The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3648-1 advisory.
An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations. (CVE-2022-39189)
mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move. (CVE-2022-41222)
An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. (CVE-2022-41674)
A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. (CVE-2022-42719)
Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after- free conditions to potentially execute code. (CVE-2022-42720)
A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code. (CVE-2022-42721)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2022:3648-1. The text itself
# is copyright (C) SUSE.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(166247);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/13");
script_cve_id(
"CVE-2022-39189",
"CVE-2022-41222",
"CVE-2022-41674",
"CVE-2022-42719",
"CVE-2022-42720",
"CVE-2022-42721"
);
script_xref(name:"SuSE", value:"SUSE-SU-2022:3648-1");
script_name(english:"SUSE SLES15 Security Update : kernel (Live Patch 11 for SLE 15 SP3) (SUSE-SU-2022:3648-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as
referenced in the SUSE-SU-2022:3648-1 advisory.
- An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users
can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED
situations. (CVE-2022-39189)
- mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is
not held during a PUD move. (CVE-2022-41222)
- An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could
cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. (CVE-2022-41674)
- A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through
5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and
potentially execute code. (CVE-2022-42719)
- Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through
5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-
free conditions to potentially execute code. (CVE-2022-42720)
- A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before
5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in
turn, potentially execute code. (CVE-2022-42721)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203067");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203624");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1203994");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1204290");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1204291");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1204292");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-39189");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-41222");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-41674");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-42719");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-42720");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-42721");
# https://lists.suse.com/pipermail/sle-security-updates/2022-October/012567.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7184e246");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel-livepatch-5_3_18-150200_24_126-default and / or kernel-livepatch-5_3_18-59_40-default
packages.");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-42719");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/09/02");
script_set_attribute(attribute:"patch_publication_date", value:"2022/10/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/19");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-livepatch-5_3_18-150200_24_126-default");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-livepatch-5_3_18-59_40-default");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15|SLES_SAP15)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / SLES_SAP15', 'SUSE (' + os_ver + ')');
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(2|3)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP2/3", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP15" && (! preg(pattern:"^(2|3)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP15 SP2/3", os_ver + " SP" + service_pack);
var pkgs = [
{'reference':'kernel-livepatch-5_3_18-150200_24_126-default-4-150200.2.1', 'sp':'2', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},
{'reference':'kernel-livepatch-5_3_18-59_40-default-16-150300.2.2', 'sp':'3', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'kernel-livepatch-5_3_18-150200_24_126-default-4-150200.2.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.2', 'sle-module-live-patching-release-15.2', 'sles-release-15.2']},
{'reference':'kernel-livepatch-5_3_18-59_40-default-16-150300.2.2', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-live-patching-release-15.3', 'sles-release-15.3']}
];
var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var exists_check = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && _release) {
if (exists_check) {
var check_flag = 0;
foreach var check (exists_check) {
if (!rpm_exists(release:_release, rpm:check)) continue;
check_flag++;
}
if (!check_flag) continue;
}
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-livepatch-5_3_18-150200_24_126-default / etc');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39189
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41222
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41674
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42719
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42720
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42721
www.nessus.org/u?7184e246
bugzilla.suse.com/1203067
bugzilla.suse.com/1203624
bugzilla.suse.com/1203994
bugzilla.suse.com/1204290
bugzilla.suse.com/1204291
bugzilla.suse.com/1204292
www.suse.com/security/cve/CVE-2022-39189
www.suse.com/security/cve/CVE-2022-41222
www.suse.com/security/cve/CVE-2022-41674
www.suse.com/security/cve/CVE-2022-42719
www.suse.com/security/cve/CVE-2022-42720
www.suse.com/security/cve/CVE-2022-42721