SUSE SLED15 / SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2023:3971-1)

high Nessus Plugin ID 182572

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3971-1 advisory.

- A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). (CVE-2022-38457)

- A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). (CVE-2022-40133)

- The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
(CVE-2023-2007)

- A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. (CVE-2023-20588)

- The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
(CVE-2023-34319)

- A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

- An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c. (CVE-2023-37453)

- A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

- A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
This flaw allows a local user with special privileges to impact a kernel information leak issue.
(CVE-2023-3863)

- An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)

- A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue. (CVE-2023-4128)

- A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4133)

- A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
(CVE-2023-4147)

- A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and that turns out to not be accurate. (CVE-2023-4194)

- A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack. (CVE-2023-4273)

- A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem. (CVE-2023-4387)

- A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
(CVE-2023-4459)

- A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak. (CVE-2023-4569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1023051

https://bugzilla.suse.com/1120059

https://bugzilla.suse.com/1177719

https://bugzilla.suse.com/1188885

https://bugzilla.suse.com/1193629

https://bugzilla.suse.com/1194869

https://bugzilla.suse.com/1203329

https://bugzilla.suse.com/1203330

https://bugzilla.suse.com/1205462

https://bugzilla.suse.com/1206453

https://bugzilla.suse.com/1208902

https://bugzilla.suse.com/1208949

https://bugzilla.suse.com/1209284

https://bugzilla.suse.com/1209799

https://bugzilla.suse.com/1210048

https://bugzilla.suse.com/1210448

https://bugzilla.suse.com/1211220

https://bugzilla.suse.com/1212091

https://bugzilla.suse.com/1212142

https://bugzilla.suse.com/1212423

https://bugzilla.suse.com/1212526

https://bugzilla.suse.com/1212857

https://bugzilla.suse.com/1212873

https://bugzilla.suse.com/1213026

https://bugzilla.suse.com/1213123

https://bugzilla.suse.com/1213546

https://bugzilla.suse.com/1213580

https://bugzilla.suse.com/1213601

https://bugzilla.suse.com/1213666

https://bugzilla.suse.com/1213733

https://bugzilla.suse.com/1213757

https://bugzilla.suse.com/1213759

https://bugzilla.suse.com/1213916

https://bugzilla.suse.com/1213921

https://bugzilla.suse.com/1213927

https://bugzilla.suse.com/1213946

https://bugzilla.suse.com/1213949

https://bugzilla.suse.com/1213968

https://bugzilla.suse.com/1213970

https://bugzilla.suse.com/1213971

https://bugzilla.suse.com/1214000

https://bugzilla.suse.com/1214019

https://bugzilla.suse.com/1214073

https://bugzilla.suse.com/1214120

https://bugzilla.suse.com/1214149

https://bugzilla.suse.com/1214180

https://bugzilla.suse.com/1214233

https://bugzilla.suse.com/1214238

https://bugzilla.suse.com/1214285

https://bugzilla.suse.com/1214297

https://bugzilla.suse.com/1214299

https://bugzilla.suse.com/1214305

https://bugzilla.suse.com/1214350

https://bugzilla.suse.com/1214368

https://bugzilla.suse.com/1214370

https://bugzilla.suse.com/1214371

https://bugzilla.suse.com/1214372

https://bugzilla.suse.com/1214380

https://bugzilla.suse.com/1214386

https://bugzilla.suse.com/1214392

https://bugzilla.suse.com/1214393

https://bugzilla.suse.com/1214397

https://bugzilla.suse.com/1214404

https://bugzilla.suse.com/1214428

https://bugzilla.suse.com/1214451

https://bugzilla.suse.com/1214635

https://bugzilla.suse.com/1214659

https://bugzilla.suse.com/1214661

https://bugzilla.suse.com/1214727

https://bugzilla.suse.com/1214729

https://bugzilla.suse.com/1214742

https://bugzilla.suse.com/1214743

https://bugzilla.suse.com/1214756

https://bugzilla.suse.com/1214976

https://bugzilla.suse.com/1215522

https://bugzilla.suse.com/1215523

https://bugzilla.suse.com/1215552

https://bugzilla.suse.com/1215553

http://www.nessus.org/u?8fa41c0d

https://www.suse.com/security/cve/CVE-2022-38457

https://www.suse.com/security/cve/CVE-2022-40133

https://www.suse.com/security/cve/CVE-2023-2007

https://www.suse.com/security/cve/CVE-2023-20588

https://www.suse.com/security/cve/CVE-2023-34319

https://www.suse.com/security/cve/CVE-2023-3610

https://www.suse.com/security/cve/CVE-2023-37453

https://www.suse.com/security/cve/CVE-2023-3772

https://www.suse.com/security/cve/CVE-2023-3863

https://www.suse.com/security/cve/CVE-2023-40283

https://www.suse.com/security/cve/CVE-2023-4128

https://www.suse.com/security/cve/CVE-2023-4133

https://www.suse.com/security/cve/CVE-2023-4134

https://www.suse.com/security/cve/CVE-2023-4147

https://www.suse.com/security/cve/CVE-2023-4194

https://www.suse.com/security/cve/CVE-2023-4273

https://www.suse.com/security/cve/CVE-2023-4387

https://www.suse.com/security/cve/CVE-2023-4459

https://www.suse.com/security/cve/CVE-2023-4563

https://www.suse.com/security/cve/CVE-2023-4569

Plugin Details

Severity: High

ID: 182572

File Name: suse_SU-2023-3971-1.nasl

Version: 1.0

Type: local

Agent: unix

Published: 10/5/2023

Updated: 10/5/2023

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-4147

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-livepatch-5_14_21-150500_55_28-default, p-cpe:/a:novell:suse_linux:kernel-macros, p-cpe:/a:novell:suse_linux:kernel-zfcpdump, p-cpe:/a:novell:suse_linux:kernel-64kb-devel, p-cpe:/a:novell:suse_linux:ocfs2-kmp-default, p-cpe:/a:novell:suse_linux:dlm-kmp-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-livepatch, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-devel, p-cpe:/a:novell:suse_linux:gfs2-kmp-default, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-default-extra, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:reiserfs-kmp-default, p-cpe:/a:novell:suse_linux:kernel-default-livepatch-devel, p-cpe:/a:novell:suse_linux:cluster-md-kmp-default, p-cpe:/a:novell:suse_linux:kernel-obs-build, p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-64kb

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/4/2023

Vulnerability Publication Date: 9/9/2022

Reference Information

CVE: CVE-2022-38457, CVE-2022-40133, CVE-2023-2007, CVE-2023-20588, CVE-2023-34319, CVE-2023-3610, CVE-2023-37453, CVE-2023-3772, CVE-2023-3863, CVE-2023-40283, CVE-2023-4128, CVE-2023-4133, CVE-2023-4134, CVE-2023-4147, CVE-2023-4194, CVE-2023-4273, CVE-2023-4387, CVE-2023-4459, CVE-2023-4563, CVE-2023-4569

SuSE: SUSE-SU-2023:3971-1