SUSE SLES10 Security Update : kernel (SUSE-SU-2014:0832-1)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise Server 10 SP3 LTSS received a roll up update
to fix several security and non-security issues.

The following security issues have been fixed :

CVE-2013-0343: The ipv6_create_tempaddr function in
net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly
handle problems with the generation of IPv6 temporary addresses, which
allows remote attackers to cause a denial of service (excessive
retries and address-generation outage), and consequently obtain
sensitive information, via ICMPv6 Router Advertisement (RA) messages.
(bnc#805226)

CVE-2013-2888: Multiple array index errors in
drivers/hid/hid-core.c in the Human Interface Device (HID)
subsystem in the Linux kernel through 3.11 allow physically
proximate attackers to execute arbitrary code or cause a
denial of service (heap memory corruption) via a crafted
device that provides an invalid Report ID. (bnc#835839)

CVE-2013-2893: The Human Interface Device (HID) subsystem in
the Linux kernel through 3.11, when CONFIG_LOGITECH_FF,
CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled,
allows physically proximate attackers to cause a denial of
service (heap-based out-of-bounds write) via a crafted
device, related to (1) drivers/hid/hid-lgff.c, (2)
drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.
(bnc#835839)

CVE-2013-2897: Multiple array index errors in
drivers/hid/hid-multitouch.c in the Human Interface Device
(HID) subsystem in the Linux kernel through 3.11, when
CONFIG_HID_MULTITOUCH is enabled, allow physically proximate
attackers to cause a denial of service (heap memory
corruption, or NULL pointer dereference and OOPS) via a
crafted device. (bnc#835839)

CVE-2013-4470: The Linux kernel before 3.12, when UDP
Fragmentation Offload (UFO) is enabled, does not properly
initialize certain data structures, which allows local users
to cause a denial of service (memory corruption and system
crash) or possibly gain privileges via a crafted application
that uses the UDP_CORK option in a setsockopt system call
and sends both short and long packets, related to the
ip_ufo_append_data function in net/ipv4/ip_output.c and the
ip6_ufo_append_data function in net/ipv6/ip6_output.c.
(bnc#847672)

CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in
the Linux kernel before 3.10 does not properly manage a
reference count, which allows local users to cause a denial
of service (memory consumption or system crash) via a
crafted application. (bnc#848321)

CVE-2013-4588: Multiple stack-based buffer overflows in
net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before
2.6.33, when CONFIG_IP_VS is used, allow local users to gain
privileges by leveraging the CAP_NET_ADMIN capability for
(1) a getsockopt system call, related to the
do_ip_vs_get_ctl function, or (2) a setsockopt system call,
related to the do_ip_vs_set_ctl function. (bnc#851095)

CVE-2013-6382: Multiple buffer underflows in the XFS
implementation in the Linux kernel through 3.12.1 allow
local users to cause a denial of service (memory corruption)
or possibly have unspecified other impact by leveraging the
CAP_SYS_ADMIN capability for a (1)
XFS_IOC_ATTRLIST_BY_HANDLE or (2)
XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted
length value, related to the xfs_attrlist_by_handle function
in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle
function in fs/xfs/xfs_ioctl32.c. (bnc#852553)

CVE-2013-6383: The aac_compat_ioctl function in
drivers/scsi/aacraid/linit.c in the Linux kernel before
3.11.8 does not require the CAP_SYS_RAWIO capability, which
allows local users to bypass intended access restrictions
via a crafted ioctl call. (bnc#852558)

CVE-2013-7263: The Linux kernel before 3.12.4 updates
certain length values before ensuring that associated data
structures have been initialized, which allows local users
to obtain sensitive information from kernel stack memory via
a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call,
related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,
net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)

CVE-2013-7264: The l2tp_ip_recvmsg function in
net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates
a certain length value before ensuring that an associated
data structure has been initialized, which allows local
users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
system call. (bnc#857643)

CVE-2013-7265: The pn_recvmsg function in
net/phonet/datagram.c in the Linux kernel before 3.12.4
updates a certain length value before ensuring that an
associated data structure has been initialized, which allows
local users to obtain sensitive information from kernel
stack memory via a (1) recvfrom, (2) recvmmsg, or (3)
recvmsg system call. (bnc#857643)

CVE-2014-1444: The fst_get_iface function in
drivers/net/wan/farsync.c in the Linux kernel before 3.11.7
does not properly initialize a certain data structure, which
allows local users to obtain sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability for
an SIOCWANDEV ioctl call. (bnc#858869)

CVE-2014-1445: The wanxl_ioctl function in
drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7
does not properly initialize a certain data structure, which
allows local users to obtain sensitive information from
kernel memory via an ioctl call. (bnc#858870)

CVE-2014-1446: The yam_ioctl function in
drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8
does not initialize a certain structure member, which allows
local users to obtain sensitive information from kernel
memory by leveraging the CAP_NET_ADMIN capability for an
SIOCYAMGCFG ioctl call. (bnc#858872)

CVE-2014-1737: The raw_cmd_copyin function in
drivers/block/floppy.c in the Linux kernel through 3.14.3
does not properly handle error conditions during processing
of an FDRAWCMD ioctl call, which allows local users to
trigger kfree operations and gain privileges by leveraging
write access to a /dev/fd device. (bnc#875798)

CVE-2014-1738: The raw_cmd_copyout function in
drivers/block/floppy.c in the Linux kernel through 3.14.3
does not properly restrict access to certain pointers during
processing of an FDRAWCMD ioctl call, which allows local
users to obtain sensitive information from kernel heap
memory by leveraging write access to a /dev/fd device.
(bnc#875798)

The following bugs have been fixed :

- kernel: sclp console hangs (bnc#830344, LTC#95711,
bnc#860304).

- ia64: Change default PSR.ac from '1' to '0' (Fix erratum
#237) (bnc#874108).

- net: Uninline kfree_skb and allow NULL argument
(bnc#853501).

- tcp: syncookies: reduce cookie lifetime to 128 seconds
(bnc#833968).

- tcp: syncookies: reduce mss table to four values
(bnc#833968).

- udp: Fix bogus UFO packet generation (bnc#847672).

- blkdev_max_block: make private to fs/buffer.c
(bnc#820338).

- vfs: avoid 'attempt to access beyond end of device'
warnings (bnc#820338).

- vfs: fix O_DIRECT read past end of block device
(bnc#820338).

- HID: check for NULL field when setting values
(bnc#835839).

- HID: provide a helper for validating hid reports
(bnc#835839).

- dl2k: Tighten ioctl permissions (bnc#758813).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.nessus.org/u?3366e92c
http://www.nessus.org/u?992a6e07
http://www.nessus.org/u?287c54b5
http://support.novell.com/security/cve/CVE-2013-0343.html
http://support.novell.com/security/cve/CVE-2013-2888.html
http://support.novell.com/security/cve/CVE-2013-2893.html
http://support.novell.com/security/cve/CVE-2013-2897.html
http://support.novell.com/security/cve/CVE-2013-4470.html
http://support.novell.com/security/cve/CVE-2013-4483.html
http://support.novell.com/security/cve/CVE-2013-4588.html
http://support.novell.com/security/cve/CVE-2013-6382.html
http://support.novell.com/security/cve/CVE-2013-6383.html
http://support.novell.com/security/cve/CVE-2013-7263.html
http://support.novell.com/security/cve/CVE-2013-7264.html
http://support.novell.com/security/cve/CVE-2013-7265.html
http://support.novell.com/security/cve/CVE-2014-1444.html
http://support.novell.com/security/cve/CVE-2014-1445.html
http://support.novell.com/security/cve/CVE-2014-1446.html
http://support.novell.com/security/cve/CVE-2014-1737.html
http://support.novell.com/security/cve/CVE-2014-1738.html
https://bugzilla.novell.com/758813
https://bugzilla.novell.com/805226
https://bugzilla.novell.com/820338
https://bugzilla.novell.com/830344
https://bugzilla.novell.com/833968
https://bugzilla.novell.com/835839
https://bugzilla.novell.com/847672
https://bugzilla.novell.com/848321
https://bugzilla.novell.com/851095
https://bugzilla.novell.com/852553
https://bugzilla.novell.com/852558
https://bugzilla.novell.com/853501
https://bugzilla.novell.com/857643
https://bugzilla.novell.com/858869
https://bugzilla.novell.com/858870
https://bugzilla.novell.com/858872
https://bugzilla.novell.com/860304
https://bugzilla.novell.com/874108
https://bugzilla.novell.com/875798
http://www.nessus.org/u?d643af8f

Solution :

Update the affected kernel packages

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false