Описание
Security update for the Linux Kernel
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to obtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bsc#1186463)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bsc#1179610)
- CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861)
- CVE-2021-32399: Fixed a race condition in net/bluetooth/hci_request.c for removal of the HCI controller. (bsc#1184611)
- CVE-2021-33034: Fixed an issue in net/bluetooth/hci_event.c where a use-after-free leads to writing an arbitrary value. (bsc#1186111)
- CVE-2020-26139: Fixed a bug that allows an Access Point (AP) to forward EAPOL frames to other clients even though the sender has not yet successfully authenticated. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and made it easier to exploit other vulnerabilities in connected clients. (bsc#1186062)
- CVE-2021-23134: Fixed a use After Free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (bsc#1186060)
- CVE-2020-24586: Fixed a bug that, under the right circumstances, allows to inject arbitrary network packets and/or exfiltrate user data when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP. (bsc#1185859)
- CVE-2020-26141: Fixed a flaw that could allows an adversary to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bsc#1185987)
- CVE-2020-26145: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject arbitrary network packets. (bsc#1185860)
- CVE-2020-24587: Fixed a bug that allows an adversary to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (bsc#1185862)
- CVE-2020-26147: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames. (bsc#1185987)
The following non-security bugs were fixed:
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724).
- hv_netvsc: Add handlers for ethtool get/set msg level (bsc#1175462).
- hv_netvsc: avoid retry on send during shutdown (bsc#1175462).
- hv_netvsc: avoid unnecessary wakeups on subchannel creation (bsc#1175462).
- hv_netvsc: cancel subchannel setup before halting device (bsc#1175462).
- hv_netvsc: change GPAD teardown order on older versions (bsc#1175462).
- hv_netvsc: common detach logic (bsc#1175462).
- hv_netvsc: delay setup of VF device (bsc#1175462).
- hv_netvsc: disable NAPI before channel close (bsc#1175462).
- hv_netvsc: Ensure correct teardown message sequence order (bsc#1175462).
- hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (bsc#1175462).
- hv_netvsc: Fix a network regression after ifdown/ifup (bsc#1175462).
- hv_netvsc: fix deadlock on hotplug (bsc#1175462).
- hv_netvsc: Fix error handling in netvsc_attach() (bsc#1175462).
- hv_netvsc: fix error unwind handling if vmbus_open fails (bsc#1175462).
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() (bsc#1175462).
- hv_netvsc: fix handling of fallback to single queue mode (bsc#1175462).
- hv_netvsc: Fix hash key value reset after other ops (bsc#1175462).
- hv_netvsc: Fix IP header checksum for coalesced packets (bsc#1175462).
- hv_netvsc: Fix net device attach on older Windows hosts (bsc#1175462).
- hv_netvsc: fix network namespace issues with VF support (bsc#1175462).
- hv_netvsc: Fix NULL dereference at single queue mode fallback (bsc#1175462).
- hv_netvsc: fix race during initialization (bsc#1175462).
- hv_netvsc: fix race on sub channel creation (bsc#1175462).
- hv_netvsc: fix race that may miss tx queue wakeup (bsc#1175462).
- hv_netvsc: fix schedule in RCU context (bsc#1175462).
- hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (bsc#1175462).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup after tx_disable (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup in netvsc_attach() (bsc#1175462).
- hv_netvsc: flag software created hash value (bsc#1175462).
- hv_netvsc: netvsc_teardown_gpadl() split (bsc#1175462).
- hv_netvsc: only wake transmit queue if link is up (bsc#1175462).
- hv_netvsc: pass netvsc_device to rndis halt (bsc#1175462).
- hv_netvsc: preserve hw_features on mtu/channels/ringparam changes (bsc#1175462).
- hv_netvsc: Refactor assignments of struct netvsc_device_info (bsc#1175462).
- hv_netvsc: set master device (bsc#1175462).
- hv_netvsc: Set tx_table to equal weight after subchannels open (bsc#1175462).
- hv_netvsc: Simplify num_chn checking in rndis_filter_device_add() (bsc#1175462).
- hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() (bsc#1175462).
- hv_netvsc: split sub-channel setup into async and sync (bsc#1175462).
- hv_netvsc: typo in NDIS RSS parameters structure (bsc#1175462).
- hv_netvsc: use RCU to fix concurrent rx and queue changes (bsc#1175462).
- hv_netvsc: use reciprocal divide to speed up percent calculation (bsc#1175462).
- hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown (bsc#1175462).
- kgraft: truncate the output from state_show() sysfs attr (bsc#1186235).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bsc#1115026).
- mm: consider __HW_POISON pages when allocating from pcp lists (bsc#1187388).
- scsi: storvsc: Enable scatterlist entry lengths > 4Kbytes (bsc#1187193).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185724).
Список пакетов
HPE Helion OpenStack 8
SUSE Linux Enterprise High Availability Extension 12 SP3
SUSE Linux Enterprise Server 12 SP3-BCL
SUSE Linux Enterprise Server 12 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP3
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud Crowbar 8
Ссылки
- Link for SUSE-SU-2021:2451-1
- E-Mail link for SUSE-SU-2021:2451-1
- SUSE Security Ratings
- SUSE Bug 1115026
- SUSE Bug 1175462
- SUSE Bug 1179610
- SUSE Bug 1184611
- SUSE Bug 1185724
- SUSE Bug 1185859
- SUSE Bug 1185860
- SUSE Bug 1185861
- SUSE Bug 1185862
- SUSE Bug 1185863
- SUSE Bug 1185898
- SUSE Bug 1185987
- SUSE Bug 1186060
- SUSE Bug 1186062
- SUSE Bug 1186111
- SUSE Bug 1186235
- SUSE Bug 1186390
Описание
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
Затронутые продукты
Ссылки
- CVE-2020-24586
- SUSE Bug 1185859
- SUSE Bug 1192868
Описание
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
Затронутые продукты
Ссылки
- CVE-2020-24587
- SUSE Bug 1185859
- SUSE Bug 1185862
- SUSE Bug 1192868
Описание
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
Затронутые продукты
Ссылки
- CVE-2020-24588
- SUSE Bug 1185861
- SUSE Bug 1192868
- SUSE Bug 1199701
Описание
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.
Затронутые продукты
Ссылки
- CVE-2020-26139
- SUSE Bug 1186062
- SUSE Bug 1192868
Описание
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
Затронутые продукты
Ссылки
- CVE-2020-26141
- SUSE Bug 1185987
Описание
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
Затронутые продукты
Ссылки
- CVE-2020-26145
- SUSE Bug 1185860
Описание
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
Затронутые продукты
Ссылки
- CVE-2020-26147
- SUSE Bug 1233723
Описание
Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
Затронутые продукты
Ссылки
- CVE-2020-26558
- SUSE Bug 1179610
- SUSE Bug 1186463
Описание
An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c.
Затронутые продукты
Ссылки
- CVE-2020-36385
- SUSE Bug 1187050
- SUSE Bug 1187052
- SUSE Bug 1189302
- SUSE Bug 1196174
- SUSE Bug 1196810
- SUSE Bug 1196914
- SUSE Bug 1200084
- SUSE Bug 1201734
Описание
An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.
Затронутые продукты
Ссылки
- CVE-2020-36386
- SUSE Bug 1187038
- SUSE Bug 1192868
Описание
Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
Затронутые продукты
Ссылки
- CVE-2021-0129
- SUSE Bug 1186463
Описание
In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2021-0512
- SUSE Bug 1187595
- SUSE Bug 1187597
Описание
In pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-110373476
Затронутые продукты
Ссылки
- CVE-2021-0605
- SUSE Bug 1187601
- SUSE Bug 1187687
- SUSE Bug 1188381
Описание
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
Затронутые продукты
Ссылки
- CVE-2021-22555
- SUSE Bug 1188116
- SUSE Bug 1188117
- SUSE Bug 1188411
Описание
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.
Затронутые продукты
Ссылки
- CVE-2021-23134
- SUSE Bug 1186060
- SUSE Bug 1186061
- SUSE Bug 1220739
Описание
net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.
Затронутые продукты
Ссылки
- CVE-2021-32399
- SUSE Bug 1184611
- SUSE Bug 1185898
- SUSE Bug 1185899
- SUSE Bug 1196174
- SUSE Bug 1200084
- SUSE Bug 1201734
Описание
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
Затронутые продукты
Ссылки
- CVE-2021-33034
- SUSE Bug 1186111
- SUSE Bug 1186285
Описание
fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.
Затронутые продукты
Ссылки
- CVE-2021-33909
- SUSE Bug 1188062
- SUSE Bug 1188063
- SUSE Bug 1188257
- SUSE Bug 1189302
- SUSE Bug 1190859
Описание
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
Затронутые продукты
Ссылки
- CVE-2021-34693
- SUSE Bug 1187452
- SUSE Bug 1192868
Описание
.A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.
Затронутые продукты
Ссылки
- CVE-2021-3609
- SUSE Bug 1187215
- SUSE Bug 1188323
- SUSE Bug 1188720
- SUSE Bug 1190276
- SUSE Bug 1196810