SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)

Critical Nessus Plugin ID 103354

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed :

- CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212)

- CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415)

- CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bsc#1030593).

- CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003)

- CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914)

- CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1024938)

- CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235)

- CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024)

- CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722)

- CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178)

- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066)

- CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bsc#1029850).

- CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573)

- CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213)

- CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052)

- CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440)

- CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579)

- CVE-2017-7482: Several missing length checks ticket decode allowing for information leak or potentially code execution (bsc#1046107).

- CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bsc#1038879).

- CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 1050677 ).

- CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882).

- CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bsc#1033336)

- CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability. This requires a malicious PCI Card.
(bnc#1037994).

- CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038544).

- CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182).

- CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1038981).

- CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882).

- CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1039883).

- CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885).

- CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1040069).

- CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431).

- CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152).

- CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275).

- CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603).

- CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148).

- CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).

- CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311).

- CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary could have overflowed the parport_nr array in the following code (bnc#1039456).

- CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation (bnc#1039354).

- CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch slessp3-kernel-source-13284=1

SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch slexsp3-kernel-source-13284=1

SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch sleposp3-kernel-source-13284=1

SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch dbgsp3-kernel-source-13284=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1006919

https://bugzilla.suse.com/show_bug.cgi?id=1012422

https://bugzilla.suse.com/show_bug.cgi?id=1013862

https://bugzilla.suse.com/show_bug.cgi?id=1017143

https://bugzilla.suse.com/show_bug.cgi?id=1020229

https://bugzilla.suse.com/show_bug.cgi?id=1021256

https://bugzilla.suse.com/show_bug.cgi?id=1023051

https://bugzilla.suse.com/show_bug.cgi?id=1024938

https://bugzilla.suse.com/show_bug.cgi?id=1025013

https://bugzilla.suse.com/show_bug.cgi?id=1025235

https://bugzilla.suse.com/show_bug.cgi?id=1026024

https://bugzilla.suse.com/show_bug.cgi?id=1026722

https://bugzilla.suse.com/show_bug.cgi?id=1026914

https://bugzilla.suse.com/show_bug.cgi?id=1027066

https://bugzilla.suse.com/show_bug.cgi?id=1027101

https://bugzilla.suse.com/show_bug.cgi?id=1027178

https://bugzilla.suse.com/show_bug.cgi?id=1027179

https://bugzilla.suse.com/show_bug.cgi?id=1027406

https://bugzilla.suse.com/show_bug.cgi?id=1028415

https://bugzilla.suse.com/show_bug.cgi?id=1028880

https://bugzilla.suse.com/show_bug.cgi?id=1029212

https://bugzilla.suse.com/show_bug.cgi?id=1029850

https://bugzilla.suse.com/show_bug.cgi?id=1030213

https://bugzilla.suse.com/show_bug.cgi?id=1030573

https://bugzilla.suse.com/show_bug.cgi?id=1030575

https://bugzilla.suse.com/show_bug.cgi?id=1030593

https://bugzilla.suse.com/show_bug.cgi?id=1031003

https://bugzilla.suse.com/show_bug.cgi?id=1031052

https://bugzilla.suse.com/show_bug.cgi?id=1031440

https://bugzilla.suse.com/show_bug.cgi?id=1031481

https://bugzilla.suse.com/show_bug.cgi?id=1031579

https://bugzilla.suse.com/show_bug.cgi?id=1031660

https://bugzilla.suse.com/show_bug.cgi?id=1033287

https://bugzilla.suse.com/show_bug.cgi?id=1033336

https://bugzilla.suse.com/show_bug.cgi?id=1034670

https://bugzilla.suse.com/show_bug.cgi?id=1034838

https://bugzilla.suse.com/show_bug.cgi?id=1035576

https://bugzilla.suse.com/show_bug.cgi?id=1037182

https://bugzilla.suse.com/show_bug.cgi?id=1037183

https://bugzilla.suse.com/show_bug.cgi?id=1037994

https://bugzilla.suse.com/show_bug.cgi?id=1038544

https://bugzilla.suse.com/show_bug.cgi?id=1038564

https://bugzilla.suse.com/show_bug.cgi?id=1038879

https://bugzilla.suse.com/show_bug.cgi?id=1038883

https://bugzilla.suse.com/show_bug.cgi?id=1038981

https://bugzilla.suse.com/show_bug.cgi?id=1038982

https://bugzilla.suse.com/show_bug.cgi?id=1039349

https://bugzilla.suse.com/show_bug.cgi?id=1039354

https://bugzilla.suse.com/show_bug.cgi?id=1039456

https://bugzilla.suse.com/show_bug.cgi?id=1039594

https://bugzilla.suse.com/show_bug.cgi?id=1039882

https://bugzilla.suse.com/show_bug.cgi?id=1039883

https://bugzilla.suse.com/show_bug.cgi?id=1039885

https://bugzilla.suse.com/show_bug.cgi?id=1040069

https://bugzilla.suse.com/show_bug.cgi?id=1041431

https://bugzilla.suse.com/show_bug.cgi?id=1042364

https://bugzilla.suse.com/show_bug.cgi?id=1042863

https://bugzilla.suse.com/show_bug.cgi?id=1042892

https://bugzilla.suse.com/show_bug.cgi?id=1044125

https://bugzilla.suse.com/show_bug.cgi?id=1045416

https://bugzilla.suse.com/show_bug.cgi?id=1045487

https://bugzilla.suse.com/show_bug.cgi?id=1046107

https://bugzilla.suse.com/show_bug.cgi?id=1048232

https://bugzilla.suse.com/show_bug.cgi?id=1048275

https://bugzilla.suse.com/show_bug.cgi?id=1049483

https://bugzilla.suse.com/show_bug.cgi?id=1049603

https://bugzilla.suse.com/show_bug.cgi?id=1049882

https://bugzilla.suse.com/show_bug.cgi?id=1050677

https://bugzilla.suse.com/show_bug.cgi?id=1052311

https://bugzilla.suse.com/show_bug.cgi?id=1053148

https://bugzilla.suse.com/show_bug.cgi?id=1053152

https://bugzilla.suse.com/show_bug.cgi?id=1053760

https://bugzilla.suse.com/show_bug.cgi?id=1056588

https://bugzilla.suse.com/show_bug.cgi?id=870618

https://bugzilla.suse.com/show_bug.cgi?id=948562

https://bugzilla.suse.com/show_bug.cgi?id=957988

https://bugzilla.suse.com/show_bug.cgi?id=957990

https://bugzilla.suse.com/show_bug.cgi?id=963655

https://bugzilla.suse.com/show_bug.cgi?id=972891

https://bugzilla.suse.com/show_bug.cgi?id=979681

https://bugzilla.suse.com/show_bug.cgi?id=983212

https://bugzilla.suse.com/show_bug.cgi?id=986924

https://bugzilla.suse.com/show_bug.cgi?id=989896

https://bugzilla.suse.com/show_bug.cgi?id=999245

https://www.suse.com/security/cve/CVE-2016-10200/

https://www.suse.com/security/cve/CVE-2016-5243/

https://www.suse.com/security/cve/CVE-2017-1000112/

https://www.suse.com/security/cve/CVE-2017-1000363/

https://www.suse.com/security/cve/CVE-2017-1000365/

https://www.suse.com/security/cve/CVE-2017-1000380/

https://www.suse.com/security/cve/CVE-2017-10661/

https://www.suse.com/security/cve/CVE-2017-11176/

https://www.suse.com/security/cve/CVE-2017-11473/

https://www.suse.com/security/cve/CVE-2017-12762/

https://www.suse.com/security/cve/CVE-2017-14051/

https://www.suse.com/security/cve/CVE-2017-2647/

https://www.suse.com/security/cve/CVE-2017-2671/

https://www.suse.com/security/cve/CVE-2017-5669/

https://www.suse.com/security/cve/CVE-2017-5970/

https://www.suse.com/security/cve/CVE-2017-5986/

https://www.suse.com/security/cve/CVE-2017-6074/

https://www.suse.com/security/cve/CVE-2017-6214/

https://www.suse.com/security/cve/CVE-2017-6348/

https://www.suse.com/security/cve/CVE-2017-6353/

https://www.suse.com/security/cve/CVE-2017-6951/

https://www.suse.com/security/cve/CVE-2017-7184/

https://www.suse.com/security/cve/CVE-2017-7187/

https://www.suse.com/security/cve/CVE-2017-7261/

https://www.suse.com/security/cve/CVE-2017-7294/

https://www.suse.com/security/cve/CVE-2017-7308/

https://www.suse.com/security/cve/CVE-2017-7482/

https://www.suse.com/security/cve/CVE-2017-7487/

https://www.suse.com/security/cve/CVE-2017-7533/

https://www.suse.com/security/cve/CVE-2017-7542/

https://www.suse.com/security/cve/CVE-2017-7616/

https://www.suse.com/security/cve/CVE-2017-8831/

https://www.suse.com/security/cve/CVE-2017-8890/

https://www.suse.com/security/cve/CVE-2017-8924/

https://www.suse.com/security/cve/CVE-2017-8925/

https://www.suse.com/security/cve/CVE-2017-9074/

https://www.suse.com/security/cve/CVE-2017-9075/

https://www.suse.com/security/cve/CVE-2017-9076/

https://www.suse.com/security/cve/CVE-2017-9077/

https://www.suse.com/security/cve/CVE-2017-9242/

http://www.nessus.org/u?0c969444

Plugin Details

Severity: Critical

ID: 103354

File Name: suse_SU-2017-2525-1.nasl

Version: 3.7

Type: local

Agent: unix

Published: 2017/09/20

Updated: 2018/11/30

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-bigsmp, p-cpe:/a:novell:suse_linux:kernel-bigsmp-base, p-cpe:/a:novell:suse_linux:kernel-bigsmp-devel, p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-ec2, p-cpe:/a:novell:suse_linux:kernel-ec2-base, p-cpe:/a:novell:suse_linux:kernel-ec2-devel, p-cpe:/a:novell:suse_linux:kernel-pae, p-cpe:/a:novell:suse_linux:kernel-pae-base, p-cpe:/a:novell:suse_linux:kernel-pae-devel, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-trace, p-cpe:/a:novell:suse_linux:kernel-trace-base, p-cpe:/a:novell:suse_linux:kernel-trace-devel, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-xen-base, p-cpe:/a:novell:suse_linux:kernel-xen-devel, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/09/19

Exploitable With

Core Impact

Metasploit (AF_PACKET packet_set_ring Privilege Escalation)

Reference Information

CVE: CVE-2016-10200, CVE-2016-5243, CVE-2017-1000112, CVE-2017-1000363, CVE-2017-1000365, CVE-2017-1000380, CVE-2017-10661, CVE-2017-11176, CVE-2017-11473, CVE-2017-12762, CVE-2017-14051, CVE-2017-2647, CVE-2017-2671, CVE-2017-5669, CVE-2017-5970, CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6348, CVE-2017-6353, CVE-2017-6951, CVE-2017-7184, CVE-2017-7187, CVE-2017-7261, CVE-2017-7294, CVE-2017-7308, CVE-2017-7482, CVE-2017-7487, CVE-2017-7533, CVE-2017-7542, CVE-2017-7616, CVE-2017-8831, CVE-2017-8890, CVE-2017-8924, CVE-2017-8925, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077, CVE-2017-9242