SB2021061533 - SUSE update for the Linux Kernel
Published: June 15, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 52 secuirty vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2019-18814)
The vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when "aa_label_parse()" fails in "aa_audit_rule_init()" in security/apparmor/audit.c. A local user can execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
2) Use-after-free (CVE-ID: CVE-2019-19769)
The vulnerability allows a local privileged user to execute arbitrary code.
In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function (related to include/trace/events/lock.h).
3) Input validation error (CVE-ID: CVE-2020-24586)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in the 802.11 standard due to the affected device does not clear its cache/memory to remove fragments of an incomplete MSDU/MMPDU from previous session after reconnection/reassociation. A remote attacker on the local network can perform a fragment cache attack and perform a denial of service (DoS) attack.
4) Information disclosure (CVE-ID: CVE-2020-24587)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in Windows Wireless Networking. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.
5) Spoofing attack (CVE-ID: CVE-2020-24588)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in Windows Wireless Networking. A remote attacker on the local network can spoof page content.
6) Use-after-free (CVE-ID: CVE-2020-25670)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the NFC LLCP protocol implementation. A local user can perform manipulation with an unknown input for the llcp_sock_bind() function to crash or escalate their privileges on the system.
7) Use-after-free (CVE-ID: CVE-2020-25671)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the NFC LLCP protocol implementation. A local user can trigger the llcp_sock_connect() function to crash or escalate their privileges on the system.
8) Memory leak (CVE-ID: CVE-2020-25672)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in the NFC LLCP protocol implementation when triggering the llcp_sock_connect() function. A remote attacker can force the application to leak memory and perform denial of service attack.
9) Resource exhaustion (CVE-ID: CVE-2020-25673)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper control consumption of internal resources in non-blocking socket in llcp_sock_connect() function. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
10) Input validation error (CVE-ID: CVE-2020-26139)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to forwarding EAPOL frames even though the sender is not yet authenticated. A remote attacker on the local network can cause a denial of service (DoS) condition on the target system.
11) Input validation error (CVE-ID: CVE-2020-26141)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. A remote attacker on the local network can inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
12) Input validation error (CVE-ID: CVE-2020-26145)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. A remote attacker on the local network can inject arbitrary network packets independent of the network configuration.
13) Input validation error (CVE-ID: CVE-2020-26147)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. A remote attacker on the local network can inject packets and/or exfiltrate selected fragments
14) Observable discrepancy (CVE-ID: CVE-2020-27170)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists in kernel/bpf/verifier.c due to kernel performs undesirable out-of-bounds speculation on
pointer arithmetic, leading to side-channel attacks that defeat Spectre
mitigations. A local user can run a specially crafted program to gain access to sensitive information.
15) Off-by-one (CVE-ID: CVE-2020-27171)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to an off-by-one error in kernel/bpf/verifier.c affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations. A local user can run a specially crafted program to gain access to sensitive information on the system.
16) Input validation error (CVE-ID: CVE-2020-27673)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the clear_linked(), consume_one_event(), __evtchn_fifo_handle_events() and evtchn_fifo_percpu_init() functions in drivers/xen/events/events_fifo.c, within the module_param(), DEFINE_RWLOCK(), enable_dynirq(), notify_remote_via_irq(), EXPORT_SYMBOL_GPL(), xen_irq_init(), xen_free_irq(), xen_send_IPI_one(), __xen_evtchn_do_upcall(), xen_setup_callback_vector(), xen_evtchn_cpu_prepare() and xen_init_IRQ() functions in drivers/xen/events/events_base.c, within the active_evtchns() and evtchn_2l_handle_events() functions in drivers/xen/events/events_2l.c. A local user can perform a denial of service (DoS) attack.
17) Out-of-bounds read (CVE-ID: CVE-2020-27815)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in fs/jfs/jfs_dmap.c. A local user can trigger out-of-bounds read error and crash the kernel.
18) Out-of-bounds read (CVE-ID: CVE-2020-35519)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the x25_bind() function in net/x25/af_x25.c in the Linux kernel. A local user can run a specially crafted program to read contents of memory on the system.
19) Infinite loop (CVE-ID: CVE-2020-36310)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in set_memory_region_test in arch/x86/kvm/svm/svm.c. A local user can consume all available system resources and cause denial of service conditions.
20) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-36311)
The vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to an error in arch/x86/kvm/svm/sev.c in Linux kernel, which allows soft lockup by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions).
21) Memory leak (CVE-ID: CVE-2020-36312)
The vulnerability allows a local user to perform DoS attack on the target system.
The vulnerability exists in the KVM hypervisor of the Linux kernel. A local user can force the application to leak memory and perform denial of service attack.
22) Improper Resource Shutdown or Release (CVE-ID: CVE-2020-36322)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists in the FUSE filesystem implementation in the Linux kernel due to fuse_do_getattr() calls make_bad_inode() in inappropriate situations. A local user can run a specially crafted program to trigger kernel crash.
Note, the vulnerability exists due to incomplete fix for #VU58207 (CVE-2021-28950).
23) Input validation error (CVE-ID: CVE-2021-20268)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. A local user can crash the system or escalate privileges on the system.
24) Use-after-free (CVE-ID: CVE-2021-23134)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in nfc sockets in the Linux Kernel. A local user with the CAP_NET_RAW capability can trigger use-after-free and escalate privileges on the system.
25) Information disclosure (CVE-ID: CVE-2021-27363)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the show_transport_handle() shows iSCSI transport handle to non-root users. A local user can gain unauthorized access to sensitive information and use it along with another vulnerability, such as #VU51452, to escalate privileges on the system.
26) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-27364)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to iscsi_if_recv_msg() allows non-root users to connect and send commands to the Linux kernel. A local user can escalate privileges on the system.
27) Buffer overflow (CVE-ID: CVE-2021-27365)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing Netlink messages in Linux kernel through 5.11.3, as certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. A local unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message, trigger memory corruption and execute arbitrary code on the system with elevated privileges.
28) Allocation of resources without limits or throttling (CVE-ID: CVE-2021-28038)
The vulnerability allows a local user to a crash the entire system.
The vulnerability exists due to allocation of resources without limits or throttling error within the xenvif_tx_action() function in drivers/net/xen-netback/netback.c. A local user can a crash the entire system.
29) Missing authorization (CVE-ID: CVE-2021-28375)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to missing authorization error within the fastrpc_internal_invoke() function in drivers/misc/fastrpc.c. A local user can execute arbitrary code.
30) Out-of-bounds write (CVE-ID: CVE-2021-28660)
The vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in the "rtw_wx_set_scan" in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c. A local user can trigger out-of-bounds write and execute arbitrary code on the target system.
31) Improper Initialization (CVE-ID: CVE-2021-28688)
The vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to improper initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. A local user can perform a denial of service attack.
32) Excessive Iteration (CVE-ID: CVE-2021-28950)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive iteration in fs/fuse/fuse_i.h in the Linux kernel. A local user can run a specially crafted program to perform a denial of service attack.
33) Buffer overflow (CVE-ID: CVE-2021-28952)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the sound/soc/qcom/sdm845.c soundwire device driver in Linux kernel. A local user can run a specially crafted program to trigger a buffer overflow, when an unexpected port ID number is encountered, and execute arbitrary code on the system with elevated privileges.
34) Race condition (CVE-ID: CVE-2021-28964)
The vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to a race condition in the get_old_root() function in fs/btrfs/ctree.c component in the Linux kernel. A local user can exploit the race and perform a denial of service attack.
35) Resource exhaustion (CVE-ID: CVE-2021-28971)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to mishandling of PEBS status in a PEBS record In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
36) Buffer overflow (CVE-ID: CVE-2021-28972)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the drivers/pci/hotplug/rpadlpar_sysfs.c. A local administrator can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
37) Command Injection (CVE-ID: CVE-2021-29154)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect computation of branch displacements within the BPF JIT compilers in the Linux kernel in arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. A local user can inject and execute arbitrary commands with elevated privileges.
38) Out-of-bounds read (CVE-ID: CVE-2021-29155)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism. A local, special user privileged (CAP_SYS_ADMIN) BPF program running on affected systems may bypass the protection, and execute speculatively out-of-bounds loads from the kernel memory.
39) Input validation error (CVE-ID: CVE-2021-29264)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the gfar_add_rx_frag() and gfar_clean_rx_ring() functions in drivers/net/ethernet/freescale/gianfar.c. A local user can perform a denial of service (DoS) attack.
40) Race condition (CVE-ID: CVE-2021-29265)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition within the usbip_sockfd_store() function in drivers/usb/usbip/stub_dev.c. A local user can perform a denial of service (DoS) attack.
41) Information disclosure (CVE-ID: CVE-2021-29647)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to an error in qrtr_recvmsg(0 function in net/qrtr/qrtr.c caused by a partially uninitialized data structure. A local user can read sensitive information from kernel memory.
42) Buffer overflow (CVE-ID: CVE-2021-29650)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the netfilter subsystem in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h. A local user can trigger memory corruption upon the assignment of a new table value and cause denial of service.
43) Memory leak (CVE-ID: CVE-2021-30002)
The vulnerability allows a local user to perform DoS attack on the target system.
The vulnerability exists due memory leak within the webcam support driver in video_usercopy() function in drivers/media/v4l2-core/v4l2-ioctl.c in Linux kernel. A local user can trigger leak memory and perform denial of service attack.
44) Race condition (CVE-ID: CVE-2021-32399)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition for removal of the HCI controller within net/bluetooth/hci_request.c in the Linux kernel. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
45) Use-after-free (CVE-ID: CVE-2021-33034)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in net/bluetooth/hci_event.c when destroying an hci_chan. A local user can escalate privileges on the system.
46) Out-of-bounds write (CVE-ID: CVE-2021-33200)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in kernel/bpf/verifier.c. A local user can trigger an out-of-bounds write and escalate privileges on the system.
47) Integer overflow (CVE-ID: CVE-2021-3428)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in fs/ext4/extents.c in ext4_es_cache_extent() function, if an extent tree is corrupted in a crafted ext4 filesystem. A local user can mount a specially crafted filesystem and perform a denial of service (DoS) attack.
48) Out-of-bounds read (CVE-ID: CVE-2021-3444)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to an out-of-bounds read error within the fixup_bpf_calls() function in kernel/bpf/verifier.c. A local user can execute arbitrary code.
49) Use-after-free (CVE-ID: CVE-2021-3483)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the Nosy driver in the Linux kernel. A local user can trigger use-after-free and to escalate privileges on the system.
50) Out-of-bounds read (CVE-ID: CVE-2021-3489)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to an out-of-bounds read error within the __bpf_ringbuf_reserve() function in kernel/bpf/ringbuf.c. A local user can execute arbitrary code.
51) Out-of-bounds write (CVE-ID: CVE-2021-3490)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing untrusted input in bpf. The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the
Linux kernel did not properly update 32-bit bounds, which could be
turned into out of bounds reads and writes in the Linux kernel and
therefore, arbitrary code execution. A local user can run a specially crafted program to trigger an out-of-bounds write and execute arbitrary code with elevated privileges.
52) Out-of-bounds write (CVE-ID: CVE-2021-3491)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS
operation, which led to negative values being used in mem_rw when reading
/proc/<PID>/mem. A local user can trigger a heap overflow and execute arbitrary code with elevated privileges.
Remediation
Install update from vendor's website.