MGASA-2023-0295 - Updated kernel packages fix security vulnerabilities

Publication date: 22 Oct 2023
URL: https://advisories.mageia.org/MGASA-2023-0295.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-1076,
     CVE-2023-4155,
     CVE-2023-4921,
     CVE-2023-5197,
     CVE-2023-25775,
     CVE-2023-42754,
     CVE-2023-42756

This kernel update is based on upstream 6.4.16 and fixes or adds
mitigations for atleast the following security issues:

A flaw was found in the Linux Kernel. The tun/tap sockets have their
socket UID hardcoded to 0 due to a type confusion in their
initialization function. While it will be often correct, as tuntap
devices require CAP_NET_ADMIN, it may not always be the case, e.g., a
non-root user only having that capability. This would make tun/tap
sockets being incorrectly treated in filtering/routing decisions,
possibly bypassing network filters. CVE-2023-1076

A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the
Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs
can trigger a double fetch race condition vulnerability and invoke the
`VMGEXIT` handler recursively. If an attacker manages to call the
handler multiple times, they can trigger a stack overflow and cause a
denial of service or potentially guest-to-host escape in kernel
configurations without stack guard pages (`CONFIG_VMAP_STACK`).
CVE-2023-4155

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq
component can be exploited to achieve local privilege escalation. When
the plug qdisc is used as a class of the qfq qdisc, sending network
packets triggers use-after-free in qfq_dequeue() due to the incorrect
.peek handler of sch_plug and lack of error checking in agg_dequeue().
We recommend upgrading past commit
8fc134fee27f2263988ae38920bc03da416b03d8. CVE-2023-4921

A use-after-free vulnerability in the Linux kernel's netfilter:
nf_tables component can be exploited to achieve local privilege
escalation. Addition and removal of rules from chain bindings within the
same transaction causes leads to use-after-free. We recommend upgrading
past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325. CVE-2023-5197

Improper access control in the Intel(R) Ethernet Controller RDMA driver
for linux before version 1.9.30 may allow an unauthenticated user to
potentially enable escalation of privilege via network access.
CVE-2023-25775

A NULL pointer dereference flaw was found in the Linux kernel ipv4
stack. The socket buffer (skb) was assumed to be associated with a
device before calling __ip_options_compile, which is not always the case
if the skb is re-routed by ipvs. This issue may allow a local user with
CAP_NET_ADMIN privileges to crash the system. CVE-2023-42754

A flaw was found in the Netfilter subsystem of the Linux kernel. A race
condition between IPSET_CMD_ADD and IPSET_CMD_SWAP can lead to a kernel
panic due to the invocation of `__ip_set_put` on a wrong `set`. This
issue may allow a local user to crash the system. CVE-2023-42756

For other upstream fixes in this update, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=32296
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.10
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.11
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.12
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.13
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.14
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.15
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.16
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1076
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4155
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4921
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5197
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25775
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42754
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42756

SRPMS:
- 9/core/kernel-6.4.16-3.mga9
- 9/core/kmod-virtualbox-7.0.10-33.mga9
- 9/core/kmod-xtables-addons-3.24-48.mga9

Mageia 2023-0295: kernel security update

This kernel update is based on upstream 6.4.16 and fixes or adds mitigations for atleast the following security issues: A flaw was found in the Linux Kernel

Summary

This kernel update is based on upstream 6.4.16 and fixes or adds mitigations for atleast the following security issues:
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters. CVE-2023-1076
A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`). CVE-2023-4155
A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8. CVE-2023-4921
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Addition and removal of rules from chain bindings within the same transaction causes leads to use-after-free. We recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325. CVE-2023-5197
Improper access control in the Intel(R) Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access. CVE-2023-25775
A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system. CVE-2023-42754
A flaw was found in the Netfilter subsystem of the Linux kernel. A race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP can lead to a kernel panic due to the invocation of `__ip_set_put` on a wrong `set`. This issue may allow a local user to crash the system. CVE-2023-42756
For other upstream fixes in this update, see the referenced changelogs.

References

- https://bugs.mageia.org/show_bug.cgi?id=32296

- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.10

- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.11

- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.12

- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.13

- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.14

- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.15

- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.16

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1076

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4155

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4921

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5197

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25775

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42754

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42756

Resolution

MGASA-2023-0295 - Updated kernel packages fix security vulnerabilities

SRPMS

- 9/core/kernel-6.4.16-3.mga9

- 9/core/kmod-virtualbox-7.0.10-33.mga9

- 9/core/kmod-xtables-addons-3.24-48.mga9

Severity
Publication date: 22 Oct 2023
URL: https://advisories.mageia.org/MGASA-2023-0295.html
Type: security
CVE: CVE-2023-1076, CVE-2023-4155, CVE-2023-4921, CVE-2023-5197, CVE-2023-25775, CVE-2023-42754, CVE-2023-42756

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo