SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)

High Nessus Plugin ID 100023

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features :

- Improved support for Hyper-V

- Support for Matrox G200eH3

- Support for tcp_westwood The following security bugs were fixed :

- CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).

- CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579).

- CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).

- CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052).

- CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213).

- CVE-2017-7374: Use-after-free vulnerability in fs/crypto/ in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely (bnc#1032006).

- CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415).

- CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190).

- CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189).

- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066).

- CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722).

- CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697).

- CVE-2017-6347: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel had incorrect expectations about skb data layout, which allowed local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission (bnc#1027179).

- CVE-2016-9191: The cgroup offline implementation in the Linux kernel mishandled certain drain operations, which allowed local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application (bnc#1008842).

- CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel improperly emulated the VMXON instruction, which allowed KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (bnc#1022785).

- CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch SUSE-SLE-WE-12-SP2-2017-697=1

SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-697=1

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-697=1

SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-697=1

SUSE Linux Enterprise Live Patching 12:zypper in -t patch SUSE-SLE-Live-Patching-12-2017-697=1

SUSE Linux Enterprise High Availability 12-SP2:zypper in -t patch SUSE-SLE-HA-12-SP2-2017-697=1

SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-697=1

OpenStack Cloud Magnum Orchestration 7:zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-697=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1007959

https://bugzilla.suse.com/show_bug.cgi?id=1007962

https://bugzilla.suse.com/show_bug.cgi?id=1008842

https://bugzilla.suse.com/show_bug.cgi?id=1010032

https://bugzilla.suse.com/show_bug.cgi?id=1011913

https://bugzilla.suse.com/show_bug.cgi?id=1012382

https://bugzilla.suse.com/show_bug.cgi?id=1012910

https://bugzilla.suse.com/show_bug.cgi?id=1013994

https://bugzilla.suse.com/show_bug.cgi?id=1014136

https://bugzilla.suse.com/show_bug.cgi?id=1015609

https://bugzilla.suse.com/show_bug.cgi?id=1017461

https://bugzilla.suse.com/show_bug.cgi?id=1017641

https://bugzilla.suse.com/show_bug.cgi?id=1018263

https://bugzilla.suse.com/show_bug.cgi?id=1018419

https://bugzilla.suse.com/show_bug.cgi?id=1019163

https://bugzilla.suse.com/show_bug.cgi?id=1019614

https://bugzilla.suse.com/show_bug.cgi?id=1019618

https://bugzilla.suse.com/show_bug.cgi?id=1020048

https://bugzilla.suse.com/show_bug.cgi?id=1021762

https://bugzilla.suse.com/show_bug.cgi?id=1022340

https://bugzilla.suse.com/show_bug.cgi?id=1022785

https://bugzilla.suse.com/show_bug.cgi?id=1023866

https://bugzilla.suse.com/show_bug.cgi?id=1024015

https://bugzilla.suse.com/show_bug.cgi?id=1025683

https://bugzilla.suse.com/show_bug.cgi?id=1026024

https://bugzilla.suse.com/show_bug.cgi?id=1026405

https://bugzilla.suse.com/show_bug.cgi?id=1026462

https://bugzilla.suse.com/show_bug.cgi?id=1026505

https://bugzilla.suse.com/show_bug.cgi?id=1026509

https://bugzilla.suse.com/show_bug.cgi?id=1026692

https://bugzilla.suse.com/show_bug.cgi?id=1026722

https://bugzilla.suse.com/show_bug.cgi?id=1027054

https://bugzilla.suse.com/show_bug.cgi?id=1027066

https://bugzilla.suse.com/show_bug.cgi?id=1027153

https://bugzilla.suse.com/show_bug.cgi?id=1027179

https://bugzilla.suse.com/show_bug.cgi?id=1027189

https://bugzilla.suse.com/show_bug.cgi?id=1027190

https://bugzilla.suse.com/show_bug.cgi?id=1027195

https://bugzilla.suse.com/show_bug.cgi?id=1027273

https://bugzilla.suse.com/show_bug.cgi?id=1027616

https://bugzilla.suse.com/show_bug.cgi?id=1028017

https://bugzilla.suse.com/show_bug.cgi?id=1028027

https://bugzilla.suse.com/show_bug.cgi?id=1028041

https://bugzilla.suse.com/show_bug.cgi?id=1028158

https://bugzilla.suse.com/show_bug.cgi?id=1028217

https://bugzilla.suse.com/show_bug.cgi?id=1028325

https://bugzilla.suse.com/show_bug.cgi?id=1028415

https://bugzilla.suse.com/show_bug.cgi?id=1028819

https://bugzilla.suse.com/show_bug.cgi?id=1028895

https://bugzilla.suse.com/show_bug.cgi?id=1029220

https://bugzilla.suse.com/show_bug.cgi?id=1029514

https://bugzilla.suse.com/show_bug.cgi?id=1029634

https://bugzilla.suse.com/show_bug.cgi?id=1029986

https://bugzilla.suse.com/show_bug.cgi?id=1030118

https://bugzilla.suse.com/show_bug.cgi?id=1030213

https://bugzilla.suse.com/show_bug.cgi?id=1031003

https://bugzilla.suse.com/show_bug.cgi?id=1031052

https://bugzilla.suse.com/show_bug.cgi?id=1031200

https://bugzilla.suse.com/show_bug.cgi?id=1031206

https://bugzilla.suse.com/show_bug.cgi?id=1031208

https://bugzilla.suse.com/show_bug.cgi?id=1031440

https://bugzilla.suse.com/show_bug.cgi?id=1031481

https://bugzilla.suse.com/show_bug.cgi?id=1031579

https://bugzilla.suse.com/show_bug.cgi?id=1031660

https://bugzilla.suse.com/show_bug.cgi?id=1031662

https://bugzilla.suse.com/show_bug.cgi?id=1031717

https://bugzilla.suse.com/show_bug.cgi?id=1031831

https://bugzilla.suse.com/show_bug.cgi?id=1032006

https://bugzilla.suse.com/show_bug.cgi?id=1032673

https://bugzilla.suse.com/show_bug.cgi?id=1032681

https://bugzilla.suse.com/show_bug.cgi?id=897662

https://bugzilla.suse.com/show_bug.cgi?id=951844

https://bugzilla.suse.com/show_bug.cgi?id=968697

https://bugzilla.suse.com/show_bug.cgi?id=969755

https://bugzilla.suse.com/show_bug.cgi?id=970083

https://bugzilla.suse.com/show_bug.cgi?id=977572

https://bugzilla.suse.com/show_bug.cgi?id=977860

https://bugzilla.suse.com/show_bug.cgi?id=978056

https://bugzilla.suse.com/show_bug.cgi?id=980892

https://bugzilla.suse.com/show_bug.cgi?id=981634

https://bugzilla.suse.com/show_bug.cgi?id=982783

https://bugzilla.suse.com/show_bug.cgi?id=987899

https://bugzilla.suse.com/show_bug.cgi?id=988281

https://bugzilla.suse.com/show_bug.cgi?id=991173

https://bugzilla.suse.com/show_bug.cgi?id=998106

https://www.suse.com/security/cve/CVE-2016-10200/

https://www.suse.com/security/cve/CVE-2016-2117/

https://www.suse.com/security/cve/CVE-2016-9191/

https://www.suse.com/security/cve/CVE-2017-2596/

https://www.suse.com/security/cve/CVE-2017-2671/

https://www.suse.com/security/cve/CVE-2017-6074/

https://www.suse.com/security/cve/CVE-2017-6214/

https://www.suse.com/security/cve/CVE-2017-6345/

https://www.suse.com/security/cve/CVE-2017-6346/

https://www.suse.com/security/cve/CVE-2017-6347/

https://www.suse.com/security/cve/CVE-2017-6353/

https://www.suse.com/security/cve/CVE-2017-7187/

https://www.suse.com/security/cve/CVE-2017-7261/

https://www.suse.com/security/cve/CVE-2017-7294/

https://www.suse.com/security/cve/CVE-2017-7308/

https://www.suse.com/security/cve/CVE-2017-7374/

http://www.nessus.org/u?e163b69f

Plugin Details

Severity: High

ID: 100023

File Name: suse_SU-2017-1183-1.nasl

Version: 3.10

Type: local

Agent: unix

Published: 2017/05/08

Updated: 2018/11/30

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debugsource, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-extra, p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo, p-cpe:/a:novell:suse_linux:kernel-syms, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/05/05

Exploitable With

Core Impact

Metasploit (AF_PACKET packet_set_ring Privilege Escalation)

Reference Information

CVE: CVE-2016-10200, CVE-2016-2117, CVE-2016-9191, CVE-2017-2596, CVE-2017-2671, CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6345, CVE-2017-6346, CVE-2017-6347, CVE-2017-6353, CVE-2017-7187, CVE-2017-7261, CVE-2017-7294, CVE-2017-7308, CVE-2017-7374