SB2021101281 - SUSE update for the Linux Kernel

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Cryptographic Issues (CVE-ID: CVE-2020-3702)

The vulnerability allows a remote attacker to gain access top sensitive information.

The vulnerability exists due to improper input validation in WIFI driver(Krook). A remote attacker can temporary disable WPA2 or the WPA/WPA2 mixed-mode encryption and intercept traffic in clear text.

2) Memory leak (CVE-ID: CVE-2021-3744)

The vulnerability allows a local user to perform DoS attack on the target system.

The vulnerability exists due memory leak in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c. A local user can force the application to leak memory and perform denial of service attack.

3) Use-after-free (CVE-ID: CVE-2021-3752)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the Linux kernel’s Bluetooth subsystem when a user calls connect to the socket and disconnect simultaneously. A local user can escalate privileges on the system.

4) Memory leak (CVE-ID: CVE-2021-3764)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak error in the ccp_run_aes_gcm_cmd() function in Linux kernel. A local user can trigger a memory leak error and perform a denial of service (DoS) attack.

5) Race condition (CVE-ID: CVE-2021-40490)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2021/suse-su-20213386-1/