugzilla.suse.com/1202636

https://bugzilla.suse.com/1202638

https://bugzilla.suse.com/1202672

https://bugzilla.suse.com/1202677

https://bugzilla.suse.com/1202701

https://bugzilla.suse.com/1202708

https://bugzilla.suse.com/1202709

https://bugzilla.suse.com/1202710

https://bugzilla.suse.com/1202711

https://bugzilla.suse.com/1202712

https://bugzilla.suse.com/1202713

https://bugzilla.suse.com/1202714

https://bugzilla.suse.com/1202715

https://bugzilla.suse.com/1202716

https://bugzilla.suse.com/1202717

https://bugzilla.suse.com/1202718

https://bugzilla.suse.com/1202720

https://bugzilla.suse.com/1202722

https://bugzilla.suse.com/1202745

https://bugzilla.suse.com/1202756

https://bugzilla.suse.com/1202810

https://bugzilla.suse.com/1202811

https://bugzilla.suse.com/1202860

https://bugzilla.suse.com/1202895

https://bugzilla.suse.com/1202898

https://bugzilla.suse.com/1202960

https://bugzilla.suse.com/1202984

https://bugzilla.suse.com/1203063

https://bugzilla.suse.com/1203098

https://bugzilla.suse.com/1203107

https://bugzilla.suse.com/1203117

https://bugzilla.suse.com/1203622

https://bugzilla.suse.com/1203737

https://bugzilla.suse.com/1203769

https://bugzilla.suse.com/1203770

https://bugzilla.suse.com/1203802

https://bugzilla.suse.com/1203906

https://bugzilla.suse.com/1203909

https://bugzilla.suse.com/1203935

https://bugzilla.suse.com/1203939

https://bugzilla.suse.com/1203987

https://bugzilla.suse.com/1203992

https://bugzilla.suse.com/1204051

https://bugzilla.suse.com/1204059

https://bugzilla.suse.com/1204060

https://bugzilla.suse.com/1204125

https://www.suse.com/security/cve/CVE-2016-3695

https://www.suse.com/security/cve/CVE-2020-16119

https://www.suse.com/security/cve/CVE-2020-27784

https://www.suse.com/security/cve/CVE-2021-4155

https://www.suse.com/security/cve/CVE-2021-4203

https://www.suse.com/security/cve/CVE-2022-20368

https://www.suse.com/security/cve/CVE-2022-20369

https://www.suse.com/security/cve/CVE-2022-2503

https://www.suse.com/security/cve/CVE-2022-2586

https://www.suse.com/security/cve/CVE-2022-2588

https://www.suse.com/security/cve/CVE-2022-26373

https://www.suse.com/security/cve/CVE-2022-2663

https://www.suse.com/security/cve/CVE-2022-2905

https://www.suse.com/security/cve/CVE-2022-2977

https://www.suse.com/security/cve/CVE-2022-3028

https://www.suse.com/security/cve/CVE-2022-3169

https://www.suse.com/security/cve/CVE-2022-32296

https://www.suse.com/security/cve/CVE-2022-3239

https://www.suse.com/security/cve/CVE-2022-3303

https://www.suse.com/security/cve/CVE-2022-36879

https://www.suse.com/security/cve/CVE-2022-39188

https://www.suse.com/security/cve/CVE-2022-39190

https://www.suse.com/security/cve/CVE-2022-40768

https://www.suse.com/security/cve/CVE-2022-41218

https://www.suse.com/security/cve/CVE-2022-41222

https://www.suse.com/security/cve/CVE-2022-41674

https://www.suse.com/security/cve/CVE-2022-41848

https://www.suse.com/security/cve/CVE-2022-41849

https://www.suse.com/security/cve/CVE-2022-42719

https://www.suse.com/security/cve/CVE-2022-42720

https://www.suse.com/security/cve/CVE-2022-42721

https://www.suse.com/security/cve/CVE-2022-42722

http://www.nessus.org/u?e7698ef9

https://bugzilla.suse.com/1203135

https://bugzilla.suse.com/1203136

https://bugzilla.suse.com/1203137

https://bugzilla.suse.com/1203159

https://bugzilla.suse.com/1203290

https://bugzilla.suse.com/1203389

https://bugzilla.suse.com/1203410

https://bugzilla.suse.com/1203424

https://bugzilla.suse.com/1203514

Plugin Details

Severity: High

ID: 166751

File Name: suse_SU-2022-3809-1.nasl

Version: 1.6

Type: local

Agent: unix

Published: 11/1/2022

Updated: 7/13/2023

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:P

CVSS Score Source: CVE-2021-4203

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2022-42719

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-devel-rt, p-cpe:/a:novell:suse_linux:kernel-rt, p-cpe:/a:novell:suse_linux:kernel-rt-devel, p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel, p-cpe:/a:novell:suse_linux:kernel-source-rt, p-cpe:/a:novell:suse_linux:kernel-syms-rt, p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt, p-cpe:/a:novell:suse_linux:dlm-kmp-rt, p-cpe:/a:novell:suse_linux:gfs2-kmp-rt

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/31/2022

Vulnerability Publication Date: 12/29/2017

Exploitable With

Core Impact

Reference Information

CVE: CVE-2016-3695, CVE-2020-16119, CVE-2020-27784, CVE-2021-4155, CVE-2021-4203, CVE-2022-20368, CVE-2022-20369, CVE-2022-2503, CVE-2022-2586, CVE-2022-2588, CVE-2022-26373, CVE-2022-2663, CVE-2022-2905, CVE-2022-2977, CVE-2022-3028, CVE-2022-3169, CVE-2022-32296, CVE-2022-3239, CVE-2022-3303, CVE-2022-36879, CVE-2022-39188, CVE-2022-39190, CVE-2022-40768, CVE-2022-41218, CVE-2022-41222, CVE-2022-41674, CVE-2022-41848, CVE-2022-41849, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722

SuSE: SUSE-SU-2022:3809-1