Synopsis
The remote SUSE host is missing one or more security updates.
Description
The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs.
The Following security issues have been fixed :
CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.
CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password.
CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.
CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.
CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.
CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.
CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application.
CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.
CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.
CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.
CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application.
CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.
CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.
CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.
CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.
CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.
CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.
CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.
CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.
CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.
CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.
CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.
CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.
CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.
CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and 'updating a negative key into a fully instantiated key.'
CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.
CVE-2009-4020: Stack-based buffer overflow in the hfs subsystem in the Linux kernel allowed remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.
CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.
CVE-2011-4077: Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel, when CONFIG_XFS_DEBUG is disabled, allowed local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.
CVE-2011-4324: The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.
CVE-2011-4330: Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.
CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
CVE-2011-2525: The qdisc_notify function in net/sched/sch_api.c in the Linux kernel did not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.
CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.
CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
CVE-2011-3209: The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel on the x86 platform allowed local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.
CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.
CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating 0 character.
CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.
CVE-2011-2203: The hfs_find_init function in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record.
CVE-2009-4067: A USB string descriptor overflow in the auerwald USB driver was fixed, which could be used by physically proximate attackers to cause a kernel crash.
CVE-2011-3363: The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel did not properly handle DFS referrals, which allowed remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.
CVE-2011-2484: The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.
CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an 'invalid log first block value.'
CVE-2010-4249: The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.
The following bugs have been fixed :
patches.fixes/allow-executables-larger-than-2GB.patch: Allow executables larger than 2GB (bnc#836856).
cio: prevent kernel panic after unexpected I/O interrupt (bnc#649868,LTC#67975).
- cio: Add timeouts for internal IO (bnc#701550,LTC#72691). kernel: first time swap use results in heavy swapping (bnc#701550,LTC#73132).
qla2xxx: Do not be so verbose on underrun detected
patches.arch/i386-run-tsc-calibration-5-times.patch: Fix the patch, the logic was wrong (bnc#537165, bnc#826551).
xfs: Do not reclaim new inodes in xfs_sync_inodes() (bnc#770980 bnc#811752).
kbuild: Fix gcc -x syntax (bnc#773831).
e1000e: stop cleaning when we reach tx_ring->next_to_use (bnc#762825).
Fix race condition about network device name allocation (bnc#747576).
kdump: bootmem map over crash reserved region (bnc#749168, bnc#722400, bnc#742881).
tcp: fix race condition leading to premature termination of sockets in FIN_WAIT2 state and connection being reset (bnc#745760)
tcp: drop SYN+FIN messages (bnc#765102).
net/linkwatch: Handle jiffies wrap-around (bnc#740131).
patches.fixes/vm-dirty-bytes: Provide /proc/sys/vm/dirty_{background_,}bytes for tuning (bnc#727597).
ipmi: Fix deadlock in start_next_msg() (bnc#730749).
cpu-hotplug: release workqueue_mutex properly on CPU hot-remove (bnc#733407).
libiscsi: handle init task failures (bnc#721351).
NFS/sunrpc: do not use a credential with extra groups (bnc#725878).
x86_64: fix reboot hang when 'reboot=b' is passed to the kernel (bnc#721267).
nf_nat: do not add NAT extension for confirmed conntracks (bnc#709213).
xfs: fix memory reclaim recursion deadlock on locked inode buffer (bnc#699355 bnc#699354 bnc#721830).
ipmi: do not grab locks in run-to-completion mode (bnc#717421).
cciss: do not attempt to read from a write-only register (bnc#683101).
qla2xxx: Disable MSI-X initialization (bnc#693513).
Allow balance_dirty_pages to help other filesystems (bnc#709369).
- nfs: fix congestion control (bnc#709369).
- NFS: Separate metadata and page cache revalidation mechanisms (bnc#709369). knfsd: nfsd4: fix laundromat shutdown race (bnc#752556).
x87: Do not synchronize TSCs across cores if they already should be synchronized by HW (bnc#615418 bnc#609220).
reiserfs: Fix int overflow while calculating free space (bnc#795075).
af_unix: limit recursion level (bnc#656153).
bcm43xx: netlink deadlock fix (bnc#850241).
jbd: Issue cache flush after checkpointing (bnc#731770).
cfq: Fix infinite loop in cfq_preempt_queue() (bnc#724692).
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected kernel packages
Plugin Details
File Name: suse_SU-2013-1832-1.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:kernel-debug, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-bigsmp, p-cpe:/a:novell:suse_linux:kernel-smp, p-cpe:/a:novell:suse_linux:kernel-kdump, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-kdumppae, cpe:/o:novell:suse_linux:10, p-cpe:/a:novell:suse_linux:kernel-xenpae, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-vmipae, p-cpe:/a:novell:suse_linux:kernel-vmi
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 12/6/2013
Exploitable With
CANVAS (CANVAS)
Reference Information
CVE: CVE-2009-4020, CVE-2009-4067, CVE-2010-3880, CVE-2010-4249, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2203, CVE-2011-2213, CVE-2011-2484, CVE-2011-2492, CVE-2011-2494, CVE-2011-2525, CVE-2011-2534, CVE-2011-2699, CVE-2011-2928, CVE-2011-3209, CVE-2011-3363, CVE-2011-4077, CVE-2011-4110, CVE-2011-4132, CVE-2011-4324, CVE-2011-4330, CVE-2012-2136, CVE-2012-3510, CVE-2012-4444, CVE-2012-4530, CVE-2012-6537, CVE-2012-6539, CVE-2012-6540, CVE-2012-6541, CVE-2012-6542, CVE-2012-6544, CVE-2012-6545, CVE-2012-6546, CVE-2012-6547, CVE-2012-6549, CVE-2013-0160, CVE-2013-0268, CVE-2013-0871, CVE-2013-0914, CVE-2013-1827, CVE-2013-1928, CVE-2013-2141, CVE-2013-2147, CVE-2013-2164, CVE-2013-2206, CVE-2013-2232, CVE-2013-2234, CVE-2013-2237, CVE-2013-3222, CVE-2013-3223, CVE-2013-3224, CVE-2013-3228, CVE-2013-3229, CVE-2013-3231, CVE-2013-3232, CVE-2013-3234, CVE-2013-3235
BID: 44665, 45037, 46919, 46921, 48236, 48333, 48383, 48441, 48641, 48687, 48802, 49256, 49626, 50311, 50314, 50370, 50663, 50750, 50755, 50798, 53721, 55144, 55878, 56891, 57176, 57838, 57986, 58383, 58409, 58426, 58906, 58977, 58985, 58986, 58987, 58989, 58990, 58991, 58992, 58993, 58996, 59377, 59380, 59381, 59383, 59389, 59390, 59393, 59394, 59397, 60254, 60280, 60375, 60715, 60874, 60893, 60953