Malware Devil

Thursday, June 24, 2021

ESB-2021.2223 – [SUSE] cryptctl: Multiple vulnerabilities


===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2223
Security update for cryptctl
24 June 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: cryptctl
Publisher: SUSE
Operating System: SUSE
Impact/Access: Access Confidential Data -- Unknown/Unspecified
               Reduced Security        -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2019-18906

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20212137-1
https://www.suse.com/support/update/announcement/2021/suse-su-20212136-1

Comment: This bulletin contains two (2) SUSE security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for cryptctl

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2137-1
Rating: important
References: #1186226
Cross-References: CVE-2019-18906
Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP5
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for cryptctl fixes the following issues:
Update to version 2.4:

o CVE-2019-18906: Client-side password hashing was equivalent to clear text
password storage (bsc#1186226).
o First step towards using the plain text password instead of the hashed
password.
o Move the repository into the SUSE GitHub organization.
o In the RPC server, if a client connects from localhost, remember its IPv4
localhost address instead of its IPv6 address.
o Tell a record to clear expired pending commands upon saving a command
result; introduce a pending-commands RPC test case.
o Avoid hard-coding 127.0.0.1 in the host ID of the alive-message test; let the
system administrator mount and unmount disks by issuing these two commands on
the key server.

Patch Instructions:

To install this SUSE Security Update, use the SUSE recommended installation
methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Server for SAP 12-SP5:
zypper in -t patch SUSE-SLE-SAP-12-SP5-2021-2137=1
o SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2137=1
o SUSE Linux Enterprise Server for SAP 12-SP3:
zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2137=1
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2137=1

Package List:

o SUSE Linux Enterprise Server for SAP 12-SP5 (ppc64le x86_64):
cryptctl-2.4-2.10.1
cryptctl-debuginfo-2.4-2.10.1
o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
cryptctl-2.4-2.10.1
cryptctl-debuginfo-2.4-2.10.1
o SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
cryptctl-2.4-2.10.1
cryptctl-debuginfo-2.4-2.10.1
o SUSE Linux Enterprise Server 12-SP5 (ppc64le x86_64):
cryptctl-2.4-2.10.1
cryptctl-debuginfo-2.4-2.10.1

References:

o https://www.suse.com/security/cve/CVE-2019-18906.html
o https://bugzilla.suse.com/1186226

- --------------------------------------------------------------------------------

SUSE Security Update: Security update for cryptctl

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2136-1
Rating: important
References: #1186226
Cross-References: CVE-2019-18906
Affected Products:
SUSE Manager Server 4.0
SUSE Manager Retail Branch Server 4.0
SUSE Manager Proxy 4.0
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Module for SAP Applications 15-SP1
SUSE Linux Enterprise Module for SAP Applications 15
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Enterprise Storage 6
SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for cryptctl fixes the following issues:
Update to version 2.4:

o CVE-2019-18906: Client-side password hashing was equivalent to clear text
password storage (bsc#1186226).
o First step towards using the plain text password instead of the hashed
password.
o Move the repository into the SUSE GitHub organization.
o In the RPC server, if a client connects from localhost, remember its IPv4
localhost address instead of its IPv6 address.
o Tell a record to clear expired pending commands upon saving a command
result; introduce a pending-commands RPC test case.
o Avoid hard-coding 127.0.0.1 in the host ID of the alive-message test; let the
system administrator mount and unmount disks by issuing these two commands on
the key server.

Patch Instructions:

To install this SUSE Security Update, use the SUSE recommended installation
methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

o SUSE Manager Server 4.0:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2136=1
o SUSE Manager Retail Branch Server 4.0:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2136=1
o SUSE Manager Proxy 4.0:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2136=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2136=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2136=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2136=1
o SUSE Linux Enterprise Module for SAP Applications 15-SP1:
zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-SP1-2021-2136=1
o SUSE Linux Enterprise Module for SAP Applications 15:
zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-2021-2136=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2136=1
o SUSE Linux Enterprise Module for Basesystem 15-SP2:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2136=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2136=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2136=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2021-2136=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.

Package List:

o SUSE Manager Server 4.0 (ppc64le x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Manager Retail Branch Server 4.0 (x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Manager Proxy 4.0 (x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (ppc64le x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise Module for SAP Applications 15-SP1 (ppc64le x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise Module for SAP Applications 15 (ppc64le x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (ppc64le x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise Module for Basesystem 15-SP2 (ppc64le x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE Enterprise Storage 6 (x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1
o SUSE CaaS Platform 4.0 (x86_64):
cryptctl-2.4-4.5.1
cryptctl-debuginfo-2.4-4.5.1

References:

o https://www.suse.com/security/cve/CVE-2019-18906.html
o https://bugzilla.suse.com/1186226

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
