The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2231-1 advisory.

  - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.
    L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after     running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can     execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past     commit 2e7eab81425a (CVE-2022-2196)

  - A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with     capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from     a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges     on the system. (CVE-2023-0386)

  - A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local     user could use this flaw to crash the system or potentially escalate their privileges on the system.
    (CVE-2023-1670)

  - A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware     Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system     due to a race problem. This vulnerability could even lead to a kernel information leak problem.
    (CVE-2023-1855)

  - A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In     this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on     hdev devices. (CVE-2023-1989)

  - A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw     could allow an attacker to crash the system due to a race problem. (CVE-2023-1990)

  - The Linux kernel allows userspace processes to enable mitigations by calling prctl with     PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed     that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to     attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be     observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened     because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that     STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection.
    However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons,     which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target     injection against which STIBP protects. (CVE-2023-1998)

  - A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault     handler. The issue results from the lack of proper validation of user-supplied data, which can result in a     memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges     and execute arbitrary code in the context of the kernel. (CVE-2023-2008)

  - A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This     issue results from the improper management of a reference count. This may allow an attacker to create a     denial of service condition on the system. (CVE-2023-2019)

  - A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux     Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem     to crash the system or escalation of privilege. (CVE-2023-2176)

  - A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve     local privilege escalation. The perf_group_detach function did not check the event's siblings'     attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call     list_del_event() on before detaching from their group, making it possible to use a dangling pointer     causing a use-after-free vulnerability. We recommend upgrading past commit     fd0815f632c24878e325821943edccc7fde947a2. (CVE-2023-2235)

  - In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c     misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is     actually an error pointer). (CVE-2023-23006)

  - The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in     drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.
    (CVE-2023-30772)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2023:2231-1)

high Nessus Plugin ID 176059

Version 1.3

Version 1.2

Version 1.0

Version 1.3 Oct 4, 2023, 4:16 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C") Exploit attributes ("Exploited by malware" set to "True") Plugin Feed: 202310041616
Version 1.2 Aug 23, 2023, 4:09 PM Exploit attributes ("Exploit framework core" set to "True") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Plugin Feed: 202308231609
Version 1.0 May 18, 2023, 1:02 PM New Plugin Feed: 202305181302