Detections
Analytics
openSUSE Security Update : the Linux Kernel (openSUSE-2016-753)
critical Nessus Plugin ID 91736
Language:
Synopsis
The remote openSUSE host is missing a security update.Description
The openSUSE Leap 42.1 kernel was updated to 4.1.26 to receive various security and bugfixes.The following security bugs were fixed :
- CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143).
- CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.
(bsc#979548)
- CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions. (bsc#980371).
- CVE-2016-4951: The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel did not verify socket existence, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation. (bsc#981058).
- CVE-2016-5244: An information leak vulnerability in function rds_inc_info_copy of file net/rds/recv.c was fixed that might have leaked kernel stack data.
(bsc#983213).
- CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.
(bsc#981267).
- CVE-2016-0758: Tags with indefinite length could have corrupted pointers in asn1_find_indefinite_length (bsc#979867).
- CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762).
- CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654).
- CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
- CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308).
- CVE-2016-4482: A kernel information leak in the usbfs devio connectinfo was fixed, which could expose kernel stack memory to userspace. (bnc#978401).
- CVE-2016-4485: A kernel information leak in llc was fixed (bsc#978821).
- CVE-2016-4486: A kernel information leak in rtnetlink was fixed, where 4 uninitialized bytes could leak to userspace (bsc#978822).
- CVE-2016-4557: A use-after-free via double-fdput in replace_map_fd_with_map_ptr() was fixed, which could allow privilege escalation (bsc#979018).
- CVE-2016-4565: When the 'rdma_ucm' infiniband module is loaded, local attackers could escalate their privileges (bsc#979548).
- CVE-2016-4569: A kernel information leak in the ALSA timer via events via snd_timer_user_tinterrupt that could leak information to userspace was fixed (bsc#979213).
- CVE-2016-4578: A kernel information leak in the ALSA timer via events that could leak information to userspace was fixed (bsc#979879).
- CVE-2016-4581: If the first propogated mount copy was being a slave it could oops the kernel (bsc#979913)
The following non-security bugs were fixed :
- ALSA: hda - Add dock support for ThinkPad X260 (boo#979278).
- ALSA: hda - Apply fix for white noise on Asus N550JV, too (boo#979278).
- ALSA: hda - Asus N750JV external subwoofer fixup (boo#979278).
- ALSA: hda - Fix broken reconfig (boo#979278).
- ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines (boo#979278).
- ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 (boo#979278).
- ALSA: hda - Fix white noise on Asus N750JV headphone (boo#979278).
- ALSA: hda - Fix white noise on Asus UX501VW headset (boo#979278).
- ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m (boo#979278).
- ALSA: hda/realtek - New codecs support for ALC234/ALC274/ALC294 (boo#979278).
- ALSA: hda/realtek - New codec support of ALC225 (boo#979278).
- ALSA: hda/realtek - Support headset mode for ALC225 (boo#979278).
- ALSA: pcxhr: Fix missing mutex unlock (boo#979278).
- ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2) (boo#979278).
- bluetooth: fix power_on vs close race (bsc#966849).
- bluetooth: vhci: fix open_timeout vs. hdev race (bsc#971799,bsc#966849).
- bluetooth: vhci: Fix race at creating hci device (bsc#971799,bsc#966849).
- bluetooth: vhci: purge unhandled skbs (bsc#971799,bsc#966849).
- btrfs: do not use src fd for printk (bsc#980348).
- btrfs: fix crash/invalid memory access on fsync when using overlayfs (bsc#977198)
- drm: qxl: Workaround for buggy user-space (bsc#981344).
- enic: set netdev->vlan_features (bsc#966245).
- fs: add file_dentry() (bsc#977198).
- IB/IPoIB: Do not set skb truesize since using one linearskb (bsc#980657).
- input: i8042 - lower log level for 'no controller' message (bsc#945345).
- kabi: Add kabi/severities entries to ignore sound/hda/*, x509_*, efivar_validate, file_open_root and dax_fault
- kabi: Add some fixups (module, pci_dev, drm, fuse and thermal)
- kabi: file_dentry changes (bsc#977198).
- kABI fixes for 4.1.22
- mm/page_alloc.c: calculate 'available' memory in a separate function (bsc#982239).
- net: disable fragment reassembly if high_thresh is zero (bsc#970506).
- of: iommu: Silence misleading warning.
- pstore_register() error handling was wrong -- it tried to release lock before it's acquired, causing spinlock / preemption imbalance. - usb: quirk to stop runtime PM for Intel 7260 (bnc#984460).
- Revert 'usb: hub: do not clear BOS field during reset device' (boo#979728).
- usb: core: hub: hub_port_init lock controller instead of bus (bnc#978073).
- usb: preserve kABI in address0 locking (bnc#978073).
- usb: usbip: fix potential out-of-bounds write (bnc#975945).
- USB: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982712).
- virtio_balloon: do not change memory amount visible via /proc/meminfo (bsc#982238).
- virtio_balloon: export 'available' memory to balloon statistics (bsc#982239).
Solution
Update the affected the Linux Kernel packages.See Also
https://bugzilla.opensuse.org/show_bug.cgi?id=945345
https://bugzilla.opensuse.org/show_bug.cgi?id=955654
https://bugzilla.opensuse.org/show_bug.cgi?id=963762
https://bugzilla.opensuse.org/show_bug.cgi?id=966245
https://bugzilla.opensuse.org/show_bug.cgi?id=966849
https://bugzilla.opensuse.org/show_bug.cgi?id=970506
https://bugzilla.opensuse.org/show_bug.cgi?id=971126
https://bugzilla.opensuse.org/show_bug.cgi?id=971799
https://bugzilla.opensuse.org/show_bug.cgi?id=973570
https://bugzilla.opensuse.org/show_bug.cgi?id=974308
https://bugzilla.opensuse.org/show_bug.cgi?id=975945
https://bugzilla.opensuse.org/show_bug.cgi?id=977198
https://bugzilla.opensuse.org/show_bug.cgi?id=978073
https://bugzilla.opensuse.org/show_bug.cgi?id=978401
https://bugzilla.opensuse.org/show_bug.cgi?id=978821
https://bugzilla.opensuse.org/show_bug.cgi?id=978822
https://bugzilla.opensuse.org/show_bug.cgi?id=979018
https://bugzilla.opensuse.org/show_bug.cgi?id=979213
https://bugzilla.opensuse.org/show_bug.cgi?id=979278
https://bugzilla.opensuse.org/show_bug.cgi?id=979548
https://bugzilla.opensuse.org/show_bug.cgi?id=979728
https://bugzilla.opensuse.org/show_bug.cgi?id=979867
https://bugzilla.opensuse.org/show_bug.cgi?id=979879
https://bugzilla.opensuse.org/show_bug.cgi?id=979913
https://bugzilla.opensuse.org/show_bug.cgi?id=980348
https://bugzilla.opensuse.org/show_bug.cgi?id=980371
https://bugzilla.opensuse.org/show_bug.cgi?id=980657
https://bugzilla.opensuse.org/show_bug.cgi?id=981058
https://bugzilla.opensuse.org/show_bug.cgi?id=981267
https://bugzilla.opensuse.org/show_bug.cgi?id=981344
https://bugzilla.opensuse.org/show_bug.cgi?id=982238
https://bugzilla.opensuse.org/show_bug.cgi?id=982239
https://bugzilla.opensuse.org/show_bug.cgi?id=982712
https://bugzilla.opensuse.org/show_bug.cgi?id=983143
Plugin Details
Severity: Critical
ID: 91736
File Name: openSUSE-2016-753.nasl
Version: 2.9
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 6/22/2016
Updated: 1/19/2021
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: High
Score: 8.9
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 8.3
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 9.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:kernel-debug-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-base, p-cpe:/a:novell:opensuse:kernel-ec2-debugsource, p-cpe:/a:novell:opensuse:kernel-pv-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debugsource, p-cpe:/a:novell:opensuse:kernel-default-base, p-cpe:/a:novell:opensuse:kernel-pae, p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource, p-cpe:/a:novell:opensuse:kernel-default, p-cpe:/a:novell:opensuse:kernel-macros, p-cpe:/a:novell:opensuse:kernel-default-debugsource, p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-devel, p-cpe:/a:novell:opensuse:kernel-vanilla-devel, p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-base, p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo, p-cpe:/a:novell:opensuse:kernel-devel, p-cpe:/a:novell:opensuse:kernel-xen-debuginfo, cpe:/o:novell:opensuse:42.1, p-cpe:/a:novell:opensuse:kernel-obs-build, p-cpe:/a:novell:opensuse:kernel-debug-devel, p-cpe:/a:novell:opensuse:kernel-debug-debugsource, p-cpe:/a:novell:opensuse:kernel-ec2, p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-base, p-cpe:/a:novell:opensuse:kernel-pv, p-cpe:/a:novell:opensuse:kernel-obs-qa, p-cpe:/a:novell:opensuse:kernel-default-debuginfo, p-cpe:/a:novell:opensuse:kernel-source-vanilla, p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debugsource, p-cpe:/a:novell:opensuse:kernel-pv-devel, p-cpe:/a:novell:opensuse:kernel-debug, p-cpe:/a:novell:opensuse:kernel-pv-debugsource, p-cpe:/a:novell:opensuse:kernel-xen, p-cpe:/a:novell:opensuse:kernel-pv-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-obs-qa-xen, p-cpe:/a:novell:opensuse:kernel-xen-devel, p-cpe:/a:novell:opensuse:kernel-vanilla, p-cpe:/a:novell:opensuse:kernel-pae-base, p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo, p-cpe:/a:novell:opensuse:kernel-docs-pdf, p-cpe:/a:novell:opensuse:kernel-pae-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-base, p-cpe:/a:novell:opensuse:kernel-source, p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource, p-cpe:/a:novell:opensuse:kernel-ec2-devel, p-cpe:/a:novell:opensuse:kernel-syms, p-cpe:/a:novell:opensuse:kernel-default-devel, p-cpe:/a:novell:opensuse:kernel-docs-html
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 6/21/2016
Exploitable With
Metasploit (Linux BPF doubleput UAF Privilege Escalation)
Reference Information
CVE: CVE-2013-7446, CVE-2016-0758, CVE-2016-1583, CVE-2016-2053, CVE-2016-3134, CVE-2016-3672, CVE-2016-3955, CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4557, CVE-2016-4565, CVE-2016-4569, CVE-2016-4578, CVE-2016-4580, CVE-2016-4581, CVE-2016-4805, CVE-2016-4951, CVE-2016-5244