Описание
Security update for the Linux Kernel
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)
The following non-security bugs were fixed:
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- dm: fix redundant IO accounting for bios that need splitting (bsc#1183738).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- kabi: Fix breakage in NVMe driver (bsc#1181161).
- kabi: Fix nvmet error log definitions (bsc#1181161).
- kabi: nvme: fix fast_io_fail_tmo (bsc#1181161).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950).
- nvme-fabrics: allow to queue requests for live queues (bsc#1181161).
- nvme-fabrics: do not check state NVME_CTRL_NEW for request acceptance (bsc#1181161).
- nvme-fabrics: reject I/O to offline device (bsc#1181161).
- nvme-pci: Sync queues on reset (bsc#1181161).
- nvme-rdma: avoid race between time out and tear down (bsc#1181161).
- nvme-rdma: avoid repeated request completion (bsc#1181161).
- nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1181161).
- nvme-rdma: fix controller reset hang during traffic (bsc#1181161).
- nvme-rdma: fix possible hang when failing to set io queues (bsc#1181161).
- nvme-rdma: fix timeout handler (bsc#1181161).
- nvme-rdma: serialize controller teardown sequences (bsc#1181161).
- nvme-tcp: avoid race between time out and tear down (bsc#1181161).
- nvme-tcp: avoid repeated request completion (bsc#1181161).
- nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1181161).
- nvme-tcp: fix controller reset hang during traffic (bsc#1181161).
- nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161).
- nvme-tcp: fix timeout handler (bsc#1181161).
- nvme-tcp: serialize controller teardown sequences (bsc#1181161).
- nvme: Restart request timers in resetting state (bsc#1181161).
- nvme: add error log page slot definition (bsc#1181161).
- nvme: include admin_q sync with nvme_sync_queues (bsc#1181161).
- nvme: introduce 'Command Aborted By host' status code (bsc#1181161).
- nvme: introduce nvme_is_fabrics to check fabrics cmd (bsc#1181161).
- nvme: introduce nvme_sync_io_queues (bsc#1181161).
- nvme: make fabrics command run on a separate request queue (bsc#1181161).
- nvme: prevent warning triggered by nvme_stop_keep_alive (bsc#1181161).
- nvme: unlink head after removing last namespace (bsc#1181161).
- nvmet: add error log support for fabrics-cmd (bsc#1181161).
- nvmet: add error-log definitions (bsc#1181161).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
Список пакетов
Image SLES15-SP1-Azure-BYOS
Image SLES15-SP1-Azure-HPC-BYOS
Image SLES15-SP1-CHOST-BYOS-Azure
Image SLES15-SP1-CHOST-BYOS-EC2
Image SLES15-SP1-CHOST-BYOS-GCE
Image SLES15-SP1-EC2-HPC-HVM-BYOS
Image SLES15-SP1-EC2-HVM-BYOS
Image SLES15-SP1-GCE-BYOS
Image SLES15-SP1-SAP-Azure
Image SLES15-SP1-SAP-Azure-BYOS
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP1-SAP-EC2-HVM
Image SLES15-SP1-SAP-EC2-HVM-BYOS
Image SLES15-SP1-SAP-GCE
Image SLES15-SP1-SAP-GCE-BYOS
Image SLES15-SP1-SAPCAL-Azure
Image SLES15-SP1-SAPCAL-EC2-HVM
Image SLES15-SP1-SAPCAL-GCE
SUSE Enterprise Storage 6
SUSE Linux Enterprise High Availability Extension 15 SP1
SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
SUSE Linux Enterprise Live Patching 15 SP1
SUSE Linux Enterprise Server 15 SP1-BCL
SUSE Linux Enterprise Server 15 SP1-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP1
SUSE Manager Proxy 4.0
SUSE Manager Retail Branch Server 4.0
SUSE Manager Server 4.0
Ссылки
- Link for SUSE-SU-2021:1912-1
- E-Mail link for SUSE-SU-2021:1912-1
- SUSE Security Ratings
- SUSE Bug 1181161
- SUSE Bug 1183405
- SUSE Bug 1183738
- SUSE Bug 1183947
- SUSE Bug 1184611
- SUSE Bug 1184675
- SUSE Bug 1185642
- SUSE Bug 1185680
- SUSE Bug 1185725
- SUSE Bug 1185859
- SUSE Bug 1185860
- SUSE Bug 1185862
- SUSE Bug 1185863
- SUSE Bug 1185898
- SUSE Bug 1185899
- SUSE Bug 1185901
- SUSE Bug 1185938
Описание
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
Затронутые продукты
Ссылки
- CVE-2020-24586
- SUSE Bug 1185859
- SUSE Bug 1192868
Описание
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
Затронутые продукты
Ссылки
- CVE-2020-24587
- SUSE Bug 1185859
- SUSE Bug 1185862
- SUSE Bug 1192868
Описание
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.
Затронутые продукты
Ссылки
- CVE-2020-26139
- SUSE Bug 1186062
- SUSE Bug 1192868
Описание
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
Затронутые продукты
Ссылки
- CVE-2020-26141
- SUSE Bug 1185987
Описание
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
Затронутые продукты
Ссылки
- CVE-2020-26145
- SUSE Bug 1185860
Описание
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
Затронутые продукты
Ссылки
- CVE-2020-26147
- SUSE Bug 1233723
Описание
A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.
Затронутые продукты
Ссылки
- CVE-2021-23133
- SUSE Bug 1184675
- SUSE Bug 1185901
Описание
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.
Затронутые продукты
Ссылки
- CVE-2021-23134
- SUSE Bug 1186060
- SUSE Bug 1186061
- SUSE Bug 1220739
Описание
net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.
Затронутые продукты
Ссылки
- CVE-2021-32399
- SUSE Bug 1184611
- SUSE Bug 1185898
- SUSE Bug 1185899
- SUSE Bug 1196174
- SUSE Bug 1200084
- SUSE Bug 1201734
Описание
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
Затронутые продукты
Ссылки
- CVE-2021-33034
- SUSE Bug 1186111
- SUSE Bug 1186285
Описание
kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
Затронутые продукты
Ссылки
- CVE-2021-33200
- SUSE Bug 1186484
- SUSE Bug 1186498
- SUSE Bug 1224878
Описание
The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1).
Затронутые продукты
Ссылки
- CVE-2021-3491
- SUSE Bug 1185642
- SUSE Bug 1187090