SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2023:3302-1)

high Nessus Plugin ID 179825

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3302-1 advisory.

- Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-40982)

- Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the access_ok check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 (CVE-2023-0459)

- A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)

- A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled?address, potentially leading to information disclosure. (CVE-2023-20569)

- An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. (CVE-2023-20593)

- In multiple functions of io_uring.c, there is a possible kernel memory corruption due to improper locking.
This could lead to local escalation of privilege in the kernel with System execution privileges needed.
User interaction is not needed for exploitation. (CVE-2023-21400)

- A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol.
This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system. (CVE-2023-2156)

- A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux.
ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service. (CVE-2023-2166)

- A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat. (CVE-2023-2430)

- A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem. (CVE-2023-2985)

- A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e. (CVE-2023-3090)

- An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur. (CVE-2023-31083)

- A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag(). (CVE-2023-3111)

- ** REJECT ** Duplicate of CVE-2023-3390. (CVE-2023-3117)

- Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace (CVE-2023-31248)

- A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
(CVE-2023-3212)

- An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information. (CVE-2023-3268)

- A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Racing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer. We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable). (CVE-2023-3389)

- A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. (CVE-2023-3390)

- Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

- A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal kernel information. (CVE-2023-3567)

- A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
(CVE-2023-3609)

- An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out- of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

- A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
(CVE-2023-3776)

- An out-of-bounds memory access flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-3812)

- An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info).
(CVE-2023-38409)

- A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
This flaw allows a local user with special privileges to impact a kernel information leak issue.
(CVE-2023-3863)

- A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system. (CVE-2023-4004)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1150305

https://bugzilla.suse.com/1187829

https://bugzilla.suse.com/1193629

https://bugzilla.suse.com/1194869

https://bugzilla.suse.com/1206418

https://bugzilla.suse.com/1207129

https://bugzilla.suse.com/1207894

https://bugzilla.suse.com/1207948

https://bugzilla.suse.com/1208788

https://bugzilla.suse.com/1210335

https://bugzilla.suse.com/1210565

https://bugzilla.suse.com/1210584

https://bugzilla.suse.com/1210627

https://bugzilla.suse.com/1210780

https://bugzilla.suse.com/1210825

https://bugzilla.suse.com/1210853

https://bugzilla.suse.com/1211014

https://bugzilla.suse.com/1211131

https://bugzilla.suse.com/1211243

https://bugzilla.suse.com/1211738

https://bugzilla.suse.com/1211811

https://bugzilla.suse.com/1211867

https://bugzilla.suse.com/1212051

https://bugzilla.suse.com/1212256

https://bugzilla.suse.com/1212265

https://bugzilla.suse.com/1212301

https://bugzilla.suse.com/1212445

https://bugzilla.suse.com/1212456

https://bugzilla.suse.com/1212502

https://bugzilla.suse.com/1212525

https://bugzilla.suse.com/1212603

https://bugzilla.suse.com/1212604

https://bugzilla.suse.com/1212685

https://bugzilla.suse.com/1212766

https://bugzilla.suse.com/1212835

https://bugzilla.suse.com/1212838

https://bugzilla.suse.com/1212842

https://bugzilla.suse.com/1212846

https://bugzilla.suse.com/1212848

https://bugzilla.suse.com/1212861

https://bugzilla.suse.com/1212869

https://bugzilla.suse.com/1212892

https://bugzilla.suse.com/1212901

https://bugzilla.suse.com/1212905

https://bugzilla.suse.com/1212961

https://bugzilla.suse.com/1213010

https://bugzilla.suse.com/1213011

https://bugzilla.suse.com/1213012

https://bugzilla.suse.com/1213013

https://bugzilla.suse.com/1213014

https://bugzilla.suse.com/1213015

https://bugzilla.suse.com/1213016

https://bugzilla.suse.com/1213017

https://bugzilla.suse.com/1213018

https://bugzilla.suse.com/1213019

https://bugzilla.suse.com/1213020

https://bugzilla.suse.com/1213021

https://bugzilla.suse.com/1213024

https://bugzilla.suse.com/1213025

https://bugzilla.suse.com/1213032

https://bugzilla.suse.com/1213034

https://bugzilla.suse.com/1213035

https://bugzilla.suse.com/1213036

https://bugzilla.suse.com/1213037

https://bugzilla.suse.com/1213038

https://bugzilla.suse.com/1213039

https://bugzilla.suse.com/1213040

https://bugzilla.suse.com/1213041

https://bugzilla.suse.com/1213059

https://bugzilla.suse.com/1213061

https://bugzilla.suse.com/1213087

https://bugzilla.suse.com/1213088

https://bugzilla.suse.com/1213089

https://bugzilla.suse.com/1213090

https://bugzilla.suse.com/1213092

https://bugzilla.suse.com/1213093

https://bugzilla.suse.com/1213094

https://bugzilla.suse.com/1213095

https://bugzilla.suse.com/1213096

https://bugzilla.suse.com/1213098

https://bugzilla.suse.com/1213099

https://bugzilla.suse.com/1213100

https://bugzilla.suse.com/1213102

https://bugzilla.suse.com/1213103

https://bugzilla.suse.com/1213104

https://bugzilla.suse.com/1213105

https://bugzilla.suse.com/1213106

https://bugzilla.suse.com/1213107

https://bugzilla.suse.com/1213108

https://bugzilla.suse.com/1213109

https://bugzilla.suse.com/1213110

https://bugzilla.suse.com/1213111

https://bugzilla.suse.com/1213112

https://bugzilla.suse.com/1213113

https://bugzilla.suse.com/1213114

https://bugzilla.suse.com/1213116

https://bugzilla.suse.com/1213134

https://bugzilla.suse.com/1213167

https://bugzilla.suse.com/1213205

https://bugzilla.suse.com/1213206

https://bugzilla.suse.com/1213226

https://bugzilla.suse.com/1213233

https://bugzilla.suse.com/1213245

https://bugzilla.suse.com/1213247

https://bugzilla.suse.com/1213252

https://bugzilla.suse.com/1213258

https://bugzilla.suse.com/1213259

https://bugzilla.suse.com/1213263

https://bugzilla.suse.com/1213264

https://bugzilla.suse.com/1213272

https://bugzilla.suse.com/1213286

https://bugzilla.suse.com/1213287

https://bugzilla.suse.com/1213304

https://bugzilla.suse.com/1213417

https://bugzilla.suse.com/1213493

https://bugzilla.suse.com/1213523

https://bugzilla.suse.com/1213524

https://bugzilla.suse.com/1213533

https://bugzilla.suse.com/1213543

https://bugzilla.suse.com/1213578

https://bugzilla.suse.com/1213585

https://bugzilla.suse.com/1213586

https://bugzilla.suse.com/1213588

https://bugzilla.suse.com/1213601

https://bugzilla.suse.com/1213620

https://bugzilla.suse.com/1213632

https://bugzilla.suse.com/1213653

https://bugzilla.suse.com/1213705

https://bugzilla.suse.com/1213713

https://bugzilla.suse.com/1213715

https://bugzilla.suse.com/1213747

https://bugzilla.suse.com/1213756

https://bugzilla.suse.com/1213759

https://bugzilla.suse.com/1213777

https://bugzilla.suse.com/1213810

https://bugzilla.suse.com/1213812

https://bugzilla.suse.com/1213856

https://bugzilla.suse.com/1213857

https://bugzilla.suse.com/1213863

https://bugzilla.suse.com/1213867

https://bugzilla.suse.com/1213870

https://bugzilla.suse.com/1213871

https://bugzilla.suse.com/1213872

https://lists.suse.com/pipermail/sle-updates/2023-August/030995.html

https://www.suse.com/security/cve/CVE-2022-40982

https://www.suse.com/security/cve/CVE-2023-0459

https://www.suse.com/security/cve/CVE-2023-1829

https://www.suse.com/security/cve/CVE-2023-20569

https://www.suse.com/security/cve/CVE-2023-20593

https://www.suse.com/security/cve/CVE-2023-21400

https://www.suse.com/security/cve/CVE-2023-2156

https://www.suse.com/security/cve/CVE-2023-2166

https://www.suse.com/security/cve/CVE-2023-2430

https://www.suse.com/security/cve/CVE-2023-2985

https://www.suse.com/security/cve/CVE-2023-3090

https://www.suse.com/security/cve/CVE-2023-31083

https://www.suse.com/security/cve/CVE-2023-3111

https://www.suse.com/security/cve/CVE-2023-3117

https://www.suse.com/security/cve/CVE-2023-31248

https://www.suse.com/security/cve/CVE-2023-3212

https://www.suse.com/security/cve/CVE-2023-3268

https://www.suse.com/security/cve/CVE-2023-3389

https://www.suse.com/security/cve/CVE-2023-3390

https://www.suse.com/security/cve/CVE-2023-35001

https://www.suse.com/security/cve/CVE-2023-3567

https://www.suse.com/security/cve/CVE-2023-3609

https://www.suse.com/security/cve/CVE-2023-3611

https://www.suse.com/security/cve/CVE-2023-3776

https://www.suse.com/security/cve/CVE-2023-3812

https://www.suse.com/security/cve/CVE-2023-38409

https://www.suse.com/security/cve/CVE-2023-3863

https://www.suse.com/security/cve/CVE-2023-4004

Plugin Details

Severity: High

ID: 179825

File Name: suse_SU-2023-3302-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 8/15/2023

Updated: 8/22/2023

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-20569

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2023-4004

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-livepatch-5_14_21-150500_13_11-rt, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/14/2023

Vulnerability Publication Date: 12/1/2022

Reference Information

CVE: CVE-2022-40982, CVE-2023-0459, CVE-2023-1829, CVE-2023-20569, CVE-2023-20593, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-2430, CVE-2023-2985, CVE-2023-3090, CVE-2023-31083, CVE-2023-3111, CVE-2023-3117, CVE-2023-31248, CVE-2023-3212, CVE-2023-3268, CVE-2023-3389, CVE-2023-3390, CVE-2023-35001, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-3812, CVE-2023-38409, CVE-2023-3863, CVE-2023-4004

SuSE: SUSE-SU-2023:3302-1