OpenSUSE Linux update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 CVE-2019-5736 CVE-2019-6486 |
| CWE-ID | CWE-77 CWE-22 CWE-20 CWE-264 CWE-400 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available. |
| Vulnerable software Subscribe |
SUSE Linux Operating systems & Components / Operating system |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Command injection
EUVDB-ID: #VU16545
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16873
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists in the go get command due to import path of a malicious Go package, or a package that imports it directly or indirectly. A remote unauthenticated attacker can use a vanity import path that ends with "/.git", use custom domains to arrange things so that a Git repository is cloned to a folder named ".git", trick the victim into considering the parent directory as a repository root, and run Git commands on it that will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, and execute arbitrary code on the system running "go get -u".
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
SUSE Linux: 15
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Path traversal
EUVDB-ID: #VU16544
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16874
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct a directory traversal attack on the target system.
The vulnerability exists in the go get command due to path traversal attack when the affected software executes the go get command with the import path of a Go package that contains curly braces. A remote unauthenticated attacker can execute the go get command, trick the victim into accessing a Go package that submits malicious input, conduct a directory traversal attack, which the attacker can use to execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
SUSE Linux: 15
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU16546
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16875
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists on Go TLS servers accepting client certificates and TLS clients due to the crypto/x509 package does not limit the amount of work performed for each chain verification. A remote unauthenticated attacker can craft pathological inputs leading to a CPU denial of service.
MitigationUpdate the affected packages.
SUSE Linux: 15
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Privilege escalation
EUVDB-ID: #VU17474
Risk: Medium
CVSSv3.1: 7.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2019-5736
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists in the runc container runtime due to file-descriptor mishandling, related to /proc/self/exe. A remote attacker can leverage the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec, overwrite the host runc binary with minimal user interaction and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages.
SUSE Linux: 15
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
5) Resource exhaustion
EUVDB-ID: #VU17245
Risk: Low
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-6486
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The vulnerability exists in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves due to insufficient validation of user-supplied input. A remote attacker can submit specially crafted inputs via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures, consume excessive amounts of CPU and cause the service to crash.
MitigationUpdate the affected packages.
SUSE Linux: 15
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
