SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0834-1)

critical Nessus Plugin ID 108705

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

- CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107).

- CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323).

- CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640).

- CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865).

- CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses.
Successful exploitation required that a USB device was attached over IP (bnc#1078674).

- CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416).

- CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).

- CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483).

- CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244).

- CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118).

- CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757).

- CVE-2017-16914: The 'stub_send_ret_submit()' function allowed attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (bnc#1078669).

- CVE-2016-7915: The hid_input_field function allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device (bnc#1010470).

- CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did unbalanced refcounting when a SCSI I/O vector had small consecutive buffers belonging to the same page. The bio_add_pc_page function merged them into one, but the page reference was never dropped. This caused a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (bnc#1062568).

- CVE-2017-16912: The 'get_pipe()' function allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673).

- CVE-2017-16913: The 'stub_recv_cmd_submit()' function when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672).

- CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621).

- CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).

- CVE-2017-18017: The tcpmss_mangle_packet function allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2018-558=1

SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-558=1

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1010470

https://bugzilla.suse.com/show_bug.cgi?id=1012382

https://bugzilla.suse.com/show_bug.cgi?id=1045330

https://bugzilla.suse.com/show_bug.cgi?id=1062568

https://bugzilla.suse.com/show_bug.cgi?id=1063416

https://bugzilla.suse.com/show_bug.cgi?id=1066001

https://bugzilla.suse.com/show_bug.cgi?id=1067118

https://bugzilla.suse.com/show_bug.cgi?id=1068032

https://bugzilla.suse.com/show_bug.cgi?id=1072689

https://bugzilla.suse.com/show_bug.cgi?id=1072865

https://bugzilla.suse.com/show_bug.cgi?id=1074488

https://bugzilla.suse.com/show_bug.cgi?id=1075617

https://bugzilla.suse.com/show_bug.cgi?id=1075621

https://bugzilla.suse.com/show_bug.cgi?id=1077560

https://bugzilla.suse.com/show_bug.cgi?id=1078669

https://bugzilla.suse.com/show_bug.cgi?id=1078672

https://bugzilla.suse.com/show_bug.cgi?id=1078673

https://bugzilla.suse.com/show_bug.cgi?id=1078674

https://bugzilla.suse.com/show_bug.cgi?id=1080255

https://bugzilla.suse.com/show_bug.cgi?id=1080464

https://bugzilla.suse.com/show_bug.cgi?id=1080757

https://bugzilla.suse.com/show_bug.cgi?id=1082299

https://bugzilla.suse.com/show_bug.cgi?id=1083244

https://bugzilla.suse.com/show_bug.cgi?id=1083483

https://bugzilla.suse.com/show_bug.cgi?id=1083494

https://bugzilla.suse.com/show_bug.cgi?id=1083640

https://bugzilla.suse.com/show_bug.cgi?id=1084323

https://bugzilla.suse.com/show_bug.cgi?id=1085107

https://bugzilla.suse.com/show_bug.cgi?id=1085114

https://bugzilla.suse.com/show_bug.cgi?id=1085279

https://bugzilla.suse.com/show_bug.cgi?id=1085447

https://www.suse.com/security/cve/CVE-2016-7915/

https://www.suse.com/security/cve/CVE-2017-12190/

https://www.suse.com/security/cve/CVE-2017-13166/

https://www.suse.com/security/cve/CVE-2017-15299/

https://www.suse.com/security/cve/CVE-2017-16644/

https://www.suse.com/security/cve/CVE-2017-16911/

https://www.suse.com/security/cve/CVE-2017-16912/

https://www.suse.com/security/cve/CVE-2017-16913/

https://www.suse.com/security/cve/CVE-2017-16914/

https://www.suse.com/security/cve/CVE-2017-18017/

https://www.suse.com/security/cve/CVE-2017-18204/

https://www.suse.com/security/cve/CVE-2017-18208/

https://www.suse.com/security/cve/CVE-2017-18221/

https://www.suse.com/security/cve/CVE-2018-1066/

https://www.suse.com/security/cve/CVE-2018-1068/

https://www.suse.com/security/cve/CVE-2018-5332/

https://www.suse.com/security/cve/CVE-2018-5333/

https://www.suse.com/security/cve/CVE-2018-6927/

https://www.suse.com/security/cve/CVE-2018-7566/

http://www.nessus.org/u?76c44bec

Plugin Details

Severity: Critical

ID: 108705

File Name: suse_SU-2018-0834-1.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/29/2018

Updated: 1/23/2020

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debugsource, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-xen-base, p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo, p-cpe:/a:novell:suse_linux:kernel-xen-debugsource, p-cpe:/a:novell:suse_linux:kernel-xen-devel, p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_125-default, p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_125-xen, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/28/2018

Vulnerability Publication Date: 11/16/2016

Exploitable With

Metasploit (Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation)

Reference Information

CVE: CVE-2016-7915, CVE-2017-12190, CVE-2017-13166, CVE-2017-15299, CVE-2017-16644, CVE-2017-16911, CVE-2017-16912, CVE-2017-16913, CVE-2017-16914, CVE-2017-18017, CVE-2017-18204, CVE-2017-18208, CVE-2017-18221, CVE-2018-1066, CVE-2018-1068, CVE-2018-5332, CVE-2018-5333, CVE-2018-6927, CVE-2018-7566