openSUSE Security Update : the Linux Kernel (openSUSE-2017-246)

Critical Nessus Plugin ID 97138

VPR Score: 7.4

Synopsis

The remote openSUSE host is missing a security update.

Description

The openSUSE Leap 42.1 kernel was updated to 4.1.38 to receive various security and bugfixes.

The following security bugs were fixed :

- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).

- CVE-2017-5551: tmpfs: Fixed a bug that could have allowed users to set setgid bits on files they don't own (bsc#1021258).

- CVE-2016-10147: crypto/mcryptd.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5) (bnc#1020381).

- CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710).

- CVE-2016-7917: The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel did not check whether a batch message's length field is large enough, which allowed local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability (bnc#1010444).

- CVE-2016-8645: The TCP stack in the Linux kernel mishandled skb truncation, which allowed local users to cause a denial of service (system crash) via a crafted application that made sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (bnc#1009969).

- CVE-2016-9806: Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel allowed local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that made sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated (bnc#1013540 1017589).

- CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531 1013542).

The following non-security bugs were fixed :

- PCI: generic: Fix pci_remap_iospace() failure path (bsc#1019658).

- bcache: partition support: add 16 minors per bcacheN device (bsc#1019784).

- bnx2x: Correct ringparam estimate when DOWN (bsc#1020214).

- clk: xgene: Do not call __pa on ioremaped address (bsc#1019660).

- kABI workaround for 4.1.37 mount changes (stable-4.1.37).

- kABI: reintroduce sk_filter (bsc#1009969).

- kabi/severities: Ignore inode_change_ok change. It's renamed in 4.1.37 to setattr_prepare().

- mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (bsc#1011820).

- net: introduce __sock_queue_rcv_skb() function (bsc#1009969).

- netback: correct array index (bsc#983348).

- netfront: do not truncate grant references.

- netfront: use correct linear area after linearizing an skb (bsc#1007886).

- reiserfs: fix race in prealloc discard (bsc#987576).

- rose: limit sk_filter trim to payload (bsc#1009969).

- scsi: bfa: Increase requested firmware version to 3.2.5.1 (bsc#1013273).

- xenbus: correctly signal errors from xenstored_local_init() (luckily none so far).

- xenbus: do not invoke ->is_ready() for most device states (bsc#987333).

Solution

Update the affected Linux Kernel packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1003077

https://bugzilla.opensuse.org/show_bug.cgi?id=1007886

https://bugzilla.opensuse.org/show_bug.cgi?id=1009969

https://bugzilla.opensuse.org/show_bug.cgi?id=1010444

https://bugzilla.opensuse.org/show_bug.cgi?id=1011820

https://bugzilla.opensuse.org/show_bug.cgi?id=1013273

https://bugzilla.opensuse.org/show_bug.cgi?id=1013531

https://bugzilla.opensuse.org/show_bug.cgi?id=1013540

https://bugzilla.opensuse.org/show_bug.cgi?id=1013542

https://bugzilla.opensuse.org/show_bug.cgi?id=1017589

https://bugzilla.opensuse.org/show_bug.cgi?id=1017710

https://bugzilla.opensuse.org/show_bug.cgi?id=1019658

https://bugzilla.opensuse.org/show_bug.cgi?id=1019660

https://bugzilla.opensuse.org/show_bug.cgi?id=1019784

https://bugzilla.opensuse.org/show_bug.cgi?id=1020214

https://bugzilla.opensuse.org/show_bug.cgi?id=1020381

https://bugzilla.opensuse.org/show_bug.cgi?id=1021258

https://bugzilla.opensuse.org/show_bug.cgi?id=983348

https://bugzilla.opensuse.org/show_bug.cgi?id=987333

https://bugzilla.opensuse.org/show_bug.cgi?id=987576

Plugin Details

Severity: Critical

ID: 97138

File Name: openSUSE-2017-246.nasl

Version: 3.4

Type: local

Agent: unix

Published: 2017/02/14

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 7.4

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:kernel-debug, p-cpe:/a:novell:opensuse:kernel-debug-base, p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debuginfo, p-cpe:/a:novell:opensuse:kernel-debug-debugsource, p-cpe:/a:novell:opensuse:kernel-debug-devel, p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo, p-cpe:/a:novell:opensuse:kernel-default, p-cpe:/a:novell:opensuse:kernel-default-base, p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-debuginfo, p-cpe:/a:novell:opensuse:kernel-default-debugsource, p-cpe:/a:novell:opensuse:kernel-default-devel, p-cpe:/a:novell:opensuse:kernel-devel, p-cpe:/a:novell:opensuse:kernel-docs-html, p-cpe:/a:novell:opensuse:kernel-docs-pdf, p-cpe:/a:novell:opensuse:kernel-ec2, p-cpe:/a:novell:opensuse:kernel-ec2-base, p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo, p-cpe:/a:novell:opensuse:kernel-ec2-debugsource, p-cpe:/a:novell:opensuse:kernel-ec2-devel, p-cpe:/a:novell:opensuse:kernel-macros, p-cpe:/a:novell:opensuse:kernel-obs-build, p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource, p-cpe:/a:novell:opensuse:kernel-obs-qa, p-cpe:/a:novell:opensuse:kernel-pae, p-cpe:/a:novell:opensuse:kernel-pae-base, p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debuginfo, p-cpe:/a:novell:opensuse:kernel-pae-debugsource, p-cpe:/a:novell:opensuse:kernel-pae-devel, p-cpe:/a:novell:opensuse:kernel-pv, p-cpe:/a:novell:opensuse:kernel-pv-base, p-cpe:/a:novell:opensuse:kernel-pv-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-debuginfo, p-cpe:/a:novell:opensuse:kernel-pv-debugsource, p-cpe:/a:novell:opensuse:kernel-pv-devel, p-cpe:/a:novell:opensuse:kernel-source, p-cpe:/a:novell:opensuse:kernel-source-vanilla, p-cpe:/a:novell:opensuse:kernel-syms, p-cpe:/a:novell:opensuse:kernel-vanilla, p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo, 
p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource, p-cpe:/a:novell:opensuse:kernel-vanilla-devel, p-cpe:/a:novell:opensuse:kernel-xen, p-cpe:/a:novell:opensuse:kernel-xen-base, p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debuginfo, p-cpe:/a:novell:opensuse:kernel-xen-debugsource, p-cpe:/a:novell:opensuse:kernel-xen-devel, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/02/13

Exploitable With

Core Impact

Reference Information

CVE: CVE-2016-10088, CVE-2016-10147, CVE-2016-7117, CVE-2016-7917, CVE-2016-8645, CVE-2016-9576, CVE-2016-9793, CVE-2016-9806, CVE-2017-5551