The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3324-1 advisory.
In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq’s, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load. (CVE-2018-20784)
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-40982)
Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the access_ok check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47. (CVE-2023-0459)
A flaw was found in the Linux kernel's x86 CPU power management code: when a user resumes the system from suspend-to-RAM, the boot CPU could be left vulnerable to speculative execution attacks. A local user could use this flaw to potentially gain unauthorized access to some memory of the CPU, similar to other speculative execution attacks. (CVE-2023-1637)
A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. (CVE-2023-20569)
An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. (CVE-2023-20593)
A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem. (CVE-2023-2985)
A NULL pointer dereference vulnerability was found in netlink_dump. This issue can occur when the Netlink socket receives the message(sendmsg) for the XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type message, and the DUMP flag is set and can cause a denial of service or possibly another unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2023-3106)
An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information. (CVE-2023-3268)
Linux kernel nftables out-of-bounds read/write vulnerability: nft_byteorder poorly handled VM register contents when CAP_NET_ADMIN is held in any user or network namespace. (CVE-2023-35001)
A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal kernel information. (CVE-2023-3567)
An out-of-bounds write vulnerability in the Linux kernel’s net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out- of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f. (CVE-2023-3776)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2023:3324-1. The text itself
# is copyright (C) SUSE.
##

include('compat.inc');

if (description)
{
  script_id(179914);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/17");

  script_cve_id(
    "CVE-2018-3639",
    "CVE-2018-20784",
    "CVE-2022-40982",
    "CVE-2023-0459",
    "CVE-2023-1637",
    "CVE-2023-2985",
    "CVE-2023-3106",
    "CVE-2023-3268",
    "CVE-2023-3567",
    "CVE-2023-3611",
    "CVE-2023-3776",
    "CVE-2023-20569",
    "CVE-2023-20593",
    "CVE-2023-35001"
  );
  script_xref(name:"SuSE", value:"SUSE-SU-2023:3324-1");

  script_name(english:"SUSE SLES12 Security Update : kernel (SUSE-SU-2023:3324-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in
the SUSE-SU-2023:3324-1 advisory.

  - In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to
    cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other
    impact by inducing a high load. (CVE-2018-20784)

  - Systems with microprocessors utilizing speculative execution and speculative execution of memory reads
    before the addresses of all prior memory writes are known may allow unauthorized disclosure of information
    to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),
    Variant 4. (CVE-2018-3639)

  - Information exposure through microarchitectural state after transient execution in certain vector
    execution units for some Intel(R) Processors may allow an authenticated user to potentially enable
    information disclosure via local access. (CVE-2022-40982)

  - Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec
    allowing a user to bypass the access_ok check and pass a kernel pointer to copy_from_user(). This would
    allow an attacker to leak information. We recommend upgrading beyond commit
    74e19ef0ff8061ef55957c3abd71614ef0f42f47 (CVE-2023-0459)

  - A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the
    Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from
    suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of
    the CPU similar to the speculative execution behavior kind of attacks. (CVE-2023-1637)

  - A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address
    prediction. This may result in speculative execution at an attacker-controlled address, potentially
    leading to information disclosure. (CVE-2023-20569)

  - An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to
    potentially access sensitive information. (CVE-2023-20593)

  - A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw
    could allow a local user to cause a denial of service problem. (CVE-2023-2985)

  - A NULL pointer dereference vulnerability was found in netlink_dump. This issue can occur when the Netlink
    socket receives the message(sendmsg) for the XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type message, and the DUMP
    flag is set and can cause a denial of service or possibly another unspecified impact. Due to the nature of
    the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2023-3106)

  - An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in
    kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel
    internal information. (CVE-2023-3268)

  - Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register
    contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

  - A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux
    Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal
    kernel information. (CVE-2023-3567)

  - An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited
    to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-
    of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend
    upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to
    achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an
    error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can
    control the reference counter and set it to zero, they can cause the reference to be freed, leading to a
    use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
    (CVE-2023-3776)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1087082");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1126703");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1206418");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1207561");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1209779");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1210584");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1211738");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1211867");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1212502");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1213059");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1213167");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1213251");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1213286");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1213287");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1213585");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1213588");
  script_set_attribute(attribute:"see_also", value:"https://lists.suse.com/pipermail/sle-updates/2023-August/031024.html");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-20784");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-3639");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-40982");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-0459");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-1637");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-20569");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-20593");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-2985");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-3106");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-3268");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-35001");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-3567");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-3611");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-3776");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  # Scores are taken from the highest-scoring CVE in the set (see cvss_score_source).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20784");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/08/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-macros");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Only SLES12 is in scope for this advisory; bail out on any other release.
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE (' + os_ver + ')');

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);

# The fixed packages target SLES12 SP2 only.
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + service_pack);

# Fixed package versions; 'exists_check' restricts each check to hosts that
# carry the BCL (Business Critical Linux) release package.
var pkgs = [
    {'reference':'kernel-default-4.4.121-92.208.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},
    {'reference':'kernel-default-base-4.4.121-92.208.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},
    {'reference':'kernel-default-devel-4.4.121-92.208.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},
    {'reference':'kernel-devel-4.4.121-92.208.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},
    {'reference':'kernel-macros-4.4.121-92.208.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},
    {'reference':'kernel-source-4.4.121-92.208.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},
    {'reference':'kernel-syms-4.4.121-92.208.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']}
];

var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var exists_check = NULL;
  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && _release) {
    # Skip the check entirely when none of the prerequisite packages is installed.
    if (exists_check) {
      var check_flag = 0;
      foreach var check (exists_check) {
        if (!rpm_exists(release:_release, rpm:check)) continue;
        check_flag++;
      }
      if (!check_flag) continue;
    }
    # Installed version older than the fixed reference -> vulnerable.
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-default / kernel-default-base / kernel-default-devel / etc');
}
```
| Vendor | Product | Version | CPE |
|---|---|---|---|
| novell | suse_linux | 12 | cpe:/o:novell:suse_linux:12 |
| novell | suse_linux | kernel-default | p-cpe:/a:novell:suse_linux:kernel-default |
| novell | suse_linux | kernel-default-base | p-cpe:/a:novell:suse_linux:kernel-default-base |
| novell | suse_linux | kernel-default-devel | p-cpe:/a:novell:suse_linux:kernel-default-devel |
| novell | suse_linux | kernel-devel | p-cpe:/a:novell:suse_linux:kernel-devel |
| novell | suse_linux | kernel-macros | p-cpe:/a:novell:suse_linux:kernel-macros |
| novell | suse_linux | kernel-source | p-cpe:/a:novell:suse_linux:kernel-source |
| novell | suse_linux | kernel-syms | p-cpe:/a:novell:suse_linux:kernel-syms |