FERRAMENTAS LINUX: Critical Security Update: iputils Vulnerability Patched (CVE-2025-48964)

Monday, July 21, 2025

SUSer


SUSE releases a critical security update for iputils (CVE-2025-48964) patching an integer overflow in ping statistics. Affects openSUSE Leap, SLE 15 SP6/SP7, and more. Learn patch instructions, CVSS scores, and enterprise risks.

SUSE Releases Moderate-Risk Fix for Integer Overflow in Ping Statistics

Published: July 21, 2025
Last Updated: July 22, 2025
Author: Linux Security Team


Overview of the Vulnerability

SUSE has released a critical security update for iputils, addressing CVE-2025-48964, a moderate-risk vulnerability affecting multiple Linux distributions. This flaw, an integer overflow in ping statistics triggered by a zero timestamp, could allow attackers to manipulate network diagnostics, potentially leading to denial of service (DoS) or data corruption.

Affected Systems

The following SUSE-based platforms require immediate patching:

  • openSUSE Leap 15.5, 15.6

  • SUSE Linux Enterprise Server 15 SP6/SP7

  • SUSE Linux Enterprise Desktop 15 SP6/SP7

  • SUSE Linux Enterprise Micro 5.5

  • SUSE Linux Enterprise Real Time 15 SP6/SP7

  • Basesystem Module 15-SP6/SP7


Technical Details & Risk Assessment

CVE-2025-48964 Explained

  • CVSS v4.0 Score: 5.3 (Moderate)

  • CVSS v3.1 Score: 5.4 (Moderate)

  • Attack Vector: Network (AV:N)

  • Impact: Low integrity/availability impact (VI:L/VA:L)

This vulnerability stems from improper handling of timestamp calculations in the ping utility, which could be exploited to trigger incorrect statistical reporting or crashes.

Why This Matters for Enterprises

  • Network Monitoring Risks: Corrupted ping data could mislead administrators during diagnostics.

  • Compliance Implications: Unpatched systems may violate security policies (e.g., ISO 27001, NIST SP 800-53).


Patch Instructions

Recommended Update Methods

  1. YaST Online Update (GUI)

  2. Command Line (zypper):

```bash
# For openSUSE Leap 15.5:
zypper in -t patch SUSE-2025-2430=1

# For SUSE Linux Enterprise Micro 5.5:
zypper in -t patch SUSE-SLE-Micro-5.5-2025-2430=1
```

(Full commands for all affected systems are listed in the original advisory.)


Package Updates & Verification

After patching, verify the installed version matches:

  • iputils-20221126-150500.3.14.1 (or later)

Debug packages (iputils-debuginfo, iputils-debugsource) are also updated for forensic analysis.
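The version check above is easy to get wrong with a plain string comparison (release numbers such as 3.9.1 and 3.14.1 do not sort lexically). The following added script, not part of the advisory or of SUSE's tooling, queries rpm for the installed iputils version-release and compares it against the fixed version quoted above using a simplified implementation of rpm's segment-by-segment version comparison (epoch, tilde and caret handling are assumed not to matter for this package and are left out).

```python
import re
import subprocess

# Fixed version-release from the SUSE advisory summarised on this page.
FIXED_VERSION = "20221126-150500.3.14.1"


def _segments(s):
    # rpm splits a version on non-alphanumerics into all-digit or all-letter runs.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's version comparison (simplified: no ~ or ^)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Whichever string still has segments left is the newer one.
    return -1 if len(sa) < len(sb) else 1


def compare_evr(installed, fixed):
    """Compare two 'version-release' strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def is_patched(installed, fixed=FIXED_VERSION):
    return compare_evr(installed, fixed) >= 0


def installed_iputils_version():
    """Ask rpm on a SUSE host for iputils' version-release; None if rpm is unavailable."""
    cmd = ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "iputils"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_iputils_version()
    if v is None:
        print("rpm query failed; is this an RPM-based host?")
    else:
        print(v, "patched" if is_patched(v) else "VULNERABLE - apply the patch")
```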


FAQ

Q: Is this vulnerability exploitable remotely?

A: Yes, but it requires user interaction (UI:P) and has limited impact.

Q: How urgent is this patch?

A: Moderate priority—apply within standard update cycles for production systems.

Q: Are non-SUSE distributions affected?

A: Check upstream iputils maintainers for advisories.
