SUSE update for Security Beta update for SUSE Manager Client Tools

Published: 2022-02-02

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2021-39226 CVE-2021-43813
CWE-ID	CWE-284 CWE-22
Exploitation vector	Network
Public exploit	Vulnerability #1 is being exploited in the wild.
Vulnerable software	SUSE Manager Tools Operating systems & Components / Operating system zypp-plugin-spacewalk Operating systems & Components / Operating system package or component suseRegisterInfo Operating systems & Components / Operating system package or component spacewalk-remote-utils Operating systems & Components / Operating system package or component spacewalk-oscap Operating systems & Components / Operating system package or component spacewalk-koan Operating systems & Components / Operating system package or component spacewalk-client-tools Operating systems & Components / Operating system package or component spacewalk-client-setup Operating systems & Components / Operating system package or component spacewalk-check Operating systems & Components / Operating system package or component spacecmd Operating systems & Components / Operating system package or component salt-zsh-completion Operating systems & Components / Operating system package or component salt-fish-completion Operating systems & Components / Operating system package or component salt-bash-completion Operating systems & Components / Operating system package or component python3-zypp-plugin-spacewalk Operating systems & Components / Operating system package or component python3-suseRegisterInfo Operating systems & Components / Operating system package or component python3-spacewalk-oscap Operating systems & Components / Operating system package or component python3-spacewalk-koan Operating systems & Components / Operating system package or component python3-spacewalk-client-tools Operating systems & Components / Operating system package or component python3-spacewalk-client-setup Operating systems & Components / Operating system package or component python3-spacewalk-check Operating systems & Components / Operating system package or component python3-rhnlib Operating systems & Components / Operating system package or component python3-mgr-virtualization-host Operating systems & Components / Operating system package or component python3-mgr-virtualization-common Operating systems & Components / Operating system package or component python3-mgr-push Operating systems & Components / Operating system package or component python3-mgr-osad Operating systems & Components / Operating system package or component python3-mgr-osa-common Operating systems & Components / Operating system package or component python3-mgr-cfg-management Operating systems & Components / Operating system package or component python3-mgr-cfg-client Operating systems & Components / Operating system package or component python3-mgr-cfg-actions Operating systems & Components / Operating system package or component python3-mgr-cfg Operating systems & Components / Operating system package or component python3-hwdata Operating systems & Components / Operating system package or component mgr-virtualization-host Operating systems & Components / Operating system package or component mgr-push Operating systems & Components / Operating system package or component mgr-osad Operating systems & Components / Operating system package or component mgr-custom-info Operating systems & Components / Operating system package or component mgr-cfg-management Operating systems & Components / Operating system package or component mgr-cfg-client Operating systems & Components / Operating system package or component mgr-cfg-actions Operating systems & Components / Operating system package or component mgr-cfg Operating systems & Components / Operating system package or component ansible-doc Operating systems & Components / Operating system package or component ansible Operating systems & Components / Operating system package or component salt-syndic Operating systems & Components / Operating system package or component salt-standalone-formulas-configuration Operating systems & Components / Operating system package or component salt-ssh Operating systems & Components / Operating system package or component salt-proxy Operating systems & Components / Operating system package or component salt-minion Operating systems & Components / Operating system package or component salt-master Operating systems & Components / Operating system package or component salt-doc Operating systems & Components / Operating system package or component salt-cloud Operating systems & Components / Operating system package or component salt-api Operating systems & Components / Operating system package or component salt Operating systems & Components / Operating system package or component python3-uyuni-common-libs Operating systems & Components / Operating system package or component python3-salt Operating systems & Components / Operating system package or component grafana Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU57320

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Green]

CVE-ID: CVE-2021-39226

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions to database snapshots. Remote unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey.

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

Mitigation

Update the affected package Security Beta update for SUSE Manager Client Tools to the latest version.

Vulnerable software versions

SUSE Manager Tools: 15 BETA

zypp-plugin-spacewalk: before 1.0.11-159000.6.18.3

suseRegisterInfo: before 4.3.2-159000.6.18.3

spacewalk-remote-utils: before 4.3.2-159000.6.12.3

spacewalk-oscap: before 4.3.2-159000.6.12.3

spacewalk-koan: before 4.3.2-159000.6.12.3

spacewalk-client-tools: before 4.3.5-159000.6.36.5

spacewalk-client-setup: before 4.3.5-159000.6.36.5

spacewalk-check: before 4.3.5-159000.6.36.5

spacecmd: before 4.3.5-159000.6.30.3

salt-zsh-completion: before 3003.3-159000.8.47.2

salt-fish-completion: before 3003.3-159000.8.47.2

salt-bash-completion: before 3003.3-159000.8.47.2

python3-zypp-plugin-spacewalk: before 1.0.11-159000.6.18.3

python3-suseRegisterInfo: before 4.3.2-159000.6.18.3

python3-spacewalk-oscap: before 4.3.2-159000.6.12.3

python3-spacewalk-koan: before 4.3.2-159000.6.12.3

python3-spacewalk-client-tools: before 4.3.5-159000.6.36.5

python3-spacewalk-client-setup: before 4.3.5-159000.6.36.5

python3-spacewalk-check: before 4.3.5-159000.6.36.5

python3-rhnlib: before 4.3.2-159000.6.21.3

python3-mgr-virtualization-host: before 4.3.2-159000.4.12.3

python3-mgr-virtualization-common: before 4.3.2-159000.4.12.3

python3-mgr-push: before 4.3.2-159000.4.12.4

python3-mgr-osad: before 4.3.3-159000.4.21.4

python3-mgr-osa-common: before 4.3.3-159000.4.21.4

python3-mgr-cfg-management: before 4.3.4-159000.4.20.2

python3-mgr-cfg-client: before 4.3.4-159000.4.20.2

python3-mgr-cfg-actions: before 4.3.4-159000.4.20.2

python3-mgr-cfg: before 4.3.4-159000.4.20.2

python3-hwdata: before 2.3.5-159000.5.10.3

mgr-virtualization-host: before 4.3.2-159000.4.12.3

mgr-push: before 4.3.2-159000.4.12.4

mgr-osad: before 4.3.3-159000.4.21.4

mgr-custom-info: before 4.3.3-159000.4.12.3

mgr-cfg-management: before 4.3.4-159000.4.20.2

mgr-cfg-client: before 4.3.4-159000.4.20.2

mgr-cfg-actions: before 4.3.4-159000.4.20.2

mgr-cfg: before 4.3.4-159000.4.20.2

ansible-doc: before 2.9.21-159000.3.6.2

ansible: before 2.9.21-159000.3.6.2

salt-syndic: before 3003.3-159000.8.47.2

salt-standalone-formulas-configuration: before 3003.3-159000.8.47.2

salt-ssh: before 3003.3-159000.8.47.2

salt-proxy: before 3003.3-159000.8.47.2

salt-minion: before 3003.3-159000.8.47.2

salt-master: before 3003.3-159000.8.47.2

salt-doc: before 3003.3-159000.8.47.2

salt-cloud: before 3003.3-159000.8.47.2

salt-api: before 3003.3-159000.8.47.2

salt: before 3003.3-159000.8.47.2

python3-uyuni-common-libs: before 4.3.2-159000.3.24.4

python3-salt: before 3003.3-159000.8.47.2

grafana: before 7.5.12-159000.4.18.3

CPE2.3

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20220311-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) Path traversal

EUVDB-ID: #VU64273

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-43813

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No