Malte Kraus

**Name of the Vulnerable Software and Affected Versions** RPM (affected versions not specified) **Description** A symbolic link issue was found in rpm, occurring when rpm sets the desired permissions and credentials after installing a file. This flaw could be exploited by a local unprivileged user to exchange the original file with a symbolic link to a security-critical file, potentially escalating their privileges on the system. The highest threat from this issue is to data confidentiality and integrity as well as system availability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl versions prior to 2.4 SUSE Manager Server 4.0 cryptctl versions prior to 2.4 **Description** A vulnerability in cryptctl allows attackers with access to the hashed password to use it without having to crack it. This issue enables attackers to bypass proper authentication mechanisms. **Recommendations** For SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl versions prior to 2.4, update to version 2.4 or later. For SUSE Manager Server 4.0 cryptctl versions prior to 2.4, update to version 2.4 or later.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise Module for SUSE Manager Server 4.1 SUSE Manager Proxy 4.0 versions prior to 4.0.9-0.16.38.1 SUSE Manager Retail Branch Server 4.0 versions prior to 4.0.9-0.16.38.1 SUSE Manager Server 3.2 SUSE Manager Server 4.0 versions prior to 4.0.9-3.54.1 google-gson versions prior to 2.8.5-3.4.3 httpcomponents-client versions prior to 4.5.6-3.4.2 **Description** A vulnerability in the configuration of salt allows local users to escalate to root on every system managed by SUSE manager. On the managing node itself, code can be executed as user salt, potentially allowing for escalation to root there. **Recommendations** For SUSE Linux Enterprise Module for SUSE Manager Server 4.1, update to a version that includes the fix for this issue. For SUSE Manager Proxy 4.0, update to version 4.0.9-0.16.38.1 or later. For SUSE Manager Retail Branch Server 4.0, update to version 4.0.9-0.16.38.1 or later. For SUSE Manager Server 3.2, update salt-netapi-client to version 0.16.0-4.14.1 or later. For SUSE Manager Server 4.0, update to version 4.0.9-3.54.1 or later. For google-gson, update to version 2.8.5-3.4.3 or later. For httpcomponents-client, update to version 4.5.6-3.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise Server 12 versions prior to 2015.09.28.1626-17.27.1 SUSE Linux Enterprise Server 15 versions prior to 20181116-9.23.1 SUSE Linux Enterprise Server 11 versions prior to 2013.1.7-0.6.12.1 **Description** A UNIX Symbolic Link (Symlink) Following issue in chkstat affects SUSE Linux Enterprise Server, causing it to set permissions intended for specific binaries on other binaries because it erroneously follows symlinks. However, exploitation is difficult since the symlinks cannot be controlled by attackers on default systems. This issue is related to the incorrect determination of a link before accessing a file, which may allow an attacker to elevate their privileges. **Recommendations** For SUSE Linux Enterprise Server 12 versions prior to 2015.09.28.1626-17.27.1, update to a version newer than 2015.09.28.1626-17.27.1 to resolve the issue. For SUSE Linux Enterprise Server 15 versions prior to 20181116-9.23.1, update to a version newer than 20181116-9.23.1 to resolve the issue. For SUSE Linux Enterprise Server 11 versions prior to 2013.1.7-0.6.12.1, update to a version newer than 2013.1.7-0.6.12.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise Server 12 wicked versions prior to 0.6.60-2.18.1 SUSE Linux Enterprise Server 15 wicked versions prior to 0.6.60-28.26.1 openSUSE Leap 15.1 wicked versions prior to 0.6.60-lp151.2.9.1 openSUSE Factory wicked versions prior to 0.6.62 **Description** A Use After Free issue in wicked allows remote attackers to cause Denial of Service (DoS) or potentially execute code. **Recommendations** For SUSE Linux Enterprise Server 12, update wicked to version 0.6.60-2.18.1 or later. For SUSE Linux Enterprise Server 15, update wicked to version 0.6.60-28.26.1 or later. For openSUSE Leap 15.1, update wicked to version 0.6.60-lp151.2.9.1 or later. For openSUSE Factory, update wicked to version 0.6.62 or later.

**Name of the Vulnerable Software and Affected Versions** openSUSE wicked versions 0.6.55 and earlier **Description** A memory leak in the `ni dhcp4 fsm process dhcp4 packet` function allows network attackers to cause a denial of service by sending DHCP4 packets with a different `client-id`. **Recommendations** For versions 0.6.55 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise Server 12 wicked versions prior to 0.6.60-3.5.1 SUSE Linux Enterprise Server 15 wicked versions prior to 0.6.60-3.21.1 openSUSE Leap 15.1 wicked versions prior to 0.6.60-lp151.2.6.1 openSUSE Factory wicked versions prior to 0.6.62 **Description** A Use After Free issue in wicked allows remote attackers to cause Denial of Service (DoS) or potentially execute code. **Recommendations** For SUSE Linux Enterprise Server 12, update wicked to version 0.6.60-3.5.1 or later. For SUSE Linux Enterprise Server 15, update wicked to version 0.6.60-3.21.1 or later. For openSUSE Leap 15.1, update wicked to version 0.6.60-lp151.2.6.1 or later. For openSUSE Factory, update wicked to version 0.6.62 or later.

**Name of the Vulnerable Software and Affected Versions** openSUSE wicked versions 0.6.55 and earlier **Description** A memory leak in the `ni dhcp4 parse response` function allows network attackers to cause a denial of service by sending DHCP4 packets without a message type option. This issue can be exploited by sending specifically crafted packets, potentially leading to a denial of service. **Recommendations** For openSUSE wicked versions 0.6.55 and earlier, update to a version later than 0.6.55 to resolve the issue. As a temporary workaround, consider restricting access to the network to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa **Description** The issue in the permission package of SUSE Linux Enterprise Server allowed all local users to run dumpcap in the "easy" permission profile, enabling them to sniff network traffic. **Recommendations** For SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa, consider restricting the use of the "easy" permission profile to prevent unauthorized access to network traffic. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** permissions package versions prior to commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 openSUSE Leap (affected versions not specified) **Description** The issue is related to the chkstat tool in the permissions package, which followed symlinks, allowing local attackers with control over a traversed path to escalate privileges. This is due to errors in handling symbolic links. **Recommendations** For versions prior to commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230, consider applying the fix committed in a9e1d26cd49ef9ee0c2060c859321128a6dd4230 and review additional hardenings. For openSUSE Leap, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pam-python versions prior to 1.0.7-1 **Description** The issue is related to insecure privilege management in the pam-python PAM module, which allows an attacker to escalate privileges using a specially crafted binary file with the setuid flag. This can lead to local root escalation in certain PAM setups. The vulnerability is due to the default environment variable handling of Python, which can be manipulated by a local user to gain access with root privileges. **Recommendations** For versions prior to 1.0.7-1, update to version 1.0.7-1 or later to resolve the issue. As a temporary workaround, consider restricting access to the pam-python module to minimize the risk of exploitation. Avoid using the default environment variable handling of Python in PAM setups until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** nfs-utils versions prior to 1.3.0-34.18.1 nfs-utils versions prior to 2.1.1-6.10.2 **Description** The issue is related to the incorrect assignment of standard permissions in the `nsm drop privileges` function of the nfs-utils package. This can allow a remote attacker to access confidential data, compromise its integrity, and trick processes running with root privileges into creating or overwriting files anywhere on the system. The directory `/var/lib/nfs` is owned by `statd:nogroup` and contains files owned and managed by root, which can be exploited if `statd` is compromised. **Recommendations** For versions prior to 1.3.0-34.18.1, update to a version later than 1.3.0-34.18.1 to resolve the issue. For versions prior to 2.1.1-6.10.2, update to a version later than 2.1.1-6.10.2 to resolve the issue. As a temporary workaround, consider restricting access to the `/var/lib/nfs` directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GVFS versions 1.29.4 through 1.41.2 **Description** The issue is related to errors in handling permissions in the daemon/gvfsbackendadmin.c component of the GVFS subsystem in the GNOME desktop environment for Linux operating systems. This can allow a remote attacker to impact the integrity, confidentiality, and availability of protected information. The problem arises because the setfsuid function is not used, leading to mishandling of file ownership. **Recommendations** For GVFS versions 1.29.4 through 1.41.2, consider restricting access to the `gvfsbackendadmin.c` component until a patch is available. As a temporary workaround, avoid using the affected GVFS backend to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNOME gvfs versions 1.29.4 through 1.41.2 **Description** The issue is caused by a race condition in the daemon/gvfsbackendadmin.c component of the GVFS subsystem in the GNOME desktop environment for Linux operating systems. This occurs due to concurrent execution using a shared resource with incorrect synchronization, allowing a remote attacker to potentially impact the integrity, confidentiality, and availability of protected information. **Recommendations** For versions 1.29.4 through 1.41.2, consider disabling the admin backend functionality in daemon/gvfsbackendadmin.c as a temporary workaround until a patch is available. Restrict access to the vulnerable GVFS subsystem to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNOME gvfs versions 1.29.4 through 1.41.2 **Description** The issue is related to the mishandling of a file's user and group ownership during move and copy operations from admin:// to file:// URIs in the daemon/gvfsbackendadmin.c component of the GVFS subsystem in GNOME. This is due to the unavailability of root privileges. The vulnerability may allow a remote attacker to impact the integrity, confidentiality, and availability of protected information when copying files using G FILE COPY ALL METADATA. **Recommendations** For versions 1.29.4 through 1.41.2, consider restricting the use of the `daemon/gvfsbackendadmin.c` component until a patch is available, especially when performing operations involving admin:// and file:// URIs. Avoid using the `G FILE COPY ALL METADATA` option for copying files between these URIs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SUSE Manager versions prior to 4.0.7 Uyuni versions prior to commit 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade **Description** The issue arises when the system does not have a swap already configured and does not use btrfs as its filesystem, resulting in the creation of world-readable swap files. **Recommendations** For SUSE Manager versions prior to 4.0.7, update to version 4.0.7 or later to resolve the issue. For Uyuni versions prior to commit 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade, update to a version that includes the fix, specifically a commit after 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1 SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1 SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1 openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1 openSUSE Factory osc versions prior to 0.169.0 **Description** A External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4, openSUSE Leap 15.1, and openSUSE Factory allowed remote attackers that can change downloaded packages to overwrite arbitrary files. This issue is related to incorrect external control of file name or path, which may allow a remote attacker to elevate their privileges. **Recommendations** For SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1, update to version 0.169.1-3.20.1 or later. For SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1, update to version 0.162.1-15.9.1 or later. For SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1, update to version 0.162.1-15.9.1 or later. For openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1, update to version 0.169.1-lp151.2.15.1 or later. For openSUSE Factory osc versions prior to 0.169.0, update to version 0.169.0 or later.