SUSE SLES11 Security Update : kernel (SUSE-SU-2015:1478-1)

medium Nessus Plugin ID 85764

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise Server 11 SP2 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

- CVE-2015-5707: An integer overflow in the SCSI generic driver could be potentially used by local attackers to crash the kernel or execute code.

- CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux kernel did not prevent the TS_COMPAT flag from reaching a user-mode task, which might have allowed local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16 (bnc#926240).

- CVE-2015-0777: drivers/xen/usbback/usbback.c in the Linux kernel allowed guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors (bnc#917830).

- CVE-2015-2150: Xen and the Linux kernel did not properly restrict access to PCI command registers, which might have allowed local guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response (bnc#919463).

- CVE-2015-5364: A remote denial of service (hang) via UDP flood with incorrect package checksums was fixed.
(bsc#936831).

- CVE-2015-5366: A remote denial of service (unexpected error returns) via UDP flood with incorrect package checksums was fixed. (bsc#936831).

- CVE-2015-1420: CVE-2015-1420: Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel allowed local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function (bnc#915517).

- CVE-2015-4700: A local user could have created a bad instruction in the JIT processed BPF code, leading to a kernel crash (bnc#935705).

- CVE-2015-1805: The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel did not properly consider the side effects of failed
__copy_to_user_inatomic and __copy_from_user_inatomic calls, which allowed local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an 'I/O vector array overrun' (bnc#933429).

- CVE-2015-3331: The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel did not properly determine the memory locations used for encrypted data, which allowed context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket (bnc#927257).

- CVE-2015-2922: The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel allowed remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message (bnc#922583).

- CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux kernel used an incorrect data type in a sysctl table, which allowed local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry (bnc#919007).

- CVE-2015-3636: The ping_unhash function in net/ipv4/ping.c in the Linux kernel did not initialize a certain list data structure during an unhash operation, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect (bnc#929525).

- CVE-2014-8086: Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel allowed local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag (bnc#900881).

- CVE-2014-8159: The InfiniBand (IB) implementation in the Linux kernel did not properly restrict use of User Verbs for registration of memory regions, which allowed local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/ (bnc#914742).

- CVE-2014-9683: Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename (bnc#918333).

- CVE-2015-2042: net/rds/sysctl.c in the Linux kernel used an incorrect data type in a sysctl table, which allowed local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry (bnc#919018).

- CVE-2015-1421: Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel allowed remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data (bnc#915577).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP2-LTSS :

zypper in -t patch slessp2-kernel-20150819-12065=1

SUSE Linux Enterprise Debuginfo 11-SP2 :

zypper in -t patch dbgsp2-kernel-20150819-12065=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=798406

https://bugzilla.suse.com/show_bug.cgi?id=821931

https://bugzilla.suse.com/show_bug.cgi?id=860593

https://bugzilla.suse.com/show_bug.cgi?id=879878

https://bugzilla.suse.com/show_bug.cgi?id=891087

https://bugzilla.suse.com/show_bug.cgi?id=897995

https://bugzilla.suse.com/show_bug.cgi?id=898693

https://bugzilla.suse.com/show_bug.cgi?id=900881

https://bugzilla.suse.com/show_bug.cgi?id=904671

https://bugzilla.suse.com/show_bug.cgi?id=908870

https://bugzilla.suse.com/show_bug.cgi?id=909477

https://bugzilla.suse.com/show_bug.cgi?id=912916

https://bugzilla.suse.com/show_bug.cgi?id=914742

https://bugzilla.suse.com/show_bug.cgi?id=915200

https://bugzilla.suse.com/show_bug.cgi?id=915517

https://bugzilla.suse.com/show_bug.cgi?id=915577

https://bugzilla.suse.com/show_bug.cgi?id=916010

https://bugzilla.suse.com/show_bug.cgi?id=917093

https://bugzilla.suse.com/show_bug.cgi?id=917830

https://bugzilla.suse.com/show_bug.cgi?id=918333

https://bugzilla.suse.com/show_bug.cgi?id=919007

https://bugzilla.suse.com/show_bug.cgi?id=919018

https://bugzilla.suse.com/show_bug.cgi?id=919463

https://bugzilla.suse.com/show_bug.cgi?id=921769

https://bugzilla.suse.com/show_bug.cgi?id=922583

https://bugzilla.suse.com/show_bug.cgi?id=923245

https://bugzilla.suse.com/show_bug.cgi?id=926240

https://bugzilla.suse.com/show_bug.cgi?id=927257

https://bugzilla.suse.com/show_bug.cgi?id=928801

https://bugzilla.suse.com/show_bug.cgi?id=929148

https://bugzilla.suse.com/show_bug.cgi?id=929283

https://bugzilla.suse.com/show_bug.cgi?id=929360

https://bugzilla.suse.com/show_bug.cgi?id=929525

https://bugzilla.suse.com/show_bug.cgi?id=930284

https://bugzilla.suse.com/show_bug.cgi?id=930934

https://bugzilla.suse.com/show_bug.cgi?id=931474

https://bugzilla.suse.com/show_bug.cgi?id=933429

https://bugzilla.suse.com/show_bug.cgi?id=935705

https://bugzilla.suse.com/show_bug.cgi?id=936831

https://bugzilla.suse.com/show_bug.cgi?id=937032

https://bugzilla.suse.com/show_bug.cgi?id=937986

https://bugzilla.suse.com/show_bug.cgi?id=940338

https://bugzilla.suse.com/show_bug.cgi?id=940398

https://www.suse.com/security/cve/CVE-2014-8086/

https://www.suse.com/security/cve/CVE-2014-8159/

https://www.suse.com/security/cve/CVE-2014-9683/

https://www.suse.com/security/cve/CVE-2015-0777/

https://www.suse.com/security/cve/CVE-2015-1420/

https://www.suse.com/security/cve/CVE-2015-1421/

https://www.suse.com/security/cve/CVE-2015-1805/

https://www.suse.com/security/cve/CVE-2015-2041/

https://www.suse.com/security/cve/CVE-2015-2042/

https://www.suse.com/security/cve/CVE-2015-2150/

https://www.suse.com/security/cve/CVE-2015-2830/

https://www.suse.com/security/cve/CVE-2015-2922/

https://www.suse.com/security/cve/CVE-2015-3331/

https://www.suse.com/security/cve/CVE-2015-3636/

https://www.suse.com/security/cve/CVE-2015-4700/

https://www.suse.com/security/cve/CVE-2015-5364/

https://www.suse.com/security/cve/CVE-2015-5366/

https://www.suse.com/security/cve/CVE-2015-5707/

http://www.nessus.org/u?a926165a

Plugin Details

Severity: Medium

ID: 85764

File Name: suse_SU-2015-1478-1.nasl

Version: 2.11

Type: local

Agent: unix

Published: 9/3/2015

Updated: 1/19/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.5

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-pae, p-cpe:/a:novell:suse_linux:kernel-ec2, p-cpe:/a:novell:suse_linux:kernel-xen-devel, p-cpe:/a:novell:suse_linux:kernel-xen-base, p-cpe:/a:novell:suse_linux:kernel-pae-base, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-trace-base, cpe:/o:novell:suse_linux:11, p-cpe:/a:novell:suse_linux:kernel-ec2-base, p-cpe:/a:novell:suse_linux:kernel-ec2-devel, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-trace, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-trace-devel, p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-pae-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/21/2015

Vulnerability Publication Date: 10/13/2014

Reference Information

CVE: CVE-2014-8086, CVE-2014-8159, CVE-2014-9683, CVE-2015-0777, CVE-2015-1420, CVE-2015-1421, CVE-2015-1805, CVE-2015-2041, CVE-2015-2042, CVE-2015-2150, CVE-2015-2830, CVE-2015-2922, CVE-2015-3331, CVE-2015-3636, CVE-2015-4700, CVE-2015-5364, CVE-2015-5366, CVE-2015-5707

BID: 70376, 72356, 72357, 72643, 72729, 72730, 73014, 73060, 73699, 73921, 74235, 74315, 74450, 74951, 75356, 75510