SUSE SLES11 Security Update : kernel (SUSE-SU-2017:3265-1) (KRACK)

Critical Nessus Plugin ID 105172

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

- CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067085).

- CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066700).

- CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference (bnc#1066705).

- CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor (bnc#1066671).

- CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066650).

- CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup (bnc#1066618).

- CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573).

- CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606).

- CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066625).

- CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667).

- CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327).

- CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (bnc#1062520).

- CVE-2017-14489: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local users to cause a denial of service (panic) by leveraging incorrect length validation (bnc#1059051).

- CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel did not verify that a filesystem has a realtime device, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory (bnc#1058524).

- CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179).

- CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).

- CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152).

- CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148).

- CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994).

- CVE-2017-1000112: An exploitable memory corruption due to UFO to non-UFO path switch was fixed. (bnc#1052311 bnc#1052365).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t patch sdksp4-kernel-20171124-13375=1

SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-kernel-20171124-13375=1

SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch slexsp3-kernel-20171124-13375=1

SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-kernel-20171124-13375=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1012917

https://bugzilla.suse.com/show_bug.cgi?id=1013018

https://bugzilla.suse.com/show_bug.cgi?id=1022967

https://bugzilla.suse.com/show_bug.cgi?id=1024450

https://bugzilla.suse.com/show_bug.cgi?id=1031358

https://bugzilla.suse.com/show_bug.cgi?id=1036286

https://bugzilla.suse.com/show_bug.cgi?id=1036629

https://bugzilla.suse.com/show_bug.cgi?id=1037441

https://bugzilla.suse.com/show_bug.cgi?id=1037667

https://bugzilla.suse.com/show_bug.cgi?id=1037669

https://bugzilla.suse.com/show_bug.cgi?id=1037994

https://bugzilla.suse.com/show_bug.cgi?id=1039803

https://bugzilla.suse.com/show_bug.cgi?id=1040609

https://bugzilla.suse.com/show_bug.cgi?id=1042863

https://bugzilla.suse.com/show_bug.cgi?id=1045154

https://bugzilla.suse.com/show_bug.cgi?id=1045205

https://bugzilla.suse.com/show_bug.cgi?id=1045327

https://bugzilla.suse.com/show_bug.cgi?id=1045538

https://bugzilla.suse.com/show_bug.cgi?id=1047523

https://bugzilla.suse.com/show_bug.cgi?id=1050381

https://bugzilla.suse.com/show_bug.cgi?id=1050431

https://bugzilla.suse.com/show_bug.cgi?id=1051133

https://bugzilla.suse.com/show_bug.cgi?id=1051932

https://bugzilla.suse.com/show_bug.cgi?id=1052311

https://bugzilla.suse.com/show_bug.cgi?id=1052365

https://bugzilla.suse.com/show_bug.cgi?id=1052370

https://bugzilla.suse.com/show_bug.cgi?id=1052593

https://bugzilla.suse.com/show_bug.cgi?id=1053148

https://bugzilla.suse.com/show_bug.cgi?id=1053152

https://bugzilla.suse.com/show_bug.cgi?id=1053317

https://bugzilla.suse.com/show_bug.cgi?id=1053802

https://bugzilla.suse.com/show_bug.cgi?id=1053933

https://bugzilla.suse.com/show_bug.cgi?id=1054070

https://bugzilla.suse.com/show_bug.cgi?id=1054076

https://bugzilla.suse.com/show_bug.cgi?id=1054093

https://bugzilla.suse.com/show_bug.cgi?id=1054247

https://bugzilla.suse.com/show_bug.cgi?id=1054305

https://bugzilla.suse.com/show_bug.cgi?id=1054706

https://bugzilla.suse.com/show_bug.cgi?id=1056230

https://bugzilla.suse.com/show_bug.cgi?id=1056504

https://bugzilla.suse.com/show_bug.cgi?id=1056588

https://bugzilla.suse.com/show_bug.cgi?id=1057179

https://bugzilla.suse.com/show_bug.cgi?id=1057796

https://bugzilla.suse.com/show_bug.cgi?id=1058524

https://bugzilla.suse.com/show_bug.cgi?id=1059051

https://bugzilla.suse.com/show_bug.cgi?id=1060245

https://bugzilla.suse.com/show_bug.cgi?id=1060665

https://bugzilla.suse.com/show_bug.cgi?id=1061017

https://bugzilla.suse.com/show_bug.cgi?id=1061180

https://bugzilla.suse.com/show_bug.cgi?id=1062520

https://bugzilla.suse.com/show_bug.cgi?id=1062842

https://bugzilla.suse.com/show_bug.cgi?id=1063301

https://bugzilla.suse.com/show_bug.cgi?id=1063544

https://bugzilla.suse.com/show_bug.cgi?id=1063667

https://bugzilla.suse.com/show_bug.cgi?id=1064803

https://bugzilla.suse.com/show_bug.cgi?id=1064861

https://bugzilla.suse.com/show_bug.cgi?id=1065180

https://bugzilla.suse.com/show_bug.cgi?id=1066471

https://bugzilla.suse.com/show_bug.cgi?id=1066472

https://bugzilla.suse.com/show_bug.cgi?id=1066573

https://bugzilla.suse.com/show_bug.cgi?id=1066606

https://bugzilla.suse.com/show_bug.cgi?id=1066618

https://bugzilla.suse.com/show_bug.cgi?id=1066625

https://bugzilla.suse.com/show_bug.cgi?id=1066650

https://bugzilla.suse.com/show_bug.cgi?id=1066671

https://bugzilla.suse.com/show_bug.cgi?id=1066700

https://bugzilla.suse.com/show_bug.cgi?id=1066705

https://bugzilla.suse.com/show_bug.cgi?id=1067085

https://bugzilla.suse.com/show_bug.cgi?id=1067816

https://bugzilla.suse.com/show_bug.cgi?id=1067888

https://bugzilla.suse.com/show_bug.cgi?id=909484

https://bugzilla.suse.com/show_bug.cgi?id=984530

https://bugzilla.suse.com/show_bug.cgi?id=996376

https://www.suse.com/security/cve/CVE-2017-1000112/

https://www.suse.com/security/cve/CVE-2017-10661/

https://www.suse.com/security/cve/CVE-2017-12762/

https://www.suse.com/security/cve/CVE-2017-13080/

https://www.suse.com/security/cve/CVE-2017-14051/

https://www.suse.com/security/cve/CVE-2017-14140/

https://www.suse.com/security/cve/CVE-2017-14340/

https://www.suse.com/security/cve/CVE-2017-14489/

https://www.suse.com/security/cve/CVE-2017-15102/

https://www.suse.com/security/cve/CVE-2017-15265/

https://www.suse.com/security/cve/CVE-2017-15274/

https://www.suse.com/security/cve/CVE-2017-16525/

https://www.suse.com/security/cve/CVE-2017-16527/

https://www.suse.com/security/cve/CVE-2017-16529/

https://www.suse.com/security/cve/CVE-2017-16531/

https://www.suse.com/security/cve/CVE-2017-16535/

https://www.suse.com/security/cve/CVE-2017-16536/

https://www.suse.com/security/cve/CVE-2017-16537/

https://www.suse.com/security/cve/CVE-2017-16649/

https://www.suse.com/security/cve/CVE-2017-8831/

http://www.nessus.org/u?f1e5f1fa

Plugin Details

Severity: Critical

ID: 105172

File Name: suse_SU-2017-3265-1.nasl

Version: 3.13

Type: local

Agent: unix

Published: 2017/12/12

Updated: 2018/11/30

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-ec2, p-cpe:/a:novell:suse_linux:kernel-ec2-base, p-cpe:/a:novell:suse_linux:kernel-ec2-devel, p-cpe:/a:novell:suse_linux:kernel-pae, p-cpe:/a:novell:suse_linux:kernel-pae-base, p-cpe:/a:novell:suse_linux:kernel-pae-devel, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-trace, p-cpe:/a:novell:suse_linux:kernel-trace-base, p-cpe:/a:novell:suse_linux:kernel-trace-devel, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-xen-base, p-cpe:/a:novell:suse_linux:kernel-xen-devel, cpe:/o:novell:suse_linux:11

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/12/11

Exploitable With

Core Impact

Metasploit (Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation)

Reference Information

CVE: CVE-2017-1000112, CVE-2017-10661, CVE-2017-12192, CVE-2017-12762, CVE-2017-13080, CVE-2017-14051, CVE-2017-14140, CVE-2017-14340, CVE-2017-14489, CVE-2017-15102, CVE-2017-15265, CVE-2017-15274, CVE-2017-16525, CVE-2017-16527, CVE-2017-16529, CVE-2017-16531, CVE-2017-16535, CVE-2017-16536, CVE-2017-16537, CVE-2017-16649, CVE-2017-8831

IAVA: 2017-A-0310