CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.9%
The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3584-1 advisory.
In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
AndroidVersions: Android kernelAndroid ID: A-216481035References: Upstream kernel (CVE-2022-20008)
Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)
An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. (CVE-2022-2663)
A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-3239)
A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition (CVE-2022-3303)
An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)
In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. (CVE-2022-41218)
drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach. (CVE-2022-41848)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2022:3584-1. The text itself
# is copyright (C) SUSE.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(166188);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/13");
script_cve_id(
"CVE-2022-2503",
"CVE-2022-2663",
"CVE-2022-3239",
"CVE-2022-3303",
"CVE-2022-20008",
"CVE-2022-39188",
"CVE-2022-41218",
"CVE-2022-41848"
);
script_xref(name:"SuSE", value:"SUSE-SU-2022:3584-1");
script_name(english:"SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3584-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as
referenced in the SUSE-SU-2022:3584-1 advisory.
- In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized
data. This could lead to local information disclosure if reading from an SD card that triggers errors,
with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
AndroidVersions: Android kernelAndroid ID: A-216481035References: Upstream kernel (CVE-2022-20008)
- Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to
restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently
allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass
verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and
unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for
peripherals that do not verify firmware updates. We recommend upgrading past commit
4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)
- An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and
incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted
IRC with nf_conntrack_irc configured. (CVE-2022-2663)
- A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers
em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system
or potentially escalate their privileges on the system. (CVE-2022-3239)
- A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead
to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or
member of the audio group) could use this flaw to crash the system, resulting in a denial of service
condition (CVE-2022-3303)
- An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race
condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale
TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)
- In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused
by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. (CVE-2022-41218)
- drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant
use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race
condition between mgslpc_ioctl and mgslpc_detach. (CVE-2022-41848)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1124235");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1129770");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1154048");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1190317");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1199564");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1201309");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202097");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202385");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202677");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202960");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203098");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203107");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203410");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203424");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203462");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203552");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203769");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203933");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203935");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203987");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-20008");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-2503");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-2663");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-3239");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-3303");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-39188");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-41218");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-41848");
# https://lists.suse.com/pipermail/sle-security-updates/2022-October/012540.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e818b059");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-20008");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-3239");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/10");
script_set_attribute(attribute:"patch_publication_date", value:"2022/10/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/18");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-azure");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-azure-base");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-azure-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-devel-azure");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source-azure");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms-azure");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12|SLES_SAP12)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12 / SLES_SAP12', 'SUSE (' + os_ver + ')');
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(5)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES12 SP5", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP12" && (! preg(pattern:"^(5)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP12 SP5", os_ver + " SP" + service_pack);
var pkgs = [
{'reference':'kernel-azure-4.12.14-16.112.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'kernel-azure-base-4.12.14-16.112.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'kernel-azure-devel-4.12.14-16.112.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'kernel-devel-azure-4.12.14-16.112.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'kernel-source-azure-4.12.14-16.112.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'kernel-syms-azure-4.12.14-16.112.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'kernel-azure-4.12.14-16.112.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'kernel-azure-base-4.12.14-16.112.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'kernel-azure-devel-4.12.14-16.112.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'kernel-devel-azure-4.12.14-16.112.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'kernel-source-azure-4.12.14-16.112.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'kernel-syms-azure-4.12.14-16.112.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']}
];
var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var exists_check = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && _release) {
if (exists_check) {
var check_flag = 0;
foreach var check (exists_check) {
if (!rpm_exists(release:_release, rpm:check)) continue;
check_flag++;
}
if (!check_flag) continue;
}
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-azure / kernel-azure-base / kernel-azure-devel / etc');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20008
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2503
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3239
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39188
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41218
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41848
www.nessus.org/u?e818b059
bugzilla.suse.com/1124235
bugzilla.suse.com/1129770
bugzilla.suse.com/1154048
bugzilla.suse.com/1190317
bugzilla.suse.com/1199564
bugzilla.suse.com/1201309
bugzilla.suse.com/1202097
bugzilla.suse.com/1202385
bugzilla.suse.com/1202677
bugzilla.suse.com/1202960
bugzilla.suse.com/1203098
bugzilla.suse.com/1203107
bugzilla.suse.com/1203410
bugzilla.suse.com/1203424
bugzilla.suse.com/1203462
bugzilla.suse.com/1203552
bugzilla.suse.com/1203769
bugzilla.suse.com/1203933
bugzilla.suse.com/1203935
bugzilla.suse.com/1203987
www.suse.com/security/cve/CVE-2022-20008
www.suse.com/security/cve/CVE-2022-2503
www.suse.com/security/cve/CVE-2022-2663
www.suse.com/security/cve/CVE-2022-3239
www.suse.com/security/cve/CVE-2022-3303
www.suse.com/security/cve/CVE-2022-39188
www.suse.com/security/cve/CVE-2022-41218
www.suse.com/security/cve/CVE-2022-41848
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.9%