openSUSE Security Update : the Linux Kernel (openSUSE-2016-1076)

critical Nessus Plugin ID 93445

Synopsis

The remote openSUSE host is missing a security update.

Description

The openSUSE Leap 42.1 kernel was updated to 4.1.31 to receive various security and bugfixes.

The following security bugs were fixed :

- CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948).

- CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

- CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandled destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360).

- CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821).

- CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822).

- CVE-2016-4557: The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel did not properly maintain an fd data structure, which allowed local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor (bnc#979018).

- CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267).

- CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371).

- CVE-2016-4951: The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel did not verify socket existence, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation (bnc#981058).

- CVE-2015-8787: The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604 (bnc#963931).

- CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213).

- CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879).

- CVE-2016-6828: A use after free in tcp_xmit_retransmit_queue() was fixed that could be used by local attackers to crash the kernel (bsc#994296).

- CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608).

- CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986362 986365 990058).

- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152).

- CVE-2016-1237: nfsd in the Linux kernel allowed local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c (bnc#986570).

The following non-security bugs were fixed :

- AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520).

- KVM: arm/arm64: Handle forward time correction gracefully (bnc#974266).

- Linux 4.1.29. Refreshed patch:
patches.xen/xen3-fixup-xen Deleted patches:
patches.fixes/0001-Revert-ecryptfs-forbid-opening-files- without-mmap-ha.patch patches.fixes/0001-ecryptfs-don-t-allow-mmap-when-the-lo wer-file-system.patch patches.rpmify/Revert-mm-swap.c-flush-lru-pvecs-on-compo und-page-ar patches.rpmify/Revert-powerpc-Update-TM-user-feature-bit s-in-scan_f

- Revert 'mm/swap.c: flush lru pvecs on compound page arrival' (boo#989084).

- Revert 'powerpc: Update TM user feature bits in scan_features()'. Fix the build error of 4.1.28 on ppc.

- Revive i8042_check_power_owner() for 4.1.31 kabi fix.

- USB: OHCI: Do not mark EDs as ED_OPER if scheduling fails (bnc#987886).

- USB: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).

- Update patches.fixes/0002-nfsd-check-permissions-when-setting-A CLs.patch (bsc#986570 CVE-2016-1237).

- Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570 CVE-2016-1237).

- netfilter: x_tables: fix 4.1 stable backport (bsc#989176).

- nfsd: check permissions when setting ACLs (bsc#986570).

- posix_acl: Add set_posix_acl (bsc#986570).

- ppp: defer netns reference release for ppp channel (bsc#980371).

- series.conf: Move a kABI patch to its own section

- supported.conf: enable i2c-designware driver (bsc#991110)

- tcp: enable per-socket rate limiting of all 'challenge acks' (bsc#989152).

Solution

Update the affected the Linux Kernel packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=963931

https://bugzilla.opensuse.org/show_bug.cgi?id=970948

https://bugzilla.opensuse.org/show_bug.cgi?id=971126

https://bugzilla.opensuse.org/show_bug.cgi?id=971360

https://bugzilla.opensuse.org/show_bug.cgi?id=974266

https://bugzilla.opensuse.org/show_bug.cgi?id=978821

https://bugzilla.opensuse.org/show_bug.cgi?id=978822

https://bugzilla.opensuse.org/show_bug.cgi?id=979018

https://bugzilla.opensuse.org/show_bug.cgi?id=979213

https://bugzilla.opensuse.org/show_bug.cgi?id=979879

https://bugzilla.opensuse.org/show_bug.cgi?id=980371

https://bugzilla.opensuse.org/show_bug.cgi?id=981058

https://bugzilla.opensuse.org/show_bug.cgi?id=981267

https://bugzilla.opensuse.org/show_bug.cgi?id=986362

https://bugzilla.opensuse.org/show_bug.cgi?id=986365

https://bugzilla.opensuse.org/show_bug.cgi?id=986570

https://bugzilla.opensuse.org/show_bug.cgi?id=987886

https://bugzilla.opensuse.org/show_bug.cgi?id=989084

https://bugzilla.opensuse.org/show_bug.cgi?id=989152

https://bugzilla.opensuse.org/show_bug.cgi?id=989176

https://bugzilla.opensuse.org/show_bug.cgi?id=990058

https://bugzilla.opensuse.org/show_bug.cgi?id=991110

https://bugzilla.opensuse.org/show_bug.cgi?id=991608

https://bugzilla.opensuse.org/show_bug.cgi?id=991665

https://bugzilla.opensuse.org/show_bug.cgi?id=994296

https://bugzilla.opensuse.org/show_bug.cgi?id=994520

Plugin Details

Severity: Critical

ID: 93445

File Name: openSUSE-2016-1076.nasl

Version: 2.8

Type: local

Agent: unix

Published: 9/13/2016

Updated: 1/19/2021

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:drbd-debugsource, p-cpe:/a:novell:opensuse:pcfclock-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:ipset-kmp-xen, p-cpe:/a:novell:opensuse:kernel-pae, p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource, p-cpe:/a:novell:opensuse:vhba-kmp-debugsource, p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo, p-cpe:/a:novell:opensuse:lttng-modules-kmp-default, p-cpe:/a:novell:opensuse:kernel-xen-base, p-cpe:/a:novell:opensuse:ipset-kmp-pae, p-cpe:/a:novell:opensuse:hdjmod-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debugsource, p-cpe:/a:novell:opensuse:drbd-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-base, p-cpe:/a:novell:opensuse:ipset-kmp-xen-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-debugsource, p-cpe:/a:novell:opensuse:kernel-xen, p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo, p-cpe:/a:novell:opensuse:drbd-kmp-xen-debuginfo, p-cpe:/a:novell:opensuse:kernel-obs-qa-xen, p-cpe:/a:novell:opensuse:lttng-modules-debugsource, p-cpe:/a:novell:opensuse:kernel-vanilla, p-cpe:/a:novell:opensuse:kernel-pae-base, p-cpe:/a:novell:opensuse:kernel-docs-pdf, p-cpe:/a:novell:opensuse:ipset-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:ipset-devel, p-cpe:/a:novell:opensuse:hdjmod-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:hdjmod-kmp-pae, p-cpe:/a:novell:opensuse:kernel-xen-devel, p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debuginfo, p-cpe:/a:novell:opensuse:kernel-source, p-cpe:/a:novell:opensuse:kernel-ec2-devel, p-cpe:/a:novell:opensuse:pcfclock, p-cpe:/a:novell:opensuse:kernel-docs-html, p-cpe:/a:novell:opensuse:kernel-pv-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debugsource, p-cpe:/a:novell:opensuse:kernel-default-base, p-cpe:/a:novell:opensuse:pcfclock-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:kernel-macros, p-cpe:/a:novell:opensuse:kernel-pae-devel, p-cpe:/a:novell:opensuse:kernel-vanilla-devel, p-cpe:/a:novell:opensuse:libipset3, p-cpe:/a:novell:opensuse:drbd, p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:ipset-debugsource, p-cpe:/a:novell:opensuse:kernel-default-debuginfo, p-cpe:/a:novell:opensuse:kernel-obs-qa, p-cpe:/a:novell:opensuse:vhba-kmp-default, p-cpe:/a:novell:opensuse:ipset-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debugsource, p-cpe:/a:novell:opensuse:kernel-debug, p-cpe:/a:novell:opensuse:hdjmod-kmp-xen, p-cpe:/a:novell:opensuse:kernel-pv-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-pv, p-cpe:/a:novell:opensuse:kernel-debug-base, p-cpe:/a:novell:opensuse:vhba-kmp-pae, p-cpe:/a:novell:opensuse:libipset3-debuginfo, p-cpe:/a:novell:opensuse:ipset-kmp-pv, p-cpe:/a:novell:opensuse:kernel-syms, p-cpe:/a:novell:opensuse:drbd-kmp-xen, p-cpe:/a:novell:opensuse:hdjmod-kmp-pv, p-cpe:/a:novell:opensuse:ipset-kmp-default, p-cpe:/a:novell:opensuse:pcfclock-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-base, p-cpe:/a:novell:opensuse:kernel-default, p-cpe:/a:novell:opensuse:pcfclock-kmp-pv, p-cpe:/a:novell:opensuse:pcfclock-kmp-default, p-cpe:/a:novell:opensuse:hdjmod-kmp-default, p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-devel, p-cpe:/a:novell:opensuse:kernel-ec2, p-cpe:/a:novell:opensuse:lttng-modules-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-xen-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-xen, p-cpe:/a:novell:opensuse:ipset-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-devel, p-cpe:/a:novell:opensuse:pcfclock-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debuginfo, p-cpe:/a:novell:opensuse:drbd-kmp-default, p-cpe:/a:novell:opensuse:hdjmod-kmp-xen-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-debugsource, p-cpe:/a:novell:opensuse:kernel-default-debugsource, p-cpe:/a:novell:opensuse:ipset-debuginfo, p-cpe:/a:novell:opensuse:pcfclock-kmp-pae, p-cpe:/a:novell:opensuse:kernel-devel, p-cpe:/a:novell:opensuse:vhba-kmp-default-debuginfo, cpe:/o:novell:opensuse:42.1, p-cpe:/a:novell:opensuse:hdjmod-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:hdjmod-debugsource, p-cpe:/a:novell:opensuse:kernel-obs-build, p-cpe:/a:novell:opensuse:kernel-pv, p-cpe:/a:novell:opensuse:kernel-source-vanilla, p-cpe:/a:novell:opensuse:lttng-modules-kmp-pv, p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:ipset, p-cpe:/a:novell:opensuse:lttng-modules, p-cpe:/a:novell:opensuse:kernel-pv-devel, p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource, p-cpe:/a:novell:opensuse:drbd-kmp-pv, p-cpe:/a:novell:opensuse:lttng-modules-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:pcfclock-debugsource, p-cpe:/a:novell:opensuse:drbd-kmp-pv-debuginfo

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/12/2016

Exploitable With

Metasploit (Linux BPF doubleput UAF Privilege Escalation)

Reference Information

CVE: CVE-2003-1604, CVE-2015-8787, CVE-2016-1237, CVE-2016-2847, CVE-2016-3134, CVE-2016-3156, CVE-2016-4485, CVE-2016-4486, CVE-2016-4557, CVE-2016-4569, CVE-2016-4578, CVE-2016-4580, CVE-2016-4805, CVE-2016-4951, CVE-2016-4998, CVE-2016-5696, CVE-2016-6480, CVE-2016-6828