SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2976-1)

critical Nessus Plugin ID 95536

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bug fixes. For the PowerPC64 a new 'bigmem' flavor has been added to support big Power machines. (FATE#319026) The following security bugs were fixed:

- CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517).

- CVE-2016-7097: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968).

- CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).

- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).

- CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759).

- CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

- CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566).

- CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296).

- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for remote attackers to hijack TCP sessions via a blind in-window attack (bnc#989152).

- CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608).

- CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986365).

- CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions (bnc#960689).

- CVE-2013-4312: The Linux kernel allowed local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104 bsc#922947 bsc#968014).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update, use YaST online_update. Alternatively, you can run the command listed for your product:

SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-kernel-12869=1

SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-kernel-12869=1

SUSE Linux Enterprise Server 11-EXTRA: zypper in -t patch slexsp3-kernel-12869=1

SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-kernel-12869=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1000189

https://bugzilla.suse.com/show_bug.cgi?id=1001419

https://bugzilla.suse.com/show_bug.cgi?id=1002165

https://bugzilla.suse.com/show_bug.cgi?id=1003077

https://bugzilla.suse.com/show_bug.cgi?id=1003344

https://bugzilla.suse.com/show_bug.cgi?id=1003568

https://bugzilla.suse.com/show_bug.cgi?id=1003677

https://bugzilla.suse.com/show_bug.cgi?id=1003866

https://bugzilla.suse.com/show_bug.cgi?id=1003925

https://bugzilla.suse.com/show_bug.cgi?id=1004517

https://bugzilla.suse.com/show_bug.cgi?id=1004520

https://bugzilla.suse.com/show_bug.cgi?id=1005857

https://bugzilla.suse.com/show_bug.cgi?id=1005896

https://bugzilla.suse.com/show_bug.cgi?id=1005903

https://bugzilla.suse.com/show_bug.cgi?id=1006917

https://bugzilla.suse.com/show_bug.cgi?id=1006919

https://bugzilla.suse.com/show_bug.cgi?id=1007944

https://bugzilla.suse.com/show_bug.cgi?id=843236

https://bugzilla.suse.com/show_bug.cgi?id=860441

https://bugzilla.suse.com/show_bug.cgi?id=863873

https://bugzilla.suse.com/show_bug.cgi?id=865783

https://bugzilla.suse.com/show_bug.cgi?id=871728

https://bugzilla.suse.com/show_bug.cgi?id=907611

https://bugzilla.suse.com/show_bug.cgi?id=908458

https://bugzilla.suse.com/show_bug.cgi?id=908684

https://bugzilla.suse.com/show_bug.cgi?id=909077

https://bugzilla.suse.com/show_bug.cgi?id=909350

https://bugzilla.suse.com/show_bug.cgi?id=909484

https://bugzilla.suse.com/show_bug.cgi?id=909618

https://bugzilla.suse.com/show_bug.cgi?id=909994

https://bugzilla.suse.com/show_bug.cgi?id=763198

https://bugzilla.suse.com/show_bug.cgi?id=771065

https://bugzilla.suse.com/show_bug.cgi?id=799133

https://bugzilla.suse.com/show_bug.cgi?id=803320

https://bugzilla.suse.com/show_bug.cgi?id=839104

https://bugzilla.suse.com/show_bug.cgi?id=911687

https://bugzilla.suse.com/show_bug.cgi?id=915183

https://bugzilla.suse.com/show_bug.cgi?id=920016

https://bugzilla.suse.com/show_bug.cgi?id=922634

https://bugzilla.suse.com/show_bug.cgi?id=922947

https://bugzilla.suse.com/show_bug.cgi?id=928138

https://bugzilla.suse.com/show_bug.cgi?id=929141

https://bugzilla.suse.com/show_bug.cgi?id=934760

https://bugzilla.suse.com/show_bug.cgi?id=951392

https://bugzilla.suse.com/show_bug.cgi?id=956514

https://bugzilla.suse.com/show_bug.cgi?id=960689

https://bugzilla.suse.com/show_bug.cgi?id=963655

https://bugzilla.suse.com/show_bug.cgi?id=967716

https://bugzilla.suse.com/show_bug.cgi?id=968010

https://bugzilla.suse.com/show_bug.cgi?id=968014

https://bugzilla.suse.com/show_bug.cgi?id=971975

https://bugzilla.suse.com/show_bug.cgi?id=971989

https://bugzilla.suse.com/show_bug.cgi?id=973203

https://bugzilla.suse.com/show_bug.cgi?id=974620

https://bugzilla.suse.com/show_bug.cgi?id=976867

https://bugzilla.suse.com/show_bug.cgi?id=977687

https://bugzilla.suse.com/show_bug.cgi?id=979514

https://bugzilla.suse.com/show_bug.cgi?id=979595

https://bugzilla.suse.com/show_bug.cgi?id=979681

https://bugzilla.suse.com/show_bug.cgi?id=980371

https://bugzilla.suse.com/show_bug.cgi?id=982218

https://bugzilla.suse.com/show_bug.cgi?id=982783

https://bugzilla.suse.com/show_bug.cgi?id=983535

https://bugzilla.suse.com/show_bug.cgi?id=983619

https://bugzilla.suse.com/show_bug.cgi?id=984102

https://bugzilla.suse.com/show_bug.cgi?id=984194

https://bugzilla.suse.com/show_bug.cgi?id=984992

https://bugzilla.suse.com/show_bug.cgi?id=985206

https://bugzilla.suse.com/show_bug.cgi?id=986337

https://bugzilla.suse.com/show_bug.cgi?id=986362

https://bugzilla.suse.com/show_bug.cgi?id=986365

https://bugzilla.suse.com/show_bug.cgi?id=986445

https://bugzilla.suse.com/show_bug.cgi?id=987565

https://bugzilla.suse.com/show_bug.cgi?id=988440

https://bugzilla.suse.com/show_bug.cgi?id=989152

https://bugzilla.suse.com/show_bug.cgi?id=989261

https://bugzilla.suse.com/show_bug.cgi?id=989764

https://bugzilla.suse.com/show_bug.cgi?id=989779

https://bugzilla.suse.com/show_bug.cgi?id=991608

https://bugzilla.suse.com/show_bug.cgi?id=991665

https://bugzilla.suse.com/show_bug.cgi?id=991923

https://bugzilla.suse.com/show_bug.cgi?id=992566

https://bugzilla.suse.com/show_bug.cgi?id=993127

https://bugzilla.suse.com/show_bug.cgi?id=993890

https://bugzilla.suse.com/show_bug.cgi?id=993891

https://bugzilla.suse.com/show_bug.cgi?id=994296

https://bugzilla.suse.com/show_bug.cgi?id=994436

https://bugzilla.suse.com/show_bug.cgi?id=994618

https://bugzilla.suse.com/show_bug.cgi?id=994759

https://bugzilla.suse.com/show_bug.cgi?id=994926

https://bugzilla.suse.com/show_bug.cgi?id=995968

https://bugzilla.suse.com/show_bug.cgi?id=996329

https://bugzilla.suse.com/show_bug.cgi?id=996664

https://bugzilla.suse.com/show_bug.cgi?id=997708

https://bugzilla.suse.com/show_bug.cgi?id=998399

https://bugzilla.suse.com/show_bug.cgi?id=998689

https://bugzilla.suse.com/show_bug.cgi?id=999584

https://bugzilla.suse.com/show_bug.cgi?id=999600

https://bugzilla.suse.com/show_bug.cgi?id=999907

https://bugzilla.suse.com/show_bug.cgi?id=999932

https://www.suse.com/security/cve/CVE-2013-4312/

https://www.suse.com/security/cve/CVE-2015-7513/

https://www.suse.com/security/cve/CVE-2015-8956/

https://www.suse.com/security/cve/CVE-2016-0823/

https://www.suse.com/security/cve/CVE-2016-3841/

https://www.suse.com/security/cve/CVE-2016-4998/

https://www.suse.com/security/cve/CVE-2016-5696/

https://www.suse.com/security/cve/CVE-2016-6480/

https://www.suse.com/security/cve/CVE-2016-6828/

https://www.suse.com/security/cve/CVE-2016-7042/

https://www.suse.com/security/cve/CVE-2016-7097/

https://www.suse.com/security/cve/CVE-2016-7117/

https://www.suse.com/security/cve/CVE-2016-7425/

http://www.nessus.org/u?eecf460c

Plugin Details

Severity: Critical

ID: 95536

File Name: suse_SU-2016-2976-1.nasl

Version: 3.10

Type: local

Agent: unix

Published: 12/5/2016

Updated: 1/19/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-ec2, p-cpe:/a:novell:suse_linux:kernel-ec2-base, p-cpe:/a:novell:suse_linux:kernel-ec2-devel, p-cpe:/a:novell:suse_linux:kernel-pae, p-cpe:/a:novell:suse_linux:kernel-pae-base, p-cpe:/a:novell:suse_linux:kernel-pae-devel, p-cpe:/a:novell:suse_linux:kernel-source, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-trace, p-cpe:/a:novell:suse_linux:kernel-trace-base, p-cpe:/a:novell:suse_linux:kernel-trace-devel, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-xen-base, p-cpe:/a:novell:suse_linux:kernel-xen-devel, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/2/2016

Vulnerability Publication Date: 2/8/2016

Exploitable With

Metasploit (Linux Kernel 4.6.3 Netfilter Privilege Escalation)

Reference Information

CVE: CVE-2013-4312, CVE-2015-7513, CVE-2015-8956, CVE-2016-0823, CVE-2016-3841, CVE-2016-4998, CVE-2016-5696, CVE-2016-6480, CVE-2016-6828, CVE-2016-7042, CVE-2016-7097, CVE-2016-7117, CVE-2016-7425