openSUSE Security Update : the Linux Kernel (openSUSE-2017-1062) (BlueBorne)

High Nessus Plugin ID 103287

VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

The openSUSE Leap 42.2 kernel was updated to 4.4.87 to receive various security fixes and bug fixes.

The following security bugs were fixed:

- CVE-2017-1000251: The native Bluetooth stack in the Linux kernel (BlueZ) was vulnerable to a stack overflow in the processing of L2CAP configuration responses, resulting in remote code execution in kernel space (bnc#1057389).

- CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982).

- CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel did not flush the operand cache and caused a kernel stack dump, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table (bnc#1049580).

- CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).

- CVE-2017-12134: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation (bnc#1051790 bnc#1053919).

The following non-security bugs were fixed:

- acpi / scan: Prefer devices without _HID for _ADR matching (git-fixes).

- alsa: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) (bsc#1020657).

- alsa: hda - Implement mic-mute LED mode enum (bsc#1055013).

- alsa: hda/realtek - Add support headphone Mic for ALC221 of HP platform (bsc#1024405).

- alsa: ice1712: Add support for STAudio ADCIII (bsc#1048934).

- alsa: usb-audio: Apply sample rate quirk to Sennheiser headset (bsc#1052580).

- Add 'shutdown' to 'struct class' (bsc#1053117).

- bluetooth: bnep: fix possible might sleep error in bnep_session (bsc#1031784).

- bluetooth: cmtp: fix possible might sleep error in cmtp_session (bsc#1031784).

- btrfs: fix early ENOSPC due to delalloc (bsc#1049226).

- nfs: flush data when locking a file to ensure cache coherence for mmap (bsc#981309).

- Revert '/proc/iomem: only expose physical resource addresses to privileged users' (kabi).

- Revert 'Make file credentials available to the seqfile interfaces' (kabi).

- usb: core: fix device node leak (bsc#1047487).

- Update patches.drivers/tpm-141-fix-RC-value-check-in-tpm2_seal_trusted.patch (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 5ca4c20cfd37).

- bnxt: add a missing rcu synchronization (bnc#1038583).

- bnxt: do not busy-poll when link is down (bnc#1038583).

- bnxt_en: Enable MRU enables bit when configuring VNIC MRU (bnc#1038583).

- bnxt_en: Fix 'uninitialized variable' bug in TPA code path (bnc#1038583).

- bnxt_en: Fix NULL pointer dereference in a failure path during open (bnc#1038583).

- bnxt_en: Fix NULL pointer dereference in reopen failure path (bnc#1038583).

- bnxt_en: Fix TX push operation on ARM64 (bnc#1038583).

- bnxt_en: Fix VF virtual link state (bnc#1038583).

- bnxt_en: Fix a VXLAN vs GENEVE issue (bnc#1038583).

- bnxt_en: Fix and clarify link_info->advertising (bnc#1038583).

- bnxt_en: Fix ring arithmetic in bnxt_setup_tc() (bnc#1038583).

- bnxt_en: Pad TX packets below 52 bytes (bnc#1038583).

- bnxt_en: Refactor TPA code path (bnc#1038583).

- bnxt_en: fix pci cleanup in bnxt_init_one() failure path (bnc#1038583).

- bnxt_en: initialize rc to zero to avoid returning garbage (bnc#1038583).

- ceph: fix readpage from fscache (bsc#1057015).

- cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() (bsc#1021424 bsc#1022743).

- drivers: net: xgene: Fix wrong logical operation (bsc#1056827).

- drm/vmwgfx: Limit max desktop dimensions to 8Kx8K (bsc#1048155).

- fuse: initialize the flock flag in fuse_file on allocation (git-fixes).

- gfs2: Do not clear SGID when inheriting ACLs (bsc#1012829).

- ibmvnic: Clean up resources on probe failure (fate#323285, bsc#1058116).

- iwlwifi: missing error code in iwl_trans_pcie_alloc() (bsc#1031717).

- iwlwifi: mvm: do not send CTDP commands via debugfs if not supported (bsc#1031717).

- kernel/*: switch to memdup_user_nul() (bsc#1048893).

- lib: test_rhashtable: Fix KASAN warning (bsc#1055359).

- lib: test_rhashtable: fix for large entry counts (bsc#1055359).

- lightnvm: remove unused rq parameter of nvme_nvm_rqtocmd() to kill warning (FATE#319466).

- md/raid5: fix a race condition in stripe batch (linux-stable).

- mm, madvise: ensure poisoned pages are removed from per-cpu lists (VM hw poison -- git fixes).

- mm/page_alloc.c: apply gfp_allowed_mask before the first allocation attempt (bnc#971975 VM -- git fixes).

- mptsas: Fixup device hotplug for VMware ESXi (bsc#1030850).

- netfilter: fix IS_ERR_VALUE usage (bsc#1052888).

- netfilter: x_tables: pack percpu counter allocations (bsc#1052888).

- netfilter: x_tables: pass xt_counters struct instead of packet counter (bsc#1052888).

- netfilter: x_tables: pass xt_counters struct to counter allocator (bsc#1052888).

- new helper: memdup_user_nul() (bsc#1048893).

- of: fix '/cpus' reference leak in of_numa_parse_cpu_nodes() (bsc#1056827).

- ovl: fix dentry leak for default_permissions (bsc#1054084).

- percpu_ref: allow operation mode switching operations to be called concurrently (bsc#1055096).

- percpu_ref: remove unnecessary RCU grace period for staggered atomic switching confirmation (bsc#1055096).

- percpu_ref: reorganize __percpu_ref_switch_to_atomic() and relocate percpu_ref_switch_to_atomic() (bsc#1055096).

- percpu_ref: restructure operation mode switching (bsc#1055096).

- percpu_ref: unify staggered atomic switching wait behavior (bsc#1055096).

- rtnetlink: fix rtnl_vfinfo_size (bsc#1056261).

- s390: export symbols for crash-kmp (bsc#1053915).

- supported.conf: clear mistaken external support flag for cifs.ko (bsc#1053802).

- sysctl: fix lax sysctl_check_table() sanity check (bsc#1048893).

- sysctl: fold sysctl_writes_strict checks into helper (bsc#1048893).

- sysctl: kdoc'ify sysctl_writes_strict (bsc#1048893).

- sysctl: simplify unsigned int support (bsc#1048893).

- tpm: Issue a TPM2_Shutdown for TPM2 devices (bsc#1053117).

- tpm: KABI fix (bsc#1053117).

- tpm: fix: return rc when devm_add_action() fails (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 8e0ee3c9faed).

- tpm: read burstcount from TPM_STS in one 32-bit transaction (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 27084efee0c3).

- tpm_tis_core: Choose appropriate timeout for reading burstcount (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes aec04cbdf723).

- tpm_tis_core: convert max timeouts from msec to jiffies (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes aec04cbdf723).

- tty: serial: msm: Support more bauds (git-fixes).

- ubifs: Correctly evict xattr inodes (bsc#1012829).

- ubifs: Do not leak kernel memory to the MTD (bsc#1012829).

- xfs: fix inobt inode allocation search optimization (bsc#1012829).

Solution

Update the affected Linux kernel packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1012829

https://bugzilla.opensuse.org/show_bug.cgi?id=1020645

https://bugzilla.opensuse.org/show_bug.cgi?id=1020657

https://bugzilla.opensuse.org/show_bug.cgi?id=1021424

https://bugzilla.opensuse.org/show_bug.cgi?id=1022743

https://bugzilla.opensuse.org/show_bug.cgi?id=1024405

https://bugzilla.opensuse.org/show_bug.cgi?id=1030850

https://bugzilla.opensuse.org/show_bug.cgi?id=1031717

https://bugzilla.opensuse.org/show_bug.cgi?id=1031784

https://bugzilla.opensuse.org/show_bug.cgi?id=1034048

https://bugzilla.opensuse.org/show_bug.cgi?id=1038583

https://bugzilla.opensuse.org/show_bug.cgi?id=1047487

https://bugzilla.opensuse.org/show_bug.cgi?id=1048155

https://bugzilla.opensuse.org/show_bug.cgi?id=1048893

https://bugzilla.opensuse.org/show_bug.cgi?id=1048934

https://bugzilla.opensuse.org/show_bug.cgi?id=1049226

https://bugzilla.opensuse.org/show_bug.cgi?id=1049580

https://bugzilla.opensuse.org/show_bug.cgi?id=1051790

https://bugzilla.opensuse.org/show_bug.cgi?id=1052580

https://bugzilla.opensuse.org/show_bug.cgi?id=1052888

https://bugzilla.opensuse.org/show_bug.cgi?id=1053117

https://bugzilla.opensuse.org/show_bug.cgi?id=1053802

https://bugzilla.opensuse.org/show_bug.cgi?id=1053915

https://bugzilla.opensuse.org/show_bug.cgi?id=1053919

https://bugzilla.opensuse.org/show_bug.cgi?id=1054084

https://bugzilla.opensuse.org/show_bug.cgi?id=1055013

https://bugzilla.opensuse.org/show_bug.cgi?id=1055096

https://bugzilla.opensuse.org/show_bug.cgi?id=1055359

https://bugzilla.opensuse.org/show_bug.cgi?id=1056261

https://bugzilla.opensuse.org/show_bug.cgi?id=1056588

https://bugzilla.opensuse.org/show_bug.cgi?id=1056827

https://bugzilla.opensuse.org/show_bug.cgi?id=1056982

https://bugzilla.opensuse.org/show_bug.cgi?id=1057015

https://bugzilla.opensuse.org/show_bug.cgi?id=1057389

https://bugzilla.opensuse.org/show_bug.cgi?id=1058116

https://bugzilla.opensuse.org/show_bug.cgi?id=971975

https://bugzilla.opensuse.org/show_bug.cgi?id=981309

Plugin Details

Severity: High

ID: 103287

File Name: openSUSE-2017-1062.nasl

Version: 3.5

Type: local

Agent: unix

Published: 2017/09/18

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 8.3

Temporal Score: 6.5

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:kernel-debug, p-cpe:/a:novell:opensuse:kernel-debug-base, p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debugsource, p-cpe:/a:novell:opensuse:kernel-debug-devel, p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo, p-cpe:/a:novell:opensuse:kernel-default, p-cpe:/a:novell:opensuse:kernel-default-base, p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-debugsource, p-cpe:/a:novell:opensuse:kernel-default-devel, p-cpe:/a:novell:opensuse:kernel-devel, p-cpe:/a:novell:opensuse:kernel-docs-html, p-cpe:/a:novell:opensuse:kernel-docs-pdf, p-cpe:/a:novell:opensuse:kernel-macros, p-cpe:/a:novell:opensuse:kernel-obs-build, p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource, p-cpe:/a:novell:opensuse:kernel-obs-qa, p-cpe:/a:novell:opensuse:kernel-source, p-cpe:/a:novell:opensuse:kernel-source-vanilla, p-cpe:/a:novell:opensuse:kernel-syms, p-cpe:/a:novell:opensuse:kernel-vanilla, p-cpe:/a:novell:opensuse:kernel-vanilla-base, p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo, p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource, p-cpe:/a:novell:opensuse:kernel-vanilla-devel, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/09/15

Reference Information

CVE: CVE-2017-1000251, CVE-2017-11472, CVE-2017-12134, CVE-2017-14051, CVE-2017-14106