Added content for two sections

Description of two vulnerabilities added
SUSE · May 28, 2024 · ae62b93 · ae62b93
1 parent 3ea5f08
commit ae62b93
Showing 1 changed file with 63 additions and 80 deletions.
diff --git a/xml/MAIN-SBP-SUSE-security-report-2023.xml b/xml/MAIN-SBP-SUSE-security-report-2023.xml
@@ -37,7 +37,7 @@
   <meta name="social-descr">SUSE Security Report 2023</meta>
 <!--  <meta name="productname">
    <productname>All SUSE Products</productname>
-  </meta>
+  </meta>-->
 
   <meta name="platform">All SUSE Products</meta>
 
@@ -90,7 +90,7 @@
    </revision>
   </revhistory>
 
-<!--  <date>2024-05-27</date>-->
+  <!--<date>2024-05-27</date>-->
 
   <abstract>
 
@@ -152,11 +152,9 @@
    classification mechanisms, we have described our rating system along with the equivalency of each rating 
    to the CVSS v3.1 scoring calculator.</para>
 
-
-
  </sect1>
 
- <sect1 xml:id="sec-background">
+ <!--<sect1 xml:id="sec-background">
   <title>Background</title>
 
   <para>A modern Linux operating system, such as SUSE Linux Enterprise Server for enterprise use or
@@ -197,9 +195,9 @@
    components, like Xen, Samba, X.ORG. Confidential pre-notifications about vulnerabilities will be
    treated according to established responsible disclosure procedures.</para>
 
- </sect1>
+ </sect1>-->
 
- <sect1 xml:id="sec-incident-rating-tracking">
+ <!--<sect1 xml:id="sec-incident-rating-tracking">
   <title>Incident rating and tracking</title>
 
   <para>We rate the severity of incidents with two different systems, a simplified rating system and
@@ -241,8 +239,8 @@
    information.</para>
 
   <para>The objective of this report is to provide a summary of all security vulnerabilities which
-   affected SUSE products in calendar year 2022. We will go into details on the high impact
-   vulnerabilities which affected our prour products in 2022 and elaborate on how we responded to
+   affected SUSE products in calendar year 2023. We will go into details on the high impact
+   vulnerabilities which affected our prour products in 2023 and elaborate on how we responded to
    these incidents. For a better understanding of our classification mechanisms, we have described
    our rating system along with the equivalency of each rating to the CVSS v3.1 scoring
    calculator:</para>
@@ -301,9 +299,9 @@
      </row>
     </tbody>
    </tgroup>
-  </table>
+  </table>-->
 
- </sect1>
+ <!--</sect1>
 
  <sect1 xml:id="sec-prefer-upgrades-over-backports">
   <title>When to prefer version upgrades over backports</title>
@@ -316,120 +314,105 @@
    line. </para>
 
   <para>Sometimes also for other types of packages the choice is made to introduce a new version
-   rather than a backport. This is done when producing a backport is not economically feasible or
+<!-\-   rather than a backport. This is done when producing a backport is not economically feasible or
    when there is a very relevant technical reason to introduce the newer version.</para>
 
- </sect1>
+ </sect1>-->
 
- <sect1 xml:id="sec-security-vulnerabilities-2022">
-  <title>Major security vulnerabilities in 2022</title>
+ <sect1 xml:id="sec-security-vulnerabilities-2023">
+  <title>Major security vulnerabilities in 2023</title>
 
   <sect2 xml:id="sec-pwnkit">
-   <title>pwnkit</title>
+   <title>CVE-2023-38408: Remote code execution in OpenSSH's forwarded ssh-agent</title>
 
    <bridgehead>Overview</bridgehead>
-   <para>In the beginning of January, Qualys securcal root exploit in "pkexec" component of polkit.
-    The pkexec application is a setuid tool designed to allow unprivileged users to run commands as
-    privileged users according predefined policies. Local attackers could use the setuid root
-    /usr/bin/pkexec binary to reliably escalate privileges to root. The previous version of pkexec
-    did not handle the calling parameters count correctly and ends trying to execute environment
-    variables as commands. An attacker could leverage this by crafting environment variables in such
-    a way it would induce pkexec to execute arbitrary code. When successfully executed the attack
-    could cause a local privilege escalation from unprivileged users able to execute pkexec to
-    root.</para>
-
-   <para>This vulnerability affected all SUSE Linux Enterprise Server 12 and SUSE Linux Enterprise
-    Server 15 service packs. It did not affect SUSE Linux Enterprise Server 11, as it used a
-    previous generation called <quote>PolicyKit</quote>.</para>
+   <para>n July 2023, The Qualys Threat Research Unit (TRU) has discovered a remote code 
+    execution vulnerability in OpenSSH’s forwarded <package>ssh-agent</package>. This vulnerability allows a remote 
+    attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded <package>ssh-agent</package>. </para>
+
+   <para>Attackers must be able to access a host via SSH to escalate privileges on that host by exploiting 
+    a flaw in the <package>pkcs11</package> module loading of the SSH agent. As the <package>pkcs11</package> agent helper allowed loading of 
+    system dynamic libraries, certain loading patterns and problems in system libraries could be used 
+    to gain code execution as the <package>pkcs11</package> helper.</para>
 
    <bridgehead>Solution</bridgehead>
    <para> Installing the updated packages provided by SUSE is sufficient to fix the problem.
     Use</para>
 
-   <screen>zypper lp -a --cve=CVE-2021-4034</screen>
+   <screen>zypper lp -a --cve=CVE-2023-38408</screen>
 
    <para> to search for the specific patch information. A restart of the service is not
     required.</para>
 
-   <para>Note that for any SPx (Service Pack level) which is no longer in general support, an LTSS
-    or ESPOS subscription may be needed to obtain the update. See the SUSE <quote>CVE Page</quote>
-    link in the <quote>References</quote> paragraph below for more details about each SPx. In future
-    releases, SUSE has split out <package>pkexec</package> from the default installed
-     <package>polkit-1</package> packages, to allow reducing the attack surface if
-     <package>pkexec</package> is not required on the system.</para>
+   <para>Note that for any SPx (Service Pack level) which is no longer in general support, you might need an LTSS
+    or ESPOS subscription to obtain the update. See the SUSE <quote>CVE Page</quote>
+    link in the <quote>References</quote> paragraph below for more details about each SPx.</para>
 
    <bridgehead>Workaround</bridgehead>
-   <para> It is also possible to remove the setuid bit
-    from <filename>/usr/bin/pkexec </filename>with </para>
-
-   <screen>chmod 755 /usr/bin/pkexec</screen>
+   <para>In case PKCS11 smartcards are not used for SSH agent support, remove 
+    <filename>/usr/lib/ssh/ssh-pkcs11-helper</filename> from the system until maintenance updates 
+    have been released.</para>
+
+   <para>The workaround prevents exploitation and might be the right thing to do given how easy the exploit it, 
+    but customers must be aware that this will break functionality until the update is installed.</para>
 
-   <para>or even by deleting <filename>/usr/bin/pkexec</filename> until fixed packages can be
-    installed.</para>
-
-   <para>SUSE does not recommend removing the <command>setuid</command> bit as it will cause
-    breakage on the system. Removing the <command>setuid</command> permission from
-     the<package>pkexec</package> binary will prevent it from working properly for legitimate use
-    cases. This means that any application which relies on <package>pkexec</package> execution will
-    stop working, possibly causing unexpected system errors and behavior. The workaround prevents
-    exploitation and might be the right thing to do given how easy the exploit it, but customers
-    must be aware that this will break functionality until the update is installed.</para>
 
    <bridgehead>References</bridgehead>
 
    <itemizedlist>
     <listitem>
-     <para> SUSE CVE Web page for CVE-2021-4034: <link
-       xlink:href="https://www.suse.com/security/cve/CVE-2021-4034.html"/></para>
+     <para> SUSE Web page for CVE-2023-38408: <link
+      xlink:href="https://www.suse.com/security/cve/CVE-2023-38408.html"/></para>
     </listitem>
     <listitem>
-     <para>SUSE Technical Information Document (TID) 000020564: <link
-       xlink:href="https://www.suse.com/support/kb/doc/?id=000020564"/></para>
+     <para>Blog article: <link
+      xlink:href="https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent"/></para>
     </listitem>
    </itemizedlist>
 
   </sect2>
 
 
-  <sect2 xml:id="sec-samba-vfs-remote">
-   <title>Samba vfs_fruit remote code execution</title>
+  <sect2 xml:id="sec-zenbleed">
+   <title>CVE-2023-20593: AMD CPU: "ZenBleed" - VZEROUPPER does not clear upper bits under certain conditions</title>
 
    <bridgehead>Overview</bridgehead>
-   <para> Researcher Orange Tsai from DEVCORE reported a remote buffer overflow in the
-     <quote>fruit</quote> vfs module of Samba, tracked under CVE-2021-44142. The fruit module, which
-    is used by Samba for Apple-related extended attribute storage, can be exploited by remote
-    attackers with access to the Samba server to execute code as the Samba server (basically as
-    root). The Samba <package>vfs_fruit</package> module uses extended file attributes (EA, xattr)
-    to provide <quote>[...] enhanced compatibility with Apple SMB clients and interoperability with
-     a Netatalk 3 AFP file server.</quote> Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with
-     <package>vfs_fruit</package> configured allow out-of-bounds heap read and write via specially
-    crafted extended file attributes. A remote attacker with write access to extended file
-    attributes can execute arbitrary code with the privileges of smbd, typically root.</para>
+   <para> Researchers at Google have discovered Zenbleed, a hardware bug causing corruption of the vector registers.</para>
+
+   <para>When a VZEROUPPER instruction is discarded as part of a bad transient execution path, its effect 
+    on internal tracking is not unwound correctly. This manifests as the wrong micro-architectural state 
+    becoming architectural, and corrupting the vector registers.</para>
+
+   <para><emphasis>Note:</emphasis> While this malfunction is related to speculative execution, 
+    this is not a speculative side-channel vulnerability.</para>
+
+   <para>The corruption is not random. It happens to be stale values from the physical vector register file, 
+    a structure competitively shared between sibling threads. Therefore, an attacker can directly access data from 
+    the sibling thread, or from a more privileged context.</para>
 
    <bridgehead>Solution</bridgehead>
-   <para>The <quote>fruit</quote> vfs module is not configured by default. To determine if it is
-    used, check for a line starting with <command>"vfs objects="</command> with <quote>fruit</quote>
-    listed in <filename>/etc/samba/smb.conf</filename>.</para>
-
-   <para>Packages containing a fix for this security issue were made available quickly. They should
-    be installed using</para>
+   <para>Packages containing a fix for this security issue were made available quickly. 
+    To apply the fixes, install the new packages with the following command:</para>
 
-   <screen>zypper patch --cve=CVE-2021-44142</screen>
+   <screen>zypper patch --cve=CVE-2023-20593</screen>
 
-   <para>for applying the fixed packages. </para>
 
    <bridgehead>References</bridgehead>
 
    <itemizedlist>
     <listitem>
-     <para>SUSE TID 000020564: <link xlink:href="https://www.suse.com/support/kb/doc/?id=000020564"
-      /></para>
+     <para>SUSE Web page for CVE-2023-20593 : <link
+      xlink:href="https://www.suse.com/security/cve/CVE-2023-20593.html"/></para>
     </listitem>
     <listitem>
-     <para>SUSE CVE-2021-4034 Web page: <link
-       xlink:href="https://www.suse.com/security/cve/CVE-2021-4034.html"/></para>
+     <para>AMD Security Bulletin: <link xlink:href="https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html"
+    /></para>
     </listitem>
-   </itemizedlist>
+    <listitem>
+     <para>GitHub security research article: <link xlink:href="https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8"
+     /></para>
+    </listitem>
+    </itemizedlist>
 
   </sect2>
 
@@ -473,7 +456,7 @@
       /></para>
     </listitem>
     <listitem>
-     <para>SUSE CVE-2022-0435 Web page: <link
+     <para>SUSE Web page for CVE-2022-0435 : <link
        xlink:href="https://www.suse.com/security/cve/CVE-2022-0435.html"/></para>
     </listitem>
    </itemizedlist>