openSUSE Security Update : the Linux Kernel (openSUSE-2016-753)

Critical Nessus Plugin ID 91736

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 7.4

Synopsis

The remote openSUSE host is missing a security update.

Description

The openSUSE Leap 42.1 kernel was updated to 4.1.26 to receive various security and bugfixes.

The following security bugs were fixed :

- CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143).

- CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.
(bsc#979548)

- CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions. (bsc#980371).

- CVE-2016-4951: The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel did not verify socket existence, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation. (bsc#981058).

- CVE-2016-5244: An information leak vulnerability in function rds_inc_info_copy of file net/rds/recv.c was fixed that might have leaked kernel stack data.
(bsc#983213).

- CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.
(bsc#981267).

- CVE-2016-0758: Tags with indefinite length could have corrupted pointers in asn1_find_indefinite_length (bsc#979867).

- CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762).

- CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654).

- CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

- CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308).

- CVE-2016-4482: A kernel information leak in the usbfs devio connectinfo was fixed, which could expose kernel stack memory to userspace. (bnc#978401).

- CVE-2016-4485: A kernel information leak in llc was fixed (bsc#978821).

- CVE-2016-4486: A kernel information leak in rtnetlink was fixed, where 4 uninitialized bytes could leak to userspace (bsc#978822).

- CVE-2016-4557: A use-after-free via double-fdput in replace_map_fd_with_map_ptr() was fixed, which could allow privilege escalation (bsc#979018).

- CVE-2016-4565: When the 'rdma_ucm' infiniband module is loaded, local attackers could escalate their privileges (bsc#979548).

- CVE-2016-4569: A kernel information leak in the ALSA timer via events via snd_timer_user_tinterrupt that could leak information to userspace was fixed (bsc#979213).

- CVE-2016-4578: A kernel information leak in the ALSA timer via events that could leak information to userspace was fixed (bsc#979879).

- CVE-2016-4581: If the first propogated mount copy was being a slave it could oops the kernel (bsc#979913)

The following non-security bugs were fixed :

- ALSA: hda - Add dock support for ThinkPad X260 (boo#979278).

- ALSA: hda - Apply fix for white noise on Asus N550JV, too (boo#979278).

- ALSA: hda - Asus N750JV external subwoofer fixup (boo#979278).

- ALSA: hda - Fix broken reconfig (boo#979278).

- ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines (boo#979278).

- ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 (boo#979278).

- ALSA: hda - Fix white noise on Asus N750JV headphone (boo#979278).

- ALSA: hda - Fix white noise on Asus UX501VW headset (boo#979278).

- ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m (boo#979278).

- ALSA: hda/realtek - New codecs support for ALC234/ALC274/ALC294 (boo#979278).

- ALSA: hda/realtek - New codec support of ALC225 (boo#979278).

- ALSA: hda/realtek - Support headset mode for ALC225 (boo#979278).

- ALSA: pcxhr: Fix missing mutex unlock (boo#979278).

- ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2) (boo#979278).

- bluetooth: fix power_on vs close race (bsc#966849).

- bluetooth: vhci: fix open_timeout vs. hdev race (bsc#971799,bsc#966849).

- bluetooth: vhci: Fix race at creating hci device (bsc#971799,bsc#966849).

- bluetooth: vhci: purge unhandled skbs (bsc#971799,bsc#966849).

- btrfs: do not use src fd for printk (bsc#980348).

- btrfs: fix crash/invalid memory access on fsync when using overlayfs (bsc#977198)

- drm: qxl: Workaround for buggy user-space (bsc#981344).

- enic: set netdev->vlan_features (bsc#966245).

- fs: add file_dentry() (bsc#977198).

- IB/IPoIB: Do not set skb truesize since using one linearskb (bsc#980657).

- input: i8042 - lower log level for 'no controller' message (bsc#945345).

- kabi: Add kabi/severities entries to ignore sound/hda/*, x509_*, efivar_validate, file_open_root and dax_fault

- kabi: Add some fixups (module, pci_dev, drm, fuse and thermal)

- kabi: file_dentry changes (bsc#977198).

- kABI fixes for 4.1.22

- mm/page_alloc.c: calculate 'available' memory in a separate function (bsc#982239).

- net: disable fragment reassembly if high_thresh is zero (bsc#970506).

- of: iommu: Silence misleading warning.

- pstore_register() error handling was wrong -- it tried to release lock before it's acquired, causing spinlock / preemption imbalance. - usb: quirk to stop runtime PM for Intel 7260 (bnc#984460).

- Revert 'usb: hub: do not clear BOS field during reset device' (boo#979728).

- usb: core: hub: hub_port_init lock controller instead of bus (bnc#978073).

- usb: preserve kABI in address0 locking (bnc#978073).

- usb: usbip: fix potential out-of-bounds write (bnc#975945).

- USB: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982712).

- virtio_balloon: do not change memory amount visible via /proc/meminfo (bsc#982238).

- virtio_balloon: export 'available' memory to balloon statistics (bsc#982239).

Solution

Update the affected the Linux Kernel packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=945345

https://bugzilla.opensuse.org/show_bug.cgi?id=955654

https://bugzilla.opensuse.org/show_bug.cgi?id=963762

https://bugzilla.opensuse.org/show_bug.cgi?id=966245

https://bugzilla.opensuse.org/show_bug.cgi?id=966849

https://bugzilla.opensuse.org/show_bug.cgi?id=970506

https://bugzilla.opensuse.org/show_bug.cgi?id=971126

https://bugzilla.opensuse.org/show_bug.cgi?id=971799

https://bugzilla.opensuse.org/show_bug.cgi?id=973570

https://bugzilla.opensuse.org/show_bug.cgi?id=974308

https://bugzilla.opensuse.org/show_bug.cgi?id=975945

https://bugzilla.opensuse.org/show_bug.cgi?id=977198

https://bugzilla.opensuse.org/show_bug.cgi?id=978073

https://bugzilla.opensuse.org/show_bug.cgi?id=978401

https://bugzilla.opensuse.org/show_bug.cgi?id=978821

https://bugzilla.opensuse.org/show_bug.cgi?id=978822

https://bugzilla.opensuse.org/show_bug.cgi?id=979018

https://bugzilla.opensuse.org/show_bug.cgi?id=979213

https://bugzilla.opensuse.org/show_bug.cgi?id=979278

https://bugzilla.opensuse.org/show_bug.cgi?id=979548

https://bugzilla.opensuse.org/show_bug.cgi?id=979728

https://bugzilla.opensuse.org/show_bug.cgi?id=979867

https://bugzilla.opensuse.org/show_bug.cgi?id=979879

https://bugzilla.opensuse.org/show_bug.cgi?id=979913

https://bugzilla.opensuse.org/show_bug.cgi?id=980348

https://bugzilla.opensuse.org/show_bug.cgi?id=980371

https://bugzilla.opensuse.org/show_bug.cgi?id=980657

https://bugzilla.opensuse.org/show_bug.cgi?id=981058

https://bugzilla.opensuse.org/show_bug.cgi?id=981267

https://bugzilla.opensuse.org/show_bug.cgi?id=981344

https://bugzilla.opensuse.org/show_bug.cgi?id=982238

https://bugzilla.opensuse.org/show_bug.cgi?id=982239

https://bugzilla.opensuse.org/show_bug.cgi?id=982712

https://bugzilla.opensuse.org/show_bug.cgi?id=983143

https://bugzilla.opensuse.org/show_bug.cgi?id=983213

https://bugzilla.opensuse.org/show_bug.cgi?id=984460

Plugin Details

Severity: Critical

ID: 91736

File Name: openSUSE-2016-753.nasl

Version: 2.8

Type: local

Agent: unix

Published: 2016/06/22

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 7.4

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:kernel-debug, p-cpe:/a:novell:opensuse:kernel-debug-base, p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debugsource, p-cpe:/a:novell:opensuse:kernel-debug-devel, p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo, p-cpe:/a:novell:opensuse:kernel-default, p-cpe:/a:novell:opensuse:kernel-default-base, p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-debugsource, p-cpe:/a:novell:opensuse:kernel-default-devel, p-cpe:/a:novell:opensuse:kernel-devel, p-cpe:/a:novell:opensuse:kernel-docs-html, p-cpe:/a:novell:opensuse:kernel-docs-pdf, p-cpe:/a:novell:opensuse:kernel-ec2, p-cpe:/a:novell:opensuse:kernel-ec2-base, p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-debugsource, p-cpe:/a:novell:opensuse:kernel-ec2-devel, p-cpe:/a:novell:opensuse:kernel-macros, p-cpe:/a:novell:opensuse:kernel-obs-build, p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource, p-cpe:/a:novell:opensuse:kernel-obs-qa, p-cpe:/a:novell:opensuse:kernel-obs-qa-xen, p-cpe:/a:novell:opensuse:kernel-pae, p-cpe:/a:novell:opensuse:kernel-pae-base, p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debugsource, p-cpe:/a:novell:opensuse:kernel-pae-devel, p-cpe:/a:novell:opensuse:kernel-pv, p-cpe:/a:novell:opensuse:kernel-pv-base, p-cpe:/a:novell:opensuse:kernel-pv-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-debugsource, p-cpe:/a:novell:opensuse:kernel-pv-devel, p-cpe:/a:novell:opensuse:kernel-source, p-cpe:/a:novell:opensuse:kernel-source-vanilla, p-cpe:/a:novell:opensuse:kernel-syms, p-cpe:/a:novell:opensuse:kernel-vanilla, p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo, p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource, p-cpe:/a:novell:opensuse:kernel-vanilla-devel, p-cpe:/a:novell:opensuse:kernel-xen, p-cpe:/a:novell:opensuse:kernel-xen-base, p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debugsource, p-cpe:/a:novell:opensuse:kernel-xen-devel, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/06/21

Exploitable With

Metasploit (Linux BPF doubleput UAF Privilege Escalation)

Reference Information

CVE: CVE-2013-7446, CVE-2016-0758, CVE-2016-1583, CVE-2016-2053, CVE-2016-3134, CVE-2016-3672, CVE-2016-3955, CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4557, CVE-2016-4565, CVE-2016-4569, CVE-2016-4578, CVE-2016-4580, CVE-2016-4581, CVE-2016-4805, CVE-2016-4951, CVE-2016-5244