SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:2105-1)

High Nessus Plugin ID 93299

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.62 to receive various security and bugfixes. The following security bugs were fixed :

- CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).

- CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998).

- CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka 'Linux pciback missing sanity checks (bnc#957990).

- CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka 'Linux pciback missing sanity checks (bnc#957990).

- CVE-2015-8845: The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms did not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allowed local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application (bnc#975533).

- CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867).

- CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983143).

- CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762).

- CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308).

- CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755).

- CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bsc#978401).

- CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822).

- CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548).

- CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bsc#979213).

- CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879).

- CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371).

- CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986362).

- CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bsc#986365).

- CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213).

- CVE-2016-5828: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction an exec system call (bsc#986569).

- CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12-SP1:zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1246=1

SUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1246=1

SUSE Linux Enterprise Server 12-SP1:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1246=1

SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-1246=1

SUSE Linux Enterprise Live Patching 12:zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1246=1

SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1246=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=947337

https://bugzilla.suse.com/show_bug.cgi?id=950998

https://bugzilla.suse.com/show_bug.cgi?id=951844

https://bugzilla.suse.com/show_bug.cgi?id=953048

https://bugzilla.suse.com/show_bug.cgi?id=954847

https://bugzilla.suse.com/show_bug.cgi?id=956491

https://bugzilla.suse.com/show_bug.cgi?id=957990

https://bugzilla.suse.com/show_bug.cgi?id=962742

https://bugzilla.suse.com/show_bug.cgi?id=963655

https://bugzilla.suse.com/show_bug.cgi?id=963762

https://bugzilla.suse.com/show_bug.cgi?id=965087

https://bugzilla.suse.com/show_bug.cgi?id=966245

https://bugzilla.suse.com/show_bug.cgi?id=968667

https://bugzilla.suse.com/show_bug.cgi?id=970114

https://bugzilla.suse.com/show_bug.cgi?id=970506

https://bugzilla.suse.com/show_bug.cgi?id=971770

https://bugzilla.suse.com/show_bug.cgi?id=972933

https://bugzilla.suse.com/show_bug.cgi?id=973378

https://bugzilla.suse.com/show_bug.cgi?id=973499

https://bugzilla.suse.com/show_bug.cgi?id=974165

https://bugzilla.suse.com/show_bug.cgi?id=974308

https://bugzilla.suse.com/show_bug.cgi?id=974620

https://bugzilla.suse.com/show_bug.cgi?id=975531

https://bugzilla.suse.com/show_bug.cgi?id=975533

https://bugzilla.suse.com/show_bug.cgi?id=975772

https://bugzilla.suse.com/show_bug.cgi?id=975788

https://bugzilla.suse.com/show_bug.cgi?id=977417

https://bugzilla.suse.com/show_bug.cgi?id=978401

https://bugzilla.suse.com/show_bug.cgi?id=978469

https://bugzilla.suse.com/show_bug.cgi?id=978822

https://bugzilla.suse.com/show_bug.cgi?id=979074

https://bugzilla.suse.com/show_bug.cgi?id=979213

https://bugzilla.suse.com/show_bug.cgi?id=979419

https://bugzilla.suse.com/show_bug.cgi?id=979485

https://bugzilla.suse.com/show_bug.cgi?id=979489

https://bugzilla.suse.com/show_bug.cgi?id=979521

https://bugzilla.suse.com/show_bug.cgi?id=979548

https://bugzilla.suse.com/show_bug.cgi?id=979681

https://bugzilla.suse.com/show_bug.cgi?id=979867

https://bugzilla.suse.com/show_bug.cgi?id=979879

https://bugzilla.suse.com/show_bug.cgi?id=979922

https://bugzilla.suse.com/show_bug.cgi?id=980348

https://bugzilla.suse.com/show_bug.cgi?id=980363

https://bugzilla.suse.com/show_bug.cgi?id=980371

https://bugzilla.suse.com/show_bug.cgi?id=980856

https://bugzilla.suse.com/show_bug.cgi?id=980883

https://bugzilla.suse.com/show_bug.cgi?id=981038

https://bugzilla.suse.com/show_bug.cgi?id=981143

https://bugzilla.suse.com/show_bug.cgi?id=981344

https://bugzilla.suse.com/show_bug.cgi?id=981597

https://bugzilla.suse.com/show_bug.cgi?id=982282

https://bugzilla.suse.com/show_bug.cgi?id=982354

https://bugzilla.suse.com/show_bug.cgi?id=982544

https://bugzilla.suse.com/show_bug.cgi?id=982698

https://bugzilla.suse.com/show_bug.cgi?id=983143

https://bugzilla.suse.com/show_bug.cgi?id=983213

https://bugzilla.suse.com/show_bug.cgi?id=983318

https://bugzilla.suse.com/show_bug.cgi?id=983721

https://bugzilla.suse.com/show_bug.cgi?id=983904

https://bugzilla.suse.com/show_bug.cgi?id=983977

https://bugzilla.suse.com/show_bug.cgi?id=984148

https://bugzilla.suse.com/show_bug.cgi?id=984456

https://bugzilla.suse.com/show_bug.cgi?id=984755

https://bugzilla.suse.com/show_bug.cgi?id=984764

https://bugzilla.suse.com/show_bug.cgi?id=985232

https://bugzilla.suse.com/show_bug.cgi?id=985978

https://bugzilla.suse.com/show_bug.cgi?id=986362

https://bugzilla.suse.com/show_bug.cgi?id=986365

https://bugzilla.suse.com/show_bug.cgi?id=986569

https://bugzilla.suse.com/show_bug.cgi?id=986572

https://bugzilla.suse.com/show_bug.cgi?id=986573

https://bugzilla.suse.com/show_bug.cgi?id=986811

https://bugzilla.suse.com/show_bug.cgi?id=988215

https://bugzilla.suse.com/show_bug.cgi?id=988498

https://bugzilla.suse.com/show_bug.cgi?id=988552

https://bugzilla.suse.com/show_bug.cgi?id=990058

https://www.suse.com/security/cve/CVE-2014-9904/

https://www.suse.com/security/cve/CVE-2015-7833/

https://www.suse.com/security/cve/CVE-2015-8551/

https://www.suse.com/security/cve/CVE-2015-8552/

https://www.suse.com/security/cve/CVE-2015-8845/

https://www.suse.com/security/cve/CVE-2016-0758/

https://www.suse.com/security/cve/CVE-2016-1583/

https://www.suse.com/security/cve/CVE-2016-2053/

https://www.suse.com/security/cve/CVE-2016-3672/

https://www.suse.com/security/cve/CVE-2016-4470/

https://www.suse.com/security/cve/CVE-2016-4482/

https://www.suse.com/security/cve/CVE-2016-4486/

https://www.suse.com/security/cve/CVE-2016-4565/

https://www.suse.com/security/cve/CVE-2016-4569/

https://www.suse.com/security/cve/CVE-2016-4578/

https://www.suse.com/security/cve/CVE-2016-4805/

https://www.suse.com/security/cve/CVE-2016-4997/

https://www.suse.com/security/cve/CVE-2016-4998/

https://www.suse.com/security/cve/CVE-2016-5244/

https://www.suse.com/security/cve/CVE-2016-5828/

https://www.suse.com/security/cve/CVE-2016-5829/

http://www.nessus.org/u?866069b9

Plugin Details

Severity: High

ID: 93299

File Name: suse_SU-2016-2105-1.nasl

Version: 2.9

Type: local

Agent: unix

Published: 2016/09/02

Updated: 2018/11/29

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debugsource, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-extra, p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-xen-base, p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo, p-cpe:/a:novell:suse_linux:kernel-xen-debugsource, p-cpe:/a:novell:suse_linux:kernel-xen-devel, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/08/19

Exploitable With

Metasploit (Linux Kernel 4.6.3 Netfilter Privilege Escalation)

Reference Information

CVE: CVE-2014-9904, CVE-2015-7833, CVE-2015-8551, CVE-2015-8552, CVE-2015-8845, CVE-2016-0758, CVE-2016-1583, CVE-2016-2053, CVE-2016-3672, CVE-2016-4470, CVE-2016-4482, CVE-2016-4486, CVE-2016-4565, CVE-2016-4569, CVE-2016-4578, CVE-2016-4805, CVE-2016-4997, CVE-2016-4998, CVE-2016-5244, CVE-2016-5828, CVE-2016-5829