SUSE: Security Advisory (SUSE-SU-2019:1829-1)

# SPDX-FileCopyrightText: 2021 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.1.4.2019.1829.1");
  script_cve_id("CVE-2018-16871", "CVE-2018-20836", "CVE-2019-10126", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11599", "CVE-2019-12380", "CVE-2019-12456", "CVE-2019-12614", "CVE-2019-12818", "CVE-2019-12819");
  script_tag(name:"creation_date", value:"2021-06-09 14:57:22 +0000 (Wed, 09 Jun 2021)");
  script_version("2024-02-02T14:37:50+0000");
  script_tag(name:"last_modification", value:"2024-02-02 14:37:50 +0000 (Fri, 02 Feb 2024)");
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2019-06-17 14:11:17 +0000 (Mon, 17 Jun 2019)");

  script_name("SUSE: Security Advisory (SUSE-SU-2019:1829-1)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2021 Greenbone AG");
  script_family("SuSE Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/suse_sles", "ssh/login/rpms", re:"ssh/login/release=(SLES15\.0)");

  script_xref(name:"Advisory-ID", value:"SUSE-SU-2019:1829-1");
  script_xref(name:"URL", value:"https://www.suse.com/support/update/announcement/2019/suse-su-20191829-1/");

  script_tag(name:"summary", value:"The remote host is missing an update for the 'Linux Kernel' package(s) announced via the SUSE-SU-2019:1829-1 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"The SUSE Linux Enterprise 15 kernel version 4.12.14 was updated to receive various security and bugfixes.

The following security bugs were fixed:
CVE-2019-10638: Attackers used to be able to track the Linux kernel by
 the IP ID values the kernel produces for connection-less protocols. When
 such traffic was sent to multiple destination IP addresses, it was
 possible to
 obtain hash collisions (of indices to the counter array) and thereby
 obtain the hashing key (via enumeration). An attack could have been
 conducted by hosting a crafted web page that uses WebRTC or gQUIC to
 force UDP traffic to attacker-controlled IP addresses. [bnc#1140575]
CVE-2019-10639: The Linux kernel used to allow Information Exposure
 (partial kernel address disclosure), leading to a KASLR bypass.
 Specifically, it was possible to extract the KASLR kernel image offset
 using the IP ID values the kernel produces for connection-less
 protocols. When such traffic was sent to multiple destination IP
 addresses, it was possible to obtain hash collisions (of indices to the
 counter array) and thereby obtain the hashing key (via enumeration).
 This key contains enough bits from a kernel address (of a static
 variable) so when the key was extracted (via enumeration), the offset
 of the kernel image was exposed. This attack could be carried out
 remotely by the attacker forcing the target device to send UDP or ICMP
 traffic to attacker-controlled IP addresses. Forcing a server to send
 UDP traffic is trivial if the server is a DNS server. ICMP traffic is
 trivial if the server answers ICMP Echo requests (ping). For client
 targets, if the target visits the attacker's web page, then WebRTC or
 gQUIC can be used to force UDP traffic to attacker-controlled IP
 addresses. [bnc#1140577]
CVE-2018-20836: A race condition used to exist in smp_task_timedout()
 and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a
 use-after-free. [bnc#1134395]
CVE-2019-10126: A heap based buffer overflow in the wireless driver code
 was fixed. This issue might have lead to memory corruption and possibly
 other consequences. [bnc#1136935]
CVE-2019-11599: The coredump implementation did not use locking or other
 mechanisms to prevent vma layout or vma flags changes while it ran,
 which allowed local users to obtain sensitive information, cause a
 denial of service, or possibly have unspecified other impact by
 triggering a race condition with mmget_not_zero or get_task_mm calls.
 [bnc#1131645].
CVE-2019-12614: There was an unchecked kstrdup of prop->name on PowerPC
 platforms, which allowed an attacker to cause a denial of service (NULL
 pointer dereference and system crash). [bnc#1137194]
CVE-2018-16871: A flaw was found in the NFS implementation. An attacker
 who was able to mount an exported NFS filesystem was able to trigger a
 null pointer dereference by an invalid NFS sequence. This could panic
 the machine ... [Please see the references for more information on the vulnerabilities]");

  script_tag(name:"affected", value:"'Linux Kernel' package(s) on SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1, SUSE Linux Enterprise Module for Public Cloud 15.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "SLES15.0") {

  if(!isnull(res = isrpmvuln(pkg:"kernel-azure", rpm:"kernel-azure~4.12.14~5.33.1", rls:"SLES15.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-azure-base", rpm:"kernel-azure-base~4.12.14~5.33.1", rls:"SLES15.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-azure-base-debuginfo", rpm:"kernel-azure-base-debuginfo~4.12.14~5.33.1", rls:"SLES15.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-azure-debuginfo", rpm:"kernel-azure-debuginfo~4.12.14~5.33.1", rls:"SLES15.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-azure-devel", rpm:"kernel-azure-devel~4.12.14~5.33.1", rls:"SLES15.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-devel-azure", rpm:"kernel-devel-azure~4.12.14~5.33.1", rls:"SLES15.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-source-azure", rpm:"kernel-source-azure~4.12.14~5.33.1", rls:"SLES15.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-syms-azure", rpm:"kernel-syms-azure~4.12.14~5.33.1", rls:"SLES15.0"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);