CVE-2019-18903: 
Linux openSUSE vulnerability analysis and mitigation

A Use After Free (UAF) vulnerability was discovered in the wicked component of SUSE Linux Enterprise Server and openSUSE systems. The vulnerability, identified as CVE-2019-18903, affects multiple versions of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, openSUSE Leap 15.1, and openSUSE Factory. The issue was discovered in 2019 and publicly disclosed in March 2020 (NIST NVD, MITRE CVE).

The vulnerability occurs when processing DHCP6 IA_PD options. Specifically, when ni_dhcp6_option_parse_ia_pd() receives a packet with invalid times inside a DHCP6 IA_PD option, it frees the storage for the IA option but still stores it in the IA list, leading to a Use After Free condition. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST and 7.5 (HIGH) by SUSE, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (SUSE Bug).

The vulnerability allows remote attackers to cause a Denial of Service (DoS) condition or potentially execute arbitrary code on affected systems. The high severity rating indicates significant potential impact on the confidentiality, integrity, and availability of the affected systems (NIST NVD).

Fixed versions have been released for affected systems. Users should upgrade to the following versions: SUSE Linux Enterprise Server 12 - wicked version 0.6.60-2.18.1 or later, SUSE Linux Enterprise Server 15 - wicked version 0.6.60-28.26.1 or later, openSUSE Leap 15.1 - wicked version 0.6.60-lp151.2.9.1 or later, and openSUSE Factory - wicked version 0.6.62 or later (NIST NVD).