SUSE SLES15 Security Update : kernel (Live Patch 15 for SLE 15 SP2) (SUSE-SU-2021:2577-1) - Nessus

High   Plugin ID: 152167

---

This page contains detailed information about the SUSE SLES15 Security Update : kernel (Live Patch 15 for SLE 15 SP2) (SUSE-SU-2021:2577-1) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 152167
Name: SUSE SLES15 Security Update : kernel (Live Patch 15 for SLE 15 SP2) (SUSE-SU-2021:2577-1)
Filename: suse_SU-2021-2577-1.nasl
Vulnerability Published: 2021-03-07
This Plugin Published: 2021-07-31
Last Modification Time: 2022-01-20
Plugin Version: 1.4
Plugin Type: local
Plugin Family: SuSE Local Security Checks
Dependencies: linux_alt_patch_detect.nasl, ssh_get_info.nasl
Required KB Items [?]: Host/cpu, Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Vulnerability Information

---

Severity: High
Vulnerability Published: 2021-03-07
Patch Published: 2021-07-30
CVE [?]: CVE-2020-36322, CVE-2020-36385, CVE-2021-3444, CVE-2021-22555, CVE-2021-23133, CVE-2021-27363, CVE-2021-27364, CVE-2021-27365, CVE-2021-28660, CVE-2021-28688, CVE-2021-29154, CVE-2021-32399, CVE-2021-33034, CVE-2021-33909
CPE [?]: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:kernel-livepatch-5_3_18-24_53_4-default
Exploited by Malware: True

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2577-1 advisory.

- An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950. (CVE-2020-36322)

- An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after- free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c. (CVE-2020-36385)

- A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)

- A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

- An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

- An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

- An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message. (CVE-2021-27365)

- rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

- The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

- BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

- net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)

- In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

- fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)

- The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel-livepatch-5_3_18-24_53_4-default package.

Public Exploits

---

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the SUSE SLES15 Security Update : kernel (Live Patch 15 for SLE 15 SP2) (SUSE-SU-2021:2577-1) vulnerability:

1. Metasploit: exploit/linux/local/netfilter_xtables_heap_oob_write_priv_esc
   [Netfilter x_tables Heap OOB Write Privilege Escalation]
2. Exploit-DB: exploits/linux/local/50135.c
   [EDB-50135: Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation]
3. GitHub: https://github.com/JaskaranNarula/Host_Errata_Info
   [CVE-2020-36322]
4. GitHub: https://github.com/JamesGeeee/CVE-2020-36385
   [CVE-2020-36385: PoC for exploiting CVE-2020-36385]
5. GitHub: https://github.com/PwnCast/CVE-2020-36385
   [CVE-2020-36385: PoC for exploiting CVE-2020-36385 : An issue was discovered in the Linux kernel ...]
6. GitHub: https://github.com/Wi1L-Y/News
   [CVE-2021-3444]
7. GitHub: https://github.com/Al1ex/LinuxEelvation
   [CVE-2021-22555]
8. GitHub: https://github.com/ChoKyuWon/exploit_articles
   [CVE-2021-22555]
9. GitHub: https://github.com/EGI-Federation/SVG-advisories
   [CVE-2021-22555]
10. GitHub: https://github.com/JoneyJunior/cve-2021-22555
    [CVE-2021-22555]
11. GitHub: https://github.com/JustYoomoon/CVE-2021-22555-Exploit
    [CVE-2021-22555: CVE-2021-22555 Exploit]
12. GitHub: https://github.com/Metarget/awesome-cloud-native-security
    [CVE-2021-22555]
13. GitHub: https://github.com/Metarget/metarget
    [CVE-2021-22555]
14. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2021-22555]
15. GitHub: https://github.com/YunDingLab/struct_sanitizer
    [CVE-2021-22555]
16. GitHub: https://github.com/bcoles/kasld
    [CVE-2021-22555]
17. GitHub: https://github.com/bcoles/kernel-exploits
    [CVE-2021-22555]
18. GitHub: https://github.com/bsauce/kernel-exploit-factory
    [CVE-2021-22555]
19. GitHub: https://github.com/bsauce/kernel-security-learning
    [CVE-2021-22555]
20. GitHub: https://github.com/cgwalters/container-cve-2021-22555
    [CVE-2021-22555]
21. GitHub: https://github.com/cpuu/LinuxKernelCVE
    [CVE-2021-22555]
22. GitHub: https://github.com/ctrsploit/ctrsploit
    [CVE-2021-22555]
23. GitHub: https://github.com/daletoniris/CVE-2021-22555-esc-priv
    [CVE-2021-22555]
24. GitHub: https://github.com/hacking-kubernetes/hacking-kubernetes.info
    [CVE-2021-22555]
25. GitHub: https://github.com/joydo/CVE-Writeups
    [CVE-2021-22555]
26. GitHub: https://github.com/reni2study/Cloud-Native-Security2
    [CVE-2021-22555]
27. GitHub: https://github.com/ssst0n3/ctrsploit_archived
    [CVE-2021-22555]
28. GitHub: https://github.com/veritas501/CVE-2021-22555-PipeVersion
    [CVE-2021-22555: CVE-2021-22555 exploit rewritten with pipe primitive]
29. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2021-22555]
30. GitHub: https://github.com/xyjl-ly/CVE-2021-22555-Exploit
    [CVE-2021-22555]
31. GitHub: https://github.com/aaronxie55/Presentation2_Markdown
    [CVE-2021-27363]
32. GitHub: https://github.com/bollwarm/SecToolSet
    [CVE-2021-27363]
33. GitHub: https://github.com/c4pt000/kernel-5.11.6-expSEHDsec-HAXM-cgroup-virtio-nvidia-amd-kaliwifi
    [CVE-2021-27363]
34. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2021-27363]
35. GitHub: https://github.com/aaronxie55/Presentation2_Markdown
    [CVE-2021-27364]
36. GitHub: https://github.com/bollwarm/SecToolSet
    [CVE-2021-27364]
37. GitHub: https://github.com/c4pt000/kernel-5.11.6-expSEHDsec-HAXM-cgroup-virtio-nvidia-amd-kaliwifi
    [CVE-2021-27364]
38. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2021-27364]
39. GitHub: https://github.com/EGI-Federation/SVG-advisories
    [CVE-2021-27365]
40. GitHub: https://github.com/aaronxie55/Presentation2_Markdown
    [CVE-2021-27365]
41. GitHub: https://github.com/bollwarm/SecToolSet
    [CVE-2021-27365]
42. GitHub: https://github.com/c4pt000/kernel-5.11.6-expSEHDsec-HAXM-cgroup-virtio-nvidia-amd-kaliwifi
    [CVE-2021-27365]
43. GitHub: https://github.com/gipi/cve-cemetery
    [CVE-2021-27365]
44. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2021-27365]
45. GitHub: https://github.com/nanopathi/linux-4.19.72_CVE-2021-32399
    [CVE-2021-32399]
46. GitHub: https://github.com/Trinadh465/device_renesas_kernel_AOSP10_r33_CVE-2021-33034
    [CVE-2021-33034]
47. GitHub: https://github.com/artsking/linux-4.1.15_CVE-2021-33034_withPatch
    [CVE-2021-33034]
48. GitHub: https://github.com/AlAIAL90/CVE-2021-33909
    [CVE-2021-33909: PoC for exploiting CVE-2021-33909 : fs/seq_file.c in the Linux kernel 3.16 through ...]
49. GitHub: https://github.com/AmIAHuman/CVE-2021-33909
    [CVE-2021-33909: Sequoia exploit (7/20/21)]
50. GitHub: https://github.com/ChoKyuWon/exploit_articles
    [CVE-2021-33909]
51. GitHub: https://github.com/EGI-Federation/SVG-advisories
    [CVE-2021-33909]
52. GitHub: https://github.com/H0j3n/EzpzCheatSheet
    [CVE-2021-33909]
53. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2021-33909]
54. GitHub: https://github.com/gitezri/LinuxVulnerabilities
    [CVE-2021-33909]
55. GitHub: https://github.com/hac425xxx/heap-exploitation-in-real-world
    [CVE-2021-33909]
56. GitHub: https://github.com/ikramimamoglu/AmIAHuman-CVE-2021-33909
    [CVE-2021-33909]
57. GitHub: https://github.com/joydo/CVE-Writeups
    [CVE-2021-33909]
58. GitHub: https://github.com/kaosagnt/ansible-everyday
    [CVE-2021-33909]
59. GitHub: https://github.com/sfowl/deep-directory
    [CVE-2021-33909]
60. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2021-33909]
61. GitHub: https://github.com/baerwolf/cve-2021-33909
    [CVE-2021-33909: This module fixes an issue in the kernels filesystem layer (CVE-2021-33909) by ...]
62. GitHub: https://github.com/bbinfosec43/CVE-2021-33909
    [CVE-2021-33909: Exploit code for CVE-2021-33909,Just a dump of removed https://github.com/AmIAHuman/ ...]
63. GitHub: https://github.com/ChrisTheCoolHut/CVE-2021-33909
    [CVE-2021-33909: CVE-2021-33909 Sequoia]
64. GitHub: https://github.com/Liang2580/CVE-2021-33909
    [CVE-2021-33909: Sequoia exploit (7/20/21)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS Score Source [?]: CVE-2021-33909
CVSS V2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C

CVSS Base Score:	7.2 (High)
Impact Subscore:	10.0
Exploitability Subscore:	3.9
CVSS Temporal Score:	6.3 (Medium)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	6.3 (Medium)

CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CVSS Base Score:	7.8 (High)
Impact Subscore:	5.9
Exploitability Subscore:	1.8
CVSS Temporal Score:	7.5 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	7.5 (High)

STIG Severity [?]: II
STIG Risk Rating: Medium

Go back to menu.

Plugin Source

---

This is the suse_SU-2021-2577-1.nasl nessus plugin source code. This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2021:2577-1. The text itself
# is copyright (C) SUSE.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(152167);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/01/20");

  script_cve_id(
    "CVE-2020-36322",
    "CVE-2020-36385",
    "CVE-2021-3444",
    "CVE-2021-22555",
    "CVE-2021-23133",
    "CVE-2021-27363",
    "CVE-2021-27364",
    "CVE-2021-27365",
    "CVE-2021-28660",
    "CVE-2021-28688",
    "CVE-2021-29154",
    "CVE-2021-32399",
    "CVE-2021-33034",
    "CVE-2021-33909"
  );
  script_xref(name:"SuSE", value:"SUSE-SU-2021:2577-1");
  script_xref(name:"IAVA", value:"2021-A-0350");

  script_name(english:"SUSE SLES15 Security Update : kernel (Live Patch 15 for SLE 15 SP2) (SUSE-SU-2021:2577-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in
the SUSE-SU-2021:2577-1 advisory.

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka
    CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system
    crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as
    CVE-2021-28950. (CVE-2020-36322)

  - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-
    free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is
    called, aka CID-f5449e74802c. (CVE-2020-36385)

  - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
    This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name
    space (CVE-2021-22555)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel
    privilege escalation from the context of a network service or an unprivileged process. If
    sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the
    auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network
    service privileges to escalate to root or from the context of an unprivileged user directly if a
    BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine
    the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI
    subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at
    /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in
    drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the
    pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is
    adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have
    appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can
    send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a
    Netlink message. (CVE-2021-27365)

  - rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6
    allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,
    CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may
    have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use
    uninitialized or stale values. This initialization went too far and may under certain conditions also
    overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking
    persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,
    leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
    XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,
    allowing them to execute arbitrary code within the kernel context. This affects
    arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI
    controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an
    hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer
    allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an
    unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)

  - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when
    the source register was known to be 0. A local attacker with the ability to load bpf programs could use
    this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and
    possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in
    the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and
    in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1182717");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1183120");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1183491");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1183658");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1184171");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1184710");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1184952");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1185847");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1185899");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1185901");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1186285");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1187052");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1188117");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1188257");
  # https://lists.suse.com/pipermail/sle-security-updates/2021-July/009234.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bb668967");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-36322");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-36385");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-22555");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-23133");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-27363");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-27364");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-27365");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-28660");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-28688");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-29154");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-32399");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-33034");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-33909");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-3444");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel-livepatch-5_3_18-24_53_4-default package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-33909");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Netfilter x_tables Heap OOB Write Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/03/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-livepatch-5_3_18-24_53_4-default");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('rpm.inc');
include('ksplice.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);

var sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP2", os_ver + " SP" + sp);

var pkgs = [
    {'reference':'kernel-livepatch-5_3_18-24_53_4-default-2-2.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.2'}
];

var ltss_caveat_required = FALSE;
var flag = 0;
foreach package_array ( pkgs ) {
  var reference = NULL;
  var release = NULL;
  var sp = NULL;
  var cpu = NULL;
  var exists_check = NULL;
  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && release) {
    if (exists_check) {
      if (!rpm_exists(release:release, rpm:exists_check)) continue;
      if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;
    }
    if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-livepatch-5_3_18-24_53_4-default');
}

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/suse_SU-2021-2577-1.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\suse_SU-2021-2577-1.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/suse_SU-2021-2577-1.nasl

Go back to menu.

How to Run

---

Here is how to run the SUSE SLES15 Security Update : kernel (Live Patch 15 for SLE 15 SP2) (SUSE-SU-2021:2577-1) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select SuSE Local Security Checks plugin family.
6. On the right side table select SUSE SLES15 Security Update : kernel (Live Patch 15 for SLE 15 SP2) (SUSE-SU-2021:2577-1) plugin ID 152167.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl suse_SU-2021-2577-1.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a suse_SU-2021-2577-1.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - suse_SU-2021-2577-1.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state suse_SU-2021-2577-1.nasl -t <IP/HOST>

Go back to menu.

References

---

IAVA | Information Assurance Vulnerability Alert:

• 2021-A-0350

SuSE Security Advisory:

• SUSE-SU-2021:2577-1

See also:

• https://www.tenable.com/plugins/nessus/152167
• https://bugzilla.suse.com/1182717
• https://bugzilla.suse.com/1183120
• https://bugzilla.suse.com/1183491
• https://bugzilla.suse.com/1183658
• https://bugzilla.suse.com/1184171
• https://bugzilla.suse.com/1184710
• https://bugzilla.suse.com/1184952
• https://bugzilla.suse.com/1185847
• https://bugzilla.suse.com/1185899
• https://bugzilla.suse.com/1185901
• https://bugzilla.suse.com/1186285
• https://bugzilla.suse.com/1187052
• https://bugzilla.suse.com/1188117
• https://bugzilla.suse.com/1188257
• https://www.suse.com/security/cve/CVE-2020-36322
• https://www.suse.com/security/cve/CVE-2020-36385
• https://www.suse.com/security/cve/CVE-2021-3444
• https://www.suse.com/security/cve/CVE-2021-22555
• https://www.suse.com/security/cve/CVE-2021-23133
• https://www.suse.com/security/cve/CVE-2021-27363
• https://www.suse.com/security/cve/CVE-2021-27364
• https://www.suse.com/security/cve/CVE-2021-27365
• https://www.suse.com/security/cve/CVE-2021-28660
• https://www.suse.com/security/cve/CVE-2021-28688
• https://www.suse.com/security/cve/CVE-2021-29154
• https://www.suse.com/security/cve/CVE-2021-32399
• https://www.suse.com/security/cve/CVE-2021-33034
• https://www.suse.com/security/cve/CVE-2021-33909
• http://www.nessus.org/u?bb668967
• https://vulners.com/nessus/SUSE_SU-2021-2577-1.NASL

Similar and related Nessus plugins:

• 151997 - SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:2438-1)
• 151998 - SUSE SLES12 Security Update : kernel (SUSE-SU-2021:2422-1)
• 152003 - RHEL 8 : Red Hat Virtualization Host security and bug fix update [ovirt-4.4.7] (Important) (RHSA-2021:2736)
• 152016 - Photon OS 2.0: Linux PHSA-2021-2.0-0370
• 152017 - openSUSE 15 Security Update : kernel (openSUSE-SU-2021:1076-1)
• 152018 - Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9372)
• 152045 - OracleVM 3.4 : kernel-uek (OVMSA-2021-0023)
• 152053 - Photon OS 1.0: Linux PHSA-2021-1.0-0416
• 152055 - SUSE SLES12 Security Update : kernel (SUSE-SU-2021:2451-1)
• 152080 - RHEL 8 : OpenShift Container Platform 4.7.21 (RHSA-2021:2763)
• 152089 - Scientific Linux Security Update : kernel on SL7.x x86_64 (2021:2725)
• 152094 - Oracle Linux 6 : kernel (ELSA-2021-9374)
• 152108 - SUSE SLES15 Security Update : kernel (Live Patch 16 for SLE 15 SP2) (SUSE-SU-2021:2487-1)
• 152116 - SUSE SLES15 Security Update : kernel (Live Patch 14 for SLE 15 SP2) (SUSE-SU-2021:2538-1)
• 152142 - SUSE SLES15 Security Update : kernel (Live Patch 21 for SLE 15 SP1) (SUSE-SU-2021:2542-1)
• 152159 - SUSE SLES15 Security Update : kernel (Live Patch 22 for SLE 15 SP1) (SUSE-SU-2021:2560-1)
• 152160 - SUSE SLES15 Security Update : kernel (Live Patch 2 for SLE 15 SP3) (SUSE-SU-2021:2559-1)
• 152188 - SUSE SLES12 / SLES15 Security Update : kernel (Live Patch 18 for SLE 12 SP4) (SUSE-SU-2021:2584-1)
• 152195 - Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2021-9395)
• 152200 - SUSE SLES15 Security Update : kernel (SUSE-SU-2021:2599-1)
• 152308 - EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2246)
• 152313 - EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2272)
• 152382 - Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9404)
• 152389 - Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9406)
• 152398 - OracleVM 3.4 : kernel-uek (OVMSA-2021-0025)
• 152438 - RHEL 8 : kernel (RHSA-2021:3057)
• 152441 - RHEL 8 : kernel-rt (RHSA-2021:3088)
• 152444 - RHEL 8 : kpatch-patch (RHSA-2021:3044)
• 152464 - Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2021-9407)
• 152465 - Oracle Linux 7 : Unbreakable Enterprise kernel-container (ELSA-2021-9410)
• 152481 - SUSE SLES12 Security Update : kernel (SUSE-SU-2021:2643-1)
• 152493 - Oracle Linux 8 : kernel (ELSA-2021-3057)
• 152536 - Ubuntu 16.04 LTS : Linux kernel vulnerability (USN-5039-1)
• 152545 - SUSE SLES15 Security Update : kernel (SUSE-SU-2021:2678-1)

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file suse_SU-2021-2577-1.nasl version 1.4. For more plugins, visit the Nessus Plugin Library.

Go back to menu.