CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
38.6%
The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0543-1 advisory.
The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85. (CVE-2020-28097)
A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 (CVE-2021-22600)
In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a race condition. This could lead to local information disclosure with System execution privileges needed.
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-160822094References: Upstream kernel (CVE-2021-39648)
In ufshcd_eh_device_reset_handler of ufshcd.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed.
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-194696049References: Upstream kernel (CVE-2021-39657)
In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-210292376References: Upstream kernel (CVE-2021-39685)
pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.
(CVE-2021-45095)
A flaw was found in the Linux kernel. A null pointer dereference in bond_ipsec_add_sa() may lead to local denial of service. (CVE-2022-0286)
A random memory access flaw was found in the Linux kernel’s GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. (CVE-2022-0330)
kernel: failing usercopy allows for use-after-free exploitation (CVE-2022-22942)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2022:0543-1. The text itself
# is copyright (C) SUSE.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(158225);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/13");
script_cve_id(
"CVE-2020-28097",
"CVE-2021-22600",
"CVE-2021-39648",
"CVE-2021-39657",
"CVE-2021-39685",
"CVE-2021-45095",
"CVE-2022-0286",
"CVE-2022-0330",
"CVE-2022-22942"
);
script_xref(name:"SuSE", value:"SUSE-SU-2022:0543-1");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/02");
script_name(english:"SUSE SLES15 Security Update : the Linux RT Kernel (SUSE-SU-2022:0543-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in
the SUSE-SU-2022:0543-1 advisory.
- The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a
vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85. (CVE-2020-28097)
- A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through
crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected
versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 (CVE-2021-22600)
- In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a
race condition. This could lead to local information disclosure with System execution privileges needed.
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-160822094References: Upstream kernel (CVE-2021-39648)
- In ufshcd_eh_device_reset_handler of ufshcd.c, there is a possible out of bounds read due to a missing
bounds check. This could lead to local information disclosure with System execution privileges needed.
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-194696049References: Upstream kernel (CVE-2021-39657)
- In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an
incorrect flag check. This could lead to local escalation of privilege with no additional execution
privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android
kernelAndroid ID: A-210292376References: Upstream kernel (CVE-2021-39685)
- pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.
(CVE-2021-45095)
- A flaw was found in the Linux kernel. A null pointer dereference in bond_ipsec_add_sa() may lead to local
denial of service. (CVE-2022-0286)
- A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the
way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or
escalate their privileges on the system. (CVE-2022-0330)
- kernel: failing usercopy allows for use-after-free exploitation (CVE-2022-22942)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1154353");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1154488");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1156395");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1160634");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1176447");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1177599");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1183405");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1185377");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1187428");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1187723");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1188605");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1191881");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1193096");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1193506");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1193802");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1193861");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1193864");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1193867");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1194048");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1194227");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1194291");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1194880");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195009");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195065");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195073");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195183");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195184");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195254");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195267");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195293");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195371");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195476");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195477");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195478");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195479");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195480");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195481");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1195482");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-28097");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-22600");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-39648");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-39657");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-39685");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-45095");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-0286");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-0330");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-22942");
# https://lists.suse.com/pipermail/sle-security-updates/2022-February/010282.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?692365a1");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-39685");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-22942");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'vmwgfx Driver File Descriptor Handling Priv Esc');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/02/16");
script_set_attribute(attribute:"patch_publication_date", value:"2022/02/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dlm-kmp-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-devel-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-rt-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE (' + os_ver + ')');
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(3)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP3", os_ver + " SP" + service_pack);
var pkgs = [
{'reference':'cluster-md-kmp-rt-5.3.18-150300.76.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'dlm-kmp-rt-5.3.18-150300.76.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'gfs2-kmp-rt-5.3.18-150300.76.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'kernel-devel-rt-5.3.18-150300.76.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'kernel-rt-5.3.18-150300.76.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'kernel-rt-devel-5.3.18-150300.76.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'kernel-rt_debug-devel-5.3.18-150300.76.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'kernel-source-rt-5.3.18-150300.76.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'kernel-syms-rt-5.3.18-150300.76.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},
{'reference':'ocfs2-kmp-rt-5.3.18-150300.76.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']}
];
var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var exists_check = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && _release) {
if (exists_check) {
var check_flag = 0;
foreach var check (exists_check) {
if (!rpm_exists(release:_release, rpm:check)) continue;
check_flag++;
}
if (!check_flag) continue;
}
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28097
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22600
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39648
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39657
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39685
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45095
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0286
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0330
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22942
www.nessus.org/u?692365a1
bugzilla.suse.com/1154353
bugzilla.suse.com/1154488
bugzilla.suse.com/1156395
bugzilla.suse.com/1160634
bugzilla.suse.com/1176447
bugzilla.suse.com/1177599
bugzilla.suse.com/1183405
bugzilla.suse.com/1185377
bugzilla.suse.com/1187428
bugzilla.suse.com/1187723
bugzilla.suse.com/1188605
bugzilla.suse.com/1191881
bugzilla.suse.com/1193096
bugzilla.suse.com/1193506
bugzilla.suse.com/1193802
bugzilla.suse.com/1193861
bugzilla.suse.com/1193864
bugzilla.suse.com/1193867
bugzilla.suse.com/1194048
bugzilla.suse.com/1194227
bugzilla.suse.com/1194291
bugzilla.suse.com/1194880
bugzilla.suse.com/1195009
bugzilla.suse.com/1195065
bugzilla.suse.com/1195073
bugzilla.suse.com/1195183
bugzilla.suse.com/1195184
bugzilla.suse.com/1195254
bugzilla.suse.com/1195267
bugzilla.suse.com/1195293
bugzilla.suse.com/1195371
bugzilla.suse.com/1195476
bugzilla.suse.com/1195477
bugzilla.suse.com/1195478
bugzilla.suse.com/1195479
bugzilla.suse.com/1195480
bugzilla.suse.com/1195481
bugzilla.suse.com/1195482
www.suse.com/security/cve/CVE-2020-28097
www.suse.com/security/cve/CVE-2021-22600
www.suse.com/security/cve/CVE-2021-39648
www.suse.com/security/cve/CVE-2021-39657
www.suse.com/security/cve/CVE-2021-39685
www.suse.com/security/cve/CVE-2021-45095
www.suse.com/security/cve/CVE-2022-0286
www.suse.com/security/cve/CVE-2022-0330
www.suse.com/security/cve/CVE-2022-22942
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
38.6%