SUSE SLES12 Security Update : kernel (SUSE-SU-2023:4033-1)

high Nessus Plugin ID 182893

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4033-1 advisory.

- An issue was discovered in the Linux kernel before 5.8.6. drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct. (CVE-2020-36766)

- A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. (CVE-2023-1206)

- A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak. (CVE-2023-1859)

- A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure. (CVE-2023-39192)

- A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (CVE-2023-39193)

- A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure. (CVE-2023-39194)

- A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system. (CVE-2023-42754)

- A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c. (CVE-2023-4622)

- A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f. (CVE-2023-4623)

- A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8. (CVE-2023-4921)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1065729

https://bugzilla.suse.com/1109837

https://bugzilla.suse.com/1152446

https://bugzilla.suse.com/1154048

https://bugzilla.suse.com/1208995

https://bugzilla.suse.com/1210169

https://bugzilla.suse.com/1212703

https://bugzilla.suse.com/1213016

https://bugzilla.suse.com/1214157

https://bugzilla.suse.com/1214380

https://bugzilla.suse.com/1214386

https://bugzilla.suse.com/1214586

https://bugzilla.suse.com/1214940

https://bugzilla.suse.com/1214943

https://bugzilla.suse.com/1214945

https://bugzilla.suse.com/1214946

https://bugzilla.suse.com/1214948

https://bugzilla.suse.com/1214949

https://bugzilla.suse.com/1214950

https://bugzilla.suse.com/1214952

https://bugzilla.suse.com/1214953

https://bugzilla.suse.com/1214961

https://bugzilla.suse.com/1214962

https://bugzilla.suse.com/1214964

https://bugzilla.suse.com/1214965

https://bugzilla.suse.com/1214966

https://bugzilla.suse.com/1214967

https://bugzilla.suse.com/1215115

https://bugzilla.suse.com/1215117

https://bugzilla.suse.com/1215121

https://bugzilla.suse.com/1215122

https://bugzilla.suse.com/1215136

https://bugzilla.suse.com/1215149

https://bugzilla.suse.com/1215152

https://bugzilla.suse.com/1215162

https://bugzilla.suse.com/1215164

https://bugzilla.suse.com/1215165

https://bugzilla.suse.com/1215207

https://bugzilla.suse.com/1215221

https://bugzilla.suse.com/1215275

https://bugzilla.suse.com/1215299

https://bugzilla.suse.com/1215467

https://bugzilla.suse.com/1215607

https://bugzilla.suse.com/1215634

https://bugzilla.suse.com/1215858

https://bugzilla.suse.com/1215860

https://bugzilla.suse.com/1215861

https://bugzilla.suse.com/1215877

https://bugzilla.suse.com/1215897

https://bugzilla.suse.com/1215898

https://bugzilla.suse.com/1215954

http://www.nessus.org/u?20421b41

https://www.suse.com/security/cve/CVE-2020-36766

https://www.suse.com/security/cve/CVE-2023-1192

https://www.suse.com/security/cve/CVE-2023-1206

https://www.suse.com/security/cve/CVE-2023-1859

https://www.suse.com/security/cve/CVE-2023-39192

https://www.suse.com/security/cve/CVE-2023-39193

https://www.suse.com/security/cve/CVE-2023-39194

https://www.suse.com/security/cve/CVE-2023-42754

https://www.suse.com/security/cve/CVE-2023-4622

https://www.suse.com/security/cve/CVE-2023-4623

https://www.suse.com/security/cve/CVE-2023-4881

https://www.suse.com/security/cve/CVE-2023-4921

Plugin Details

Severity: High

ID: 182893

File Name: suse_SU-2023-4033-1.nasl

Version: 1.0

Type: local

Agent: unix

Published: 10/11/2023

Updated: 10/11/2023

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-4921

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:dlm-kmp-rt, p-cpe:/a:novell:suse_linux:kernel-rt-devel, p-cpe:/a:novell:suse_linux:kernel-source-rt, cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:kernel-rt-base, p-cpe:/a:novell:suse_linux:gfs2-kmp-rt, p-cpe:/a:novell:suse_linux:kernel-syms-rt, p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt, p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel, p-cpe:/a:novell:suse_linux:kernel-rt_debug, p-cpe:/a:novell:suse_linux:kernel-rt, p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt, p-cpe:/a:novell:suse_linux:kernel-devel-rt

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/10/2023

Vulnerability Publication Date: 4/21/2023

Reference Information

CVE: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921

SuSE: SUSE-SU-2023:4033-1