SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3249-1) (Dirty COW)

High Nessus Plugin ID 105150

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to receive various security and bugfixes. The following security bugs were fixed :

- CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702 1069708).

- CVE-2017-1000405: The Linux Kernel had a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() could be reached by get_user_pages(). In such case, the pmd would become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd could become dirty without going through a COW cycle. This bug was not as severe as the original 'Dirty cow' because an ext4 file (or any other regular file) could not be mapped using THP. Nevertheless, it did allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files could be overwritten (since their mapping could be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp (bnc#1069496 1070307).

- CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067085).

- CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c in the Linux kernel, when CONFIG_X86_X32 is enabled, allowed local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter (bnc#860993).

- CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067086).

- CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066700).

- CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference (bnc#1066705).

- CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor (bnc#1066671).

- CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192).

- CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066650).

- CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup (bnc#1066618).

- CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573).

- CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606).

- CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066625).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2017-2024=1

SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-2024=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1043652

https://bugzilla.suse.com/show_bug.cgi?id=1047626

https://bugzilla.suse.com/show_bug.cgi?id=1066192

https://bugzilla.suse.com/show_bug.cgi?id=1066471

https://bugzilla.suse.com/show_bug.cgi?id=1066472

https://bugzilla.suse.com/show_bug.cgi?id=1066573

https://bugzilla.suse.com/show_bug.cgi?id=1066606

https://bugzilla.suse.com/show_bug.cgi?id=1066618

https://bugzilla.suse.com/show_bug.cgi?id=1066625

https://bugzilla.suse.com/show_bug.cgi?id=1066650

https://bugzilla.suse.com/show_bug.cgi?id=1066671

https://bugzilla.suse.com/show_bug.cgi?id=1066700

https://bugzilla.suse.com/show_bug.cgi?id=1066705

https://bugzilla.suse.com/show_bug.cgi?id=1067085

https://bugzilla.suse.com/show_bug.cgi?id=1067086

https://bugzilla.suse.com/show_bug.cgi?id=1067997

https://bugzilla.suse.com/show_bug.cgi?id=1069496

https://bugzilla.suse.com/show_bug.cgi?id=1069702

https://bugzilla.suse.com/show_bug.cgi?id=1069708

https://bugzilla.suse.com/show_bug.cgi?id=1070307

https://bugzilla.suse.com/show_bug.cgi?id=1070781

https://bugzilla.suse.com/show_bug.cgi?id=860993

https://www.suse.com/security/cve/CVE-2014-0038/

https://www.suse.com/security/cve/CVE-2017-1000405/

https://www.suse.com/security/cve/CVE-2017-12193/

https://www.suse.com/security/cve/CVE-2017-15102/

https://www.suse.com/security/cve/CVE-2017-16525/

https://www.suse.com/security/cve/CVE-2017-16527/

https://www.suse.com/security/cve/CVE-2017-16529/

https://www.suse.com/security/cve/CVE-2017-16531/

https://www.suse.com/security/cve/CVE-2017-16535/

https://www.suse.com/security/cve/CVE-2017-16536/

https://www.suse.com/security/cve/CVE-2017-16537/

https://www.suse.com/security/cve/CVE-2017-16649/

https://www.suse.com/security/cve/CVE-2017-16650/

https://www.suse.com/security/cve/CVE-2017-16939/

http://www.nessus.org/u?73fbeea3

Plugin Details

Severity: High

ID: 105150

File Name: suse_SU-2017-3249-1.nasl

Version: 3.7

Type: local

Agent: unix

Published: 2017/12/11

Updated: 2018/11/30

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debugsource, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-xen-base, p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo, p-cpe:/a:novell:suse_linux:kernel-xen-debugsource, p-cpe:/a:novell:suse_linux:kernel-xen-devel, p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_106-default, p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_106-xen, cpe:/o:novell:suse_linux:12

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/12/08

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Linux Kernel recvmmsg Privilege Escalation)

Reference Information

CVE: CVE-2014-0038, CVE-2017-1000405, CVE-2017-12193, CVE-2017-15102, CVE-2017-16525, CVE-2017-16527, CVE-2017-16529, CVE-2017-16531, CVE-2017-16535, CVE-2017-16536, CVE-2017-16537, CVE-2017-16649, CVE-2017-16650, CVE-2017-16939

BID: 65255