SUSE releases critical Linux Kernel Live Patch 4 for SLE 15 SP6, fixing 4 high-risk vulnerabilities (CVE-2024-49855, CVE-2025-21680, CVE-2024-58013, CVE-2024-57996). Learn how to secure your enterprise systems with this urgent update, including patch commands, CVSS scores, and affected products.
Why This Update Matters for Enterprise Security
The Linux Kernel Live Patch 4 for SLE 15 SP6 addresses four high-severity vulnerabilities (rated important by SUSE) that could expose systems to privilege escalation, memory corruption, and denial-of-service attacks. This update is critical for:
System administrators managing SUSE Linux Enterprise servers
DevOps teams ensuring compliance and uptime
Cybersecurity professionals mitigating zero-day risks
Vulnerabilities Patched in This Update
1. CVE-2024-49855: Race Condition in NBD (Network Block Device)
CVSS 7.3 (SUSE 4.0) | 7.0 (NVD 3.1)
Risk: Local attackers could exploit a race condition between timeout and completion in the NBD driver, leading to arbitrary code execution.
Fix: Kernel patch resolves timing flaws in I/O handling.
2. CVE-2025-21680: Out-of-Bounds Access in pktgen
CVSS 8.5 (SUSE 4.0) | 7.8 (NVD 3.1)
Risk: Memory corruption via malformed packet generation, enabling kernel crashes or privilege escalation.
Fix: Boundary checks added to get_imix_entries().
3. CVE-2024-58013: Bluetooth MGMT Use-After-Free
CVSS 7.0 (SUSE 4.0) | 7.8 (NVD 3.1)
Risk: Slab-use-after-free in Bluetooth management allows remote attackers to crash systems or leak data.
Fix: Memory handling corrected in mgmt_remove_adv_monitor_sync().
4. CVE-2024-57996: sch_sfq Packet Limit Vulnerability
CVSS 8.5 (SUSE 4.0) | 7.8 (NVD 3.1)
Risk: Denial-of-service via malformed network traffic exploiting the 1-packet limit in the SFQ scheduler.
Fix: Enforced minimum queue limits.
Affected Products & Patch Instructions
Systems Impacted:
SUSE Linux Enterprise Live Patching 15-SP6
SUSE Linux Enterprise Server 15 SP6 (including SAP Applications)
openSUSE Leap 15.6
How to Apply the Patch:
For SUSE Linux Enterprise Live Patching 15-SP6:
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP6-2025-1931=1 SUSE-SLE-Module-Live-Patching-15-SP6-2025-1930=1
For openSUSE Leap 15.6:
zypper in -t patch SUSE-2025-1930=1 SUSE-2025-1931=1
Alternative Methods:
Use YaST Online Update for GUI-based patching.
Schedule patches via SUSE Manager for enterprise deployments.
Key Takeaways for Security Teams
Prioritize patching—all CVEs have high exploitability (AV:L/AC:L).
Monitor logs for unusual NBD or pktgen activity.
Verify patches with uname -r and cross-check kernel versions.
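A live patch leaves the running kernel release string unchanged, so verification also needs the kernel's own live-patch state. The script below is an added example, not SUSE tooling or code from the advisory: it reads the upstream livepatch sysfs layout (/sys/kernel/livepatch/<patch>/enabled and transition) and lists which of the four affected subsystems are loaded as modules. The function names, the demo tree and the patch name livepatch_constructed_4 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SUSE tooling. Assumes the upstream livepatch sysfs layout
# and that nbd, pktgen, bluetooth and sch_sfq are built as loadable modules.

# Print "<patch> active|in-transition|disabled" per live patch under $1.
# Returns non-zero when no live patch is registered at all.
livepatch_state() {
    root=${1:-/sys/kernel/livepatch}
    found=1
    for dir in "$root"/*; do
        [ -f "$dir/enabled" ] || continue
        found=0
        enabled=$(cat "$dir/enabled")
        transition=$(cat "$dir/transition" 2>/dev/null || echo 0)
        if [ "$enabled" != 1 ]; then
            state=disabled
        elif [ "$transition" = 1 ]; then
            state=in-transition   # some tasks still run unpatched code
        else
            state=active
        fi
        echo "${dir##*/} $state"
    done
    return "$found"
}

# Print the advisory's affected subsystems that appear in a /proc/modules-style
# file ($1): nbd, pktgen, bluetooth (MGMT) and sch_sfq.
affected_modules_loaded() {
    awk '$1 ~ /^(nbd|pktgen|bluetooth|sch_sfq)$/ { print $1 }' \
        "${1:-/proc/modules}" | sort
}

# Constructed demo input (not real system output); use the defaults on a host.
demo=$(mktemp -d)
mkdir -p "$demo/lp/livepatch_constructed_4"
echo 1 > "$demo/lp/livepatch_constructed_4/enabled"
echo 0 > "$demo/lp/livepatch_constructed_4/transition"
printf '%s\n' 'nbd 65536 0 - Live 0x0' 'ext4 999424 1 - Live 0x0' \
    'sch_sfq 24576 1 - Live 0x0' > "$demo/modules"

livepatch_state "$demo/lp"
affected_modules_loaded "$demo/modules"
```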
FAQ: Linux Kernel Live Patching
Q: Can I delay this update if my systems are behind a firewall?
A: No—CVE-2025-21680 and CVE-2024-57996 are locally exploitable, making firewalls ineffective.
Q: Does this patch require a reboot?
A: No. Live patching applies fixes without restarting the kernel.
Q: Where can I report new vulnerabilities?
A: Submit to SUSE Security via Bugzilla.
