openSUSE Security Update : the Linux Kernel (openSUSE-2016-1428)

Critical Nessus Plugin ID 95702

Synopsis

The remote openSUSE host is missing a security update.

Description

The openSUSE Leap 42.1 kernel was updated to 4.1.36 to receive various security and bugfixes.

The following security bugs were fixed :

- CVE-2016-8655: A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges (bsc#1012754).

- CVE-2016-9794: A use-after-free in ALSA pcm could lead to crashes or allowed local users to potentially gain privileges (bsc#1013533).

- CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).

- CVE-2016-9178: The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel did not initialize a certain integer variable, which allowed local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call (bnc#1008650).

- CVE-2016-7913: The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure (bnc#1010478).

- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685).

- CVE-2015-8963: Race condition in kernel/events/core.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation (bnc#1010502).

- CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507).

- CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the Linux kernel allowed local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data (bnc#1010150).

- CVE-2016-8633: drivers/firewire/net.c in the Linux kernel in certain unusual hardware configurations, allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833).

- CVE-2016-8630: The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel, when KVM is enabled, allowed local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction (bnc#1009222).

- CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux kernel allowed local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine confusion bug (bnc#1007197).

- CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel misuses the kzalloc function, which allowed local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file (bnc#1007197).

- CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517).

- CVE-2016-7097: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968).

- CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).

The following non-security bugs were fixed :

- ata: ahci_xgene: dereferencing uninitialized pointer in probe (bsc#1006580).

- blacklist.conf: add some commits (bsc#1006580)

- bna: Add synchronization for tx ring (bsc#993739).

- bonding: set carrier off for devices created through netlink (bsc#999577).

- btrfs: deal with duplicates during extent_map insertion in btrfs_get_extent (bsc#1001171).

- btrfs: deal with existing encompassing extent map in btrfs_get_extent() (bsc#1001171).

- btrfs: fix extent tree corruption due to relocation (bsc#990384).

- btrfs: fix races on root_log_ctx lists (bsc#1007653).

- ext4: fix data exposure after a crash (bsc#1012876).

- ext4: fix reference counting bug on block allocation error (bsc#1012876).

- gre: Disable segmentation offloads w/ CSUM and we are encapsulated via FOU (bsc#1001486).

- gro: Allow tunnel stacking in the case of FOU/GUE (bsc#1001486).

- ipv6: send NEWLINK on RA managed/otherconf changes (bsc#934067).

- ipv6: send only one NEWLINK when RA causes changes (bsc#934067).

- isofs: Do not return EACCES for unknown filesystems (bsc#1012876).

- jbd2: fix checkpoint list cleanup (bsc#1012876).

- jbd2: Fix unreclaimed pages after truncate in data=journal mode (bsc#1010909).

- locking/static_key: Fix concurrent static_key_slow_inc() (bsc#1006580).

- mmc: Fix kabi breakage of mmc-block in 4.1.36 (stable-4.1.36).

- posix_acl: Added fix for f2fs.

- Revert 'kbuild: add -fno-PIE' (stable-4.1.36).

- Revert 'x86/mm: Expand the exception table logic to allow new handling options' (stable-4.1.36).

- tunnels: Remove encapsulation offloads on decap (bsc#1001486).

- usbhid: add ATEN CS962 to list of quirky devices (bsc#1007615).

- vmxnet3: Wake queue from reset work (bsc#999907).

Solution

Update the affected the Linux Kernel packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1001171

https://bugzilla.opensuse.org/show_bug.cgi?id=1001486

https://bugzilla.opensuse.org/show_bug.cgi?id=1003925

https://bugzilla.opensuse.org/show_bug.cgi?id=1004517

https://bugzilla.opensuse.org/show_bug.cgi?id=1006580

https://bugzilla.opensuse.org/show_bug.cgi?id=1007197

https://bugzilla.opensuse.org/show_bug.cgi?id=1007615

https://bugzilla.opensuse.org/show_bug.cgi?id=1007653

https://bugzilla.opensuse.org/show_bug.cgi?id=1008650

https://bugzilla.opensuse.org/show_bug.cgi?id=1008833

https://bugzilla.opensuse.org/show_bug.cgi?id=1009222

https://bugzilla.opensuse.org/show_bug.cgi?id=1010040

https://bugzilla.opensuse.org/show_bug.cgi?id=1010150

https://bugzilla.opensuse.org/show_bug.cgi?id=1010478

https://bugzilla.opensuse.org/show_bug.cgi?id=1010501

https://bugzilla.opensuse.org/show_bug.cgi?id=1010502

https://bugzilla.opensuse.org/show_bug.cgi?id=1010507

https://bugzilla.opensuse.org/show_bug.cgi?id=1010909

https://bugzilla.opensuse.org/show_bug.cgi?id=1011685

https://bugzilla.opensuse.org/show_bug.cgi?id=1012754

https://bugzilla.opensuse.org/show_bug.cgi?id=1012876

https://bugzilla.opensuse.org/show_bug.cgi?id=1013533

https://bugzilla.opensuse.org/show_bug.cgi?id=934067

https://bugzilla.opensuse.org/show_bug.cgi?id=990384

https://bugzilla.opensuse.org/show_bug.cgi?id=993739

https://bugzilla.opensuse.org/show_bug.cgi?id=995968

https://bugzilla.opensuse.org/show_bug.cgi?id=999577

https://bugzilla.opensuse.org/show_bug.cgi?id=999907

Plugin Details

Severity: Critical

ID: 95702

File Name: openSUSE-2016-1428.nasl

Version: 3.5

Type: local

Agent: unix

Published: 2016/12/12

Updated: 2019/04/11

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:drbd, p-cpe:/a:novell:opensuse:drbd-debugsource, p-cpe:/a:novell:opensuse:drbd-kmp-default, p-cpe:/a:novell:opensuse:drbd-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:drbd-kmp-pv, p-cpe:/a:novell:opensuse:drbd-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:drbd-kmp-xen, p-cpe:/a:novell:opensuse:drbd-kmp-xen-debuginfo, p-cpe:/a:novell:opensuse:hdjmod-debugsource, p-cpe:/a:novell:opensuse:hdjmod-kmp-default, p-cpe:/a:novell:opensuse:hdjmod-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:hdjmod-kmp-pae, p-cpe:/a:novell:opensuse:hdjmod-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:hdjmod-kmp-pv, p-cpe:/a:novell:opensuse:hdjmod-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:hdjmod-kmp-xen, p-cpe:/a:novell:opensuse:hdjmod-kmp-xen-debuginfo, p-cpe:/a:novell:opensuse:ipset, p-cpe:/a:novell:opensuse:ipset-debuginfo, p-cpe:/a:novell:opensuse:ipset-debugsource, p-cpe:/a:novell:opensuse:ipset-devel, p-cpe:/a:novell:opensuse:ipset-kmp-default, p-cpe:/a:novell:opensuse:ipset-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:ipset-kmp-pae, p-cpe:/a:novell:opensuse:ipset-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:ipset-kmp-pv, p-cpe:/a:novell:opensuse:ipset-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:ipset-kmp-xen, p-cpe:/a:novell:opensuse:ipset-kmp-xen-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug, p-cpe:/a:novell:opensuse:kernel-debug-base, p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debugsource, p-cpe:/a:novell:opensuse:kernel-debug-devel, p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo, p-cpe:/a:novell:opensuse:kernel-default, p-cpe:/a:novell:opensuse:kernel-default-base, p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-debugsource, p-cpe:/a:novell:opensuse:kernel-default-devel, p-cpe:/a:novell:opensuse:kernel-devel, p-cpe:/a:novell:opensuse:kernel-docs-html, p-cpe:/a:novell:opensuse:kernel-docs-pdf, p-cpe:/a:novell:opensuse:kernel-ec2, p-cpe:/a:novell:opensuse:kernel-ec2-base, p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-debugsource, p-cpe:/a:novell:opensuse:kernel-ec2-devel, p-cpe:/a:novell:opensuse:kernel-macros, p-cpe:/a:novell:opensuse:kernel-obs-build, p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource, p-cpe:/a:novell:opensuse:kernel-obs-qa, p-cpe:/a:novell:opensuse:kernel-pae, p-cpe:/a:novell:opensuse:kernel-pae-base, p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debugsource, p-cpe:/a:novell:opensuse:kernel-pae-devel, p-cpe:/a:novell:opensuse:kernel-pv, p-cpe:/a:novell:opensuse:kernel-pv-base, p-cpe:/a:novell:opensuse:kernel-pv-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-debugsource, p-cpe:/a:novell:opensuse:kernel-pv-devel, p-cpe:/a:novell:opensuse:kernel-source, p-cpe:/a:novell:opensuse:kernel-source-vanilla, p-cpe:/a:novell:opensuse:kernel-syms, p-cpe:/a:novell:opensuse:kernel-vanilla, p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo, p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource, p-cpe:/a:novell:opensuse:kernel-vanilla-devel, p-cpe:/a:novell:opensuse:kernel-xen, p-cpe:/a:novell:opensuse:kernel-xen-base, p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debugsource, p-cpe:/a:novell:opensuse:kernel-xen-devel, p-cpe:/a:novell:opensuse:libipset3, p-cpe:/a:novell:opensuse:libipset3-debuginfo, p-cpe:/a:novell:opensuse:lttng-modules, p-cpe:/a:novell:opensuse:lttng-modules-debugsource, p-cpe:/a:novell:opensuse:lttng-modules-kmp-default, p-cpe:/a:novell:opensuse:lttng-modules-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:lttng-modules-kmp-pv, p-cpe:/a:novell:opensuse:lttng-modules-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:pcfclock, p-cpe:/a:novell:opensuse:pcfclock-debuginfo, p-cpe:/a:novell:opensuse:pcfclock-debugsource, p-cpe:/a:novell:opensuse:pcfclock-kmp-default, p-cpe:/a:novell:opensuse:pcfclock-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:pcfclock-kmp-pae, p-cpe:/a:novell:opensuse:pcfclock-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:pcfclock-kmp-pv, p-cpe:/a:novell:opensuse:pcfclock-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-debugsource, p-cpe:/a:novell:opensuse:vhba-kmp-default, p-cpe:/a:novell:opensuse:vhba-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-pae, p-cpe:/a:novell:opensuse:vhba-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-pv, p-cpe:/a:novell:opensuse:vhba-kmp-pv-debuginfo, p-cpe:/a:novell:opensuse:vhba-kmp-xen, p-cpe:/a:novell:opensuse:vhba-kmp-xen-debuginfo, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/12/08

Exploitable With

Core Impact

Metasploit (AF_PACKET chocobo_root Privilege Escalation)

Reference Information

CVE: CVE-2015-8956, CVE-2015-8962, CVE-2015-8963, CVE-2015-8964, CVE-2016-7042, CVE-2016-7097, CVE-2016-7913, CVE-2016-8630, CVE-2016-8633, CVE-2016-8646, CVE-2016-8655, CVE-2016-9083, CVE-2016-9084, CVE-2016-9178, CVE-2016-9555, CVE-2016-9794