The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0187-1 advisory.
Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)
An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1.
When specifying the plugin to load in the ‘type’ field in the network configuration, it is possible to use special elements such as …/ separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as ‘reboot’. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
(CVE-2021-20206)
A flaw was found in podman. The podman machine
function (used to create and manage Podman virtual machine containing a Podman process) spawns a gvproxy
process on the host system. The gvproxy
API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host’s firewall, an attacker can potentially use the gvproxy
API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host’s services by forwarding all ports to the VM. (CVE-2021-4024)
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both manifests and layers fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both manifests and layers fields or manifests and config fields if they are unable to update to version 1.0.1 of the spec. (CVE-2021-41190)
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions.
A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non- empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
(CVE-2022-27649)
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. (CVE-2022-2989)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2023:0187-1. The text itself
# is copyright (C) SUSE.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(170750);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/13");
script_cve_id(
"CVE-2021-4024",
"CVE-2021-20199",
"CVE-2021-20206",
"CVE-2021-41190",
"CVE-2022-2989",
"CVE-2022-27649"
);
script_xref(name:"SuSE", value:"SUSE-SU-2023:0187-1");
script_name(english:"SUSE SLES15 / openSUSE 15 Security Update : podman (SUSE-SU-2023:0187-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple
vulnerabilities as referenced in the SUSE-SU-2023:0187-1 advisory.
- Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including
from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by
default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)
- An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1.
When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use
special elements such as ../ separators to reference binaries elsewhere on the system. This flaw allows
an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The
highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
(CVE-2021-20206)
- A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual
machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is
accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an
attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making
private services on the VM accessible to the network. This issue could be also used to interrupt the
host's services by forwarding all ports to the VM. (CVE-2021-4024)
- The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution
of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone
was used to determine the type of document during push and pull operations. Documents that contain both
manifests and layers fields could be interpreted as either a manifest or an index in the absence of an
accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a
client may interpret the resulting content differently. The OCI Distribution Specification has been
updated to require that a mediaType value present in a manifest or index match the Content-Type header
used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type
header and reject an ambiguous document that contains both manifests and layers fields or manifests
and config fields if they are unable to update to version 1.0.1 of the spec. (CVE-2021-41190)
- A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions.
A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-
empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with
inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
(CVE-2022-27649)
- An incorrect handling of the supplementary groups in the Podman container engine might lead to the
sensitive information disclosure or possible data modification if an attacker has direct access to the
affected container where supplementary groups are used to set access permissions and is able to execute a
binary code in that container. (CVE-2022-2989)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1181640");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1181961");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1193166");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1193273");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1197672");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1199790");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202809");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-20199");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-20206");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-4024");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-41190");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-27649");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-2989");
# https://lists.suse.com/pipermail/sle-security-updates/2023-January/013557.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d8ba7d5a");
script_set_attribute(attribute:"solution", value:
"Update the affected podman, podman-cni-config, podman-docker and / or podman-remote packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-20206");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-27649");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/02/02");
script_set_attribute(attribute:"patch_publication_date", value:"2023/01/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/28");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:podman");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:podman-cni-config");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:podman-docker");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:podman-remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES|SUSE)") audit(AUDIT_OS_NOT, "SUSE / openSUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+|SUSE([\d.]+))", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE / openSUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15|SLES_SAP15|SUSE15\.4)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / SLES_SAP15 / openSUSE 15', 'SUSE / openSUSE (' + os_ver + ')');
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE / openSUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP4", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP15 SP4", os_ver + " SP" + service_pack);
var pkgs = [
{'reference':'podman-4.3.1-150400.4.11.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'podman-cni-config-4.3.1-150400.4.11.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'podman-docker-4.3.1-150400.4.11.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'podman-remote-4.3.1-150400.4.11.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'podman-4.3.1-150400.4.11.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-containers-release-15.4', 'sles-release-15.4']},
{'reference':'podman-cni-config-4.3.1-150400.4.11.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-containers-release-15.4', 'sles-release-15.4']},
{'reference':'podman-docker-4.3.1-150400.4.11.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-containers-release-15.4', 'sles-release-15.4']},
{'reference':'podman-remote-4.3.1-150400.4.11.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-containers-release-15.4', 'sles-release-15.4']},
{'reference':'podman-4.3.1-150400.4.11.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},
{'reference':'podman-cni-config-4.3.1-150400.4.11.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},
{'reference':'podman-docker-4.3.1-150400.4.11.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},
{'reference':'podman-remote-4.3.1-150400.4.11.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']}
];
var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var exists_check = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && _release) {
if (exists_check) {
var check_flag = 0;
foreach var check (exists_check) {
if (!rpm_exists(release:_release, rpm:check)) continue;
check_flag++;
}
if (!check_flag) continue;
}
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'podman / podman-cni-config / podman-docker / podman-remote');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20199
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4024
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2989
www.nessus.org/u?d8ba7d5a
bugzilla.suse.com/1181640
bugzilla.suse.com/1181961
bugzilla.suse.com/1193166
bugzilla.suse.com/1193273
bugzilla.suse.com/1197672
bugzilla.suse.com/1199790
bugzilla.suse.com/1202809
www.suse.com/security/cve/CVE-2021-20199
www.suse.com/security/cve/CVE-2021-20206
www.suse.com/security/cve/CVE-2021-4024
www.suse.com/security/cve/CVE-2021-41190
www.suse.com/security/cve/CVE-2022-27649
www.suse.com/security/cve/CVE-2022-2989