SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0471-1)
high Nessus Plugin ID 97205
New! Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.
VPR Score: 7.4
Synopsis
The remote SUSE host is missing one or more security updates.Description
The SUSE Linux Enterprise 12 GA LTSS kernel was updated to 3.12.61 to receive various security and bugfixes. The following feature was implemented :- The ext2 filesystem got reenabled and supported to allow support for 'XIP' (Execute In Place) (FATE#320805). The following security bugs were fixed :
- CVE-2017-5551: The tmpfs filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bsc#1021258).
- CVE-2016-7097: The filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968).
- CVE-2017-2583: A Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. A user/process inside guest could have used this flaw to crash the guest resulting in DoS or potentially escalate their privileges inside guest. (bsc#1020602).
- CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt (bnc#1019851).
- CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c.
NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710).
- CVE-2016-8645: The TCP stack in the Linux kernel mishandled skb truncation, which allowed local users to cause a denial of service (system crash) via a crafted application that made sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (bnc#1009969).
- CVE-2016-8399: An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. Product:
Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
A-31349935 (bnc#1014746).
- CVE-2016-9806: Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel allowed local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that made sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated (bnc#1013540).
- CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038).
- CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531).
- CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716).
- CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).
- CVE-2016-7913: The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure (bnc#1010478).
- CVE-2016-7911: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711).
- CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507).
- CVE-2015-8963: Race condition in kernel/events/core.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation (bnc#1010502).
- CVE-2016-7914: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel did not check whether a slot is a leaf, which allowed local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite (bnc#1010475).
- CVE-2016-8633: drivers/firewire/net.c in the Linux kernel allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833).
- CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux kernel allowed local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine confusion bug (bnc#1007197).
- CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel misused the kzalloc function, which allowed local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file (bnc#1007197).
- CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel uses an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517).
- CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).
- CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462).
- CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
- CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation (bnc#994748).
- CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296).
- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for remote attackers to hijack TCP sessions via a blind in-window attack (bnc#989152).
- CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by changing a certain length value, aka a 'double fetch' vulnerability (bnc#987542).
- CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608).
- CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986362 bnc#986365).
- CVE-2016-5828: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call (bnc#986569).
- CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).
- CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572).
- CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755).
The update package also includes non-security fixes. See advisory for details.
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
To install this SUSE Security Update use YaST online_update.Alternatively you can run the command listed for your product :
SUSE Linux Enterprise Server for SAP 12:zypper in -t patch SUSE-SLE-SAP-12-2017-247=1
SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2017-247=1
SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-247=1
To bring your system up-to-date, use 'zypper patch'.
See Also
https://bugzilla.suse.com/show_bug.cgi?id=1003153
https://bugzilla.suse.com/show_bug.cgi?id=1003925
https://bugzilla.suse.com/show_bug.cgi?id=1004462
https://bugzilla.suse.com/show_bug.cgi?id=1004517
https://bugzilla.suse.com/show_bug.cgi?id=1005666
https://bugzilla.suse.com/show_bug.cgi?id=1007197
https://bugzilla.suse.com/show_bug.cgi?id=1008833
https://bugzilla.suse.com/show_bug.cgi?id=1008979
https://bugzilla.suse.com/show_bug.cgi?id=1009969
https://bugzilla.suse.com/show_bug.cgi?id=1010040
https://bugzilla.suse.com/show_bug.cgi?id=1010475
https://bugzilla.suse.com/show_bug.cgi?id=1010478
https://bugzilla.suse.com/show_bug.cgi?id=1010501
https://bugzilla.suse.com/show_bug.cgi?id=1010502
https://bugzilla.suse.com/show_bug.cgi?id=1010507
https://bugzilla.suse.com/show_bug.cgi?id=1010612
https://bugzilla.suse.com/show_bug.cgi?id=1010711
https://bugzilla.suse.com/show_bug.cgi?id=1010716
https://bugzilla.suse.com/show_bug.cgi?id=1011820
https://bugzilla.suse.com/show_bug.cgi?id=1012422
https://bugzilla.suse.com/show_bug.cgi?id=1013038
https://bugzilla.suse.com/show_bug.cgi?id=1013531
https://bugzilla.suse.com/show_bug.cgi?id=1013540
https://bugzilla.suse.com/show_bug.cgi?id=1013542
https://bugzilla.suse.com/show_bug.cgi?id=1014746
https://bugzilla.suse.com/show_bug.cgi?id=1016482
https://bugzilla.suse.com/show_bug.cgi?id=1017410
https://bugzilla.suse.com/show_bug.cgi?id=1017589
https://bugzilla.suse.com/show_bug.cgi?id=1017710
https://bugzilla.suse.com/show_bug.cgi?id=1019300
https://bugzilla.suse.com/show_bug.cgi?id=1019851
https://bugzilla.suse.com/show_bug.cgi?id=1020602
https://bugzilla.suse.com/show_bug.cgi?id=1021258
https://bugzilla.suse.com/show_bug.cgi?id=881008
https://bugzilla.suse.com/show_bug.cgi?id=915183
https://bugzilla.suse.com/show_bug.cgi?id=958606
https://bugzilla.suse.com/show_bug.cgi?id=961257
https://bugzilla.suse.com/show_bug.cgi?id=970083
https://bugzilla.suse.com/show_bug.cgi?id=971989
https://bugzilla.suse.com/show_bug.cgi?id=976195
https://bugzilla.suse.com/show_bug.cgi?id=978094
https://bugzilla.suse.com/show_bug.cgi?id=980371
https://bugzilla.suse.com/show_bug.cgi?id=980560
https://bugzilla.suse.com/show_bug.cgi?id=981038
https://bugzilla.suse.com/show_bug.cgi?id=981597
https://bugzilla.suse.com/show_bug.cgi?id=981709
https://bugzilla.suse.com/show_bug.cgi?id=982282
https://bugzilla.suse.com/show_bug.cgi?id=982544
https://bugzilla.suse.com/show_bug.cgi?id=983619
https://bugzilla.suse.com/show_bug.cgi?id=983721
https://bugzilla.suse.com/show_bug.cgi?id=983977
https://bugzilla.suse.com/show_bug.cgi?id=984148
https://bugzilla.suse.com/show_bug.cgi?id=984419
https://bugzilla.suse.com/show_bug.cgi?id=984755
https://bugzilla.suse.com/show_bug.cgi?id=985978
https://bugzilla.suse.com/show_bug.cgi?id=986362
https://bugzilla.suse.com/show_bug.cgi?id=986365
https://bugzilla.suse.com/show_bug.cgi?id=986445
https://bugzilla.suse.com/show_bug.cgi?id=986569
https://bugzilla.suse.com/show_bug.cgi?id=986572
https://bugzilla.suse.com/show_bug.cgi?id=986811
https://bugzilla.suse.com/show_bug.cgi?id=986941
https://bugzilla.suse.com/show_bug.cgi?id=987542
https://bugzilla.suse.com/show_bug.cgi?id=987565
https://bugzilla.suse.com/show_bug.cgi?id=987576
https://bugzilla.suse.com/show_bug.cgi?id=989152
https://bugzilla.suse.com/show_bug.cgi?id=990384
https://bugzilla.suse.com/show_bug.cgi?id=991608
https://bugzilla.suse.com/show_bug.cgi?id=991665
https://bugzilla.suse.com/show_bug.cgi?id=993392
https://bugzilla.suse.com/show_bug.cgi?id=993890
https://bugzilla.suse.com/show_bug.cgi?id=993891
https://bugzilla.suse.com/show_bug.cgi?id=994296
https://bugzilla.suse.com/show_bug.cgi?id=994748
https://bugzilla.suse.com/show_bug.cgi?id=994881
https://bugzilla.suse.com/show_bug.cgi?id=995968
https://bugzilla.suse.com/show_bug.cgi?id=997708
https://bugzilla.suse.com/show_bug.cgi?id=998795
https://bugzilla.suse.com/show_bug.cgi?id=999584
https://bugzilla.suse.com/show_bug.cgi?id=999600
https://bugzilla.suse.com/show_bug.cgi?id=999932
https://bugzilla.suse.com/show_bug.cgi?id=999943
https://www.suse.com/security/cve/CVE-2014-9904/
https://www.suse.com/security/cve/CVE-2015-8956/
https://www.suse.com/security/cve/CVE-2015-8962/
https://www.suse.com/security/cve/CVE-2015-8963/
https://www.suse.com/security/cve/CVE-2015-8964/
https://www.suse.com/security/cve/CVE-2016-10088/
https://www.suse.com/security/cve/CVE-2016-4470/
https://www.suse.com/security/cve/CVE-2016-4998/
https://www.suse.com/security/cve/CVE-2016-5696/
https://www.suse.com/security/cve/CVE-2016-5828/
https://www.suse.com/security/cve/CVE-2016-5829/
https://www.suse.com/security/cve/CVE-2016-6130/
https://www.suse.com/security/cve/CVE-2016-6327/
https://www.suse.com/security/cve/CVE-2016-6480/
https://www.suse.com/security/cve/CVE-2016-6828/
https://www.suse.com/security/cve/CVE-2016-7042/
https://www.suse.com/security/cve/CVE-2016-7097/
https://www.suse.com/security/cve/CVE-2016-7425/
https://www.suse.com/security/cve/CVE-2016-7910/
https://www.suse.com/security/cve/CVE-2016-7911/
https://www.suse.com/security/cve/CVE-2016-7913/
https://www.suse.com/security/cve/CVE-2016-7914/
https://www.suse.com/security/cve/CVE-2016-8399/
https://www.suse.com/security/cve/CVE-2016-8633/
https://www.suse.com/security/cve/CVE-2016-8645/
https://www.suse.com/security/cve/CVE-2016-8658/
https://www.suse.com/security/cve/CVE-2016-9083/
https://www.suse.com/security/cve/CVE-2016-9084/
https://www.suse.com/security/cve/CVE-2016-9756/
https://www.suse.com/security/cve/CVE-2016-9793/
https://www.suse.com/security/cve/CVE-2016-9806/
https://www.suse.com/security/cve/CVE-2017-2583/
https://www.suse.com/security/cve/CVE-2017-2584/
Plugin Details
Severity: High
ID: 97205
File Name: suse_SU-2017-0471-1.nasl
Version: 3.10
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 2/16/2017
Updated: 1/6/2021
Dependencies: ssh_get_info.nasl
Risk Information
Risk Factor: High
VPR Score: 7.4
CVSS v2.0
Base Score: 9.3
Temporal Score: 7.7
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal Vector: E:F/RL:OF/RC:C
CVSS v3.0
Base Score: 8.4
Temporal Score: 7.8
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: E:F/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:kernel-default, p-cpe:/a:novell:suse_linux:kernel-default-base, p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debuginfo, p-cpe:/a:novell:suse_linux:kernel-default-debugsource, p-cpe:/a:novell:suse_linux:kernel-default-devel, p-cpe:/a:novell:suse_linux:kernel-default-man, p-cpe:/a:novell:suse_linux:kernel-syms, p-cpe:/a:novell:suse_linux:kernel-xen, p-cpe:/a:novell:suse_linux:kernel-xen-base, p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo, p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo, p-cpe:/a:novell:suse_linux:kernel-xen-debugsource, p-cpe:/a:novell:suse_linux:kernel-xen-devel, p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-default, p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-xen, cpe:/o:novell:suse_linux:12
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 2/15/2017
Vulnerability Publication Date: 6/27/2016
Exploitable With
Core Impact
Metasploit (Linux Kernel 4.6.3 Netfilter Privilege Escalation)
Reference Information
CVE: CVE-2014-9904, CVE-2015-8956, CVE-2015-8962, CVE-2015-8963, CVE-2015-8964, CVE-2016-10088, CVE-2016-4470, CVE-2016-4998, CVE-2016-5696, CVE-2016-5828, CVE-2016-5829, CVE-2016-6130, CVE-2016-6327, CVE-2016-6480, CVE-2016-6828, CVE-2016-7042, CVE-2016-7097, CVE-2016-7425, CVE-2016-7910, CVE-2016-7911, CVE-2016-7913, CVE-2016-7914, CVE-2016-8399, CVE-2016-8633, CVE-2016-8645, CVE-2016-8658, CVE-2016-9083, CVE-2016-9084, CVE-2016-9576, CVE-2016-9756, CVE-2016-9793, CVE-2016-9806, CVE-2017-2583, CVE-2017-2584, CVE-2017-5551