The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4801-1 advisory.
Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (CVE-2023-2163)
A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain’s owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
(CVE-2023-3777)
A use-after-free vulnerability in the Linux kernel’s af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer’s recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c. (CVE-2023-4622)
A use-after-free vulnerability in the Linux kernel’s fs/smb/client component can be exploited to achieve local privilege escalation. In case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free. We recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705. (CVE-2023-5345)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2023:4801-1. The text itself
# is copyright (C) SUSE.
##
include('compat.inc');
if (description)
{
script_id(186880);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/21");
script_cve_id(
"CVE-2023-2163",
"CVE-2023-3777",
"CVE-2023-4622",
"CVE-2023-5345"
);
script_xref(name:"SuSE", value:"SUSE-SU-2023:4801-1");
script_name(english:"SUSE SLES15 Security Update : kernel (Live Patch 18 for SLE 15 SP4) (SUSE-SU-2023:4801-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in
the SUSE-SU-2023:4801-1 advisory.
- Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly
marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and
container escape. (CVE-2023-2163)
- A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to
achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked
whether the chain is bound and the chain's owner rule can also release the objects in certain
circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
(CVE-2023-3777)
- A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local
privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's
recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an
skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend
upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c. (CVE-2023-4622)
- A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve
local privilege escalation. In case of an error in smb3_fs_context_parse_param, ctx->password was freed
but the field was not set to NULL which could lead to double free. We recommend upgrading past commit
e6e43b8aa7cd3c3af686caf0c2e11819a886d705. (CVE-2023-5345)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1215097");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1215442");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1215519");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1215971");
# https://lists.suse.com/pipermail/sle-security-updates/2023-December/017337.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cf5fdeba");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-2163");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-3777");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-4622");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-5345");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel-livepatch-5_14_21-150400_24_88-default package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-5345");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-2163");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/11");
script_set_attribute(attribute:"patch_publication_date", value:"2023/12/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/12/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-livepatch-5_14_21-150400_24_88-default");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE (' + os_ver + ')');
var uname_r = get_kb_item("Host/uname-r");
if (empty_or_null(uname_r)) audit(AUDIT_UNKNOWN_APP_VER, "kernel");
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP4", os_ver + " SP" + service_pack);
var kernel_live_checks = [
{
'kernels': {
'5.14.21-150400.24.88-default': {
'pkgs': [
{'reference':'kernel-livepatch-5_14_21-150400_24_88-default-3-150400.2.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-live-patching-release-15.4']}
]
}
}
}
];
var ltss_caveat_required = FALSE;
var flag = 0;
var kernel_affected = FALSE;
foreach var kernel_array ( kernel_live_checks ) {
var kpatch_details = kernel_array['kernels'][uname_r];
if (empty_or_null(kpatch_details)) continue;
kernel_affected = TRUE;
foreach var package_array ( kpatch_details['pkgs'] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var exists_check = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && _release) {
if (exists_check) {
var check_flag = 0;
foreach var check (exists_check) {
if (!rpm_exists(release:_release, rpm:check)) continue;
check_flag++;
}
if (!check_flag) continue;
}
}
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
# No kpatch details found for the running kernel version
if (!kernel_affected) audit(AUDIT_INST_VER_NOT_VULN, 'kernel', uname_r);
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-livepatch-5_14_21-150400_24_88-default');
}
Vendor | Product | Version | CPE |
---|---|---|---|
novell | suse_linux | kernel-livepatch-5_14_21-150400_24_88-default | p-cpe:/a:novell:suse_linux:kernel-livepatch-5_14_21-150400_24_88-default |
novell | suse_linux | 15 | cpe:/o:novell:suse_linux:15 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2163
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3777
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4622
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5345
www.nessus.org/u?cf5fdeba
bugzilla.suse.com/1215097
bugzilla.suse.com/1215442
bugzilla.suse.com/1215519
bugzilla.suse.com/1215971
www.suse.com/security/cve/CVE-2023-2163
www.suse.com/security/cve/CVE-2023-3777
www.suse.com/security/cve/CVE-2023-4622
www.suse.com/security/cve/CVE-2023-5345