Bugzilla – Bug 885422
VUL-0: CVE-2014-4667: kernel-source: sctp: sk_ack_backlog wrap-around problem
Last modified: 2015-04-30 19:13:19 UTC
CVE-2014-4667 For a TCP-style socket, while processing the COOKIE_ECHO chunk in sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check, a new association would be created in sctp_unpack_cookie(), but afterwards, some processing maybe failed, and sctp_association_free() will be called to free the previously allocated association, in sctp_association_free(), sk_ack_backlog value is decremented for this socket, since the initial value for sk_ack_backlog is 0, after the decrement, it will be 65535, a wrap-around problem happens, and if we want to establish new associations afterward in the same socket, ABORT would be triggered since sctp deem the accept queue as full. A remote attacker can block further connection to the particular sctp server socket by sending a specially crafted sctp packet. Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3217b15a19a4779c39b212358a5c71d725822ee References: https://bugzilla.redhat.com/show_bug.cgi?id=1113967 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4667 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4667
Affected packages: SLE-10-SP3-TERADATA: kernel-source SLE-11-SP1-TERADATA: kernel-source SLE-11-SP3: kernel-source
bugbot adjusting priority
sctp_association_free doesn't check for asoc->temp in SLE10 codebase at all. But it still seems that temporary associations are used so this attack is possible. Should we go and backport de76e695a5ce1 as a prerequisite for this security fix?
Created attachment 597735 [details] patch backported for SLES10-SP3-TD de76e695a5ce1 is not needed. Just checking for list_empty() is enough to fix this on 2.6.16.
SLE12 got this in 3.12.23 stable Pushed to OpenSUSE-12.3, OpenSUSE-13.1 and SLE11-SP3.
pushed to SLES10-SP3-TD. Thank you, Jiri!
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-07-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58208
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-07-17. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58234
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-dummy, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
openSUSE-SU-2014:0957-1: An update that fixes 15 vulnerabilities is now available. Category: security (important) Bug References: 788080,867531,867723,877257,880484,882189,883518,883724,883795,885422,885725 CVE References: CVE-2014-0131,CVE-2014-2309,CVE-2014-3144,CVE-2014-3145,CVE-2014-3917,CVE-2014-4014,CVE-2014-4171,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699 Sources used: openSUSE 12.3 (src): kernel-docs-3.7.10-1.40.2, kernel-source-3.7.10-1.40.1, kernel-syms-3.7.10-1.40.1
openSUSE-SU-2014:0985-1: An update that solves 14 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 768714,851686,855657,866101,867531,867723,879071,880484,882189,883518,883724,883795,884840,885422,885725,886629 CVE References: CVE-2014-0100,CVE-2014-0131,CVE-2014-2309,CVE-2014-3917,CVE-2014-4014,CVE-2014-4171,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699 Sources used: openSUSE 13.1 (src): cloop-2.639-11.13.1, crash-7.0.2-2.13.1, hdjmod-1.28-16.13.1, ipset-6.21.1-2.17.1, iscsitarget-1.4.20.3-13.13.1, kernel-docs-3.11.10-21.3, kernel-source-3.11.10-21.1, kernel-syms-3.11.10-21.1, ndiswrapper-1.58-13.1, pcfclock-0.44-258.13.1, vhba-kmp-20130607-2.14.1, virtualbox-4.2.18-2.18.1, xen-4.3.2_01-21.1, xtables-addons-2.3-2.13.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-09-03. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58726
SUSE-SU-2014:1105-1: An update that solves 18 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 846404,864464,866911,870173,870576,871676,871797,871854,872634,873374,876590,877257,877775,878115,878509,879921,880484,881051,882804,883724,883795,885422,885725,886474,889173,889324 CVE References: CVE-2013-4299,CVE-2014-0055,CVE-2014-0077,CVE-2014-1739,CVE-2014-2706,CVE-2014-2851,CVE-2014-3144,CVE-2014-3145,CVE-2014-3917,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699,CVE-2014-5077 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): kernel-default-3.0.101-0.7.23.1, kernel-ec2-3.0.101-0.7.23.1, kernel-pae-3.0.101-0.7.23.1, kernel-source-3.0.101-0.7.23.1, kernel-syms-3.0.101-0.7.23.1, kernel-trace-3.0.101-0.7.23.1, kernel-xen-3.0.101-0.7.23.1, xen-4.1.6_06-0.5.30 SLE 11 SERVER Unsupported Extras (src): kernel-default-3.0.101-0.7.23.1, kernel-pae-3.0.101-0.7.23.1, kernel-xen-3.0.101-0.7.23.1
SUSE-SU-2014:1138-1: An update that fixes 22 vulnerabilities is now available. Category: security (important) Bug References: 794824,806431,831058,854722,856756,871797,877257,879921,880484,881051,882809,883526,883724,883795,884530,885422,885725,887082,889173,892490 CVE References: CVE-2013-1860,CVE-2013-4162,CVE-2013-7266,CVE-2013-7267,CVE-2013-7268,CVE-2013-7269,CVE-2013-7270,CVE-2013-7271,CVE-2014-0203,CVE-2014-3144,CVE-2014-3145,CVE-2014-3917,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699,CVE-2014-4943,CVE-2014-5077 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): kernel-default-2.6.32.59-0.15.2, kernel-ec2-2.6.32.59-0.15.2, kernel-pae-2.6.32.59-0.15.2, kernel-source-2.6.32.59-0.15.2, kernel-syms-2.6.32.59-0.15.2, kernel-trace-2.6.32.59-0.15.2, kernel-xen-2.6.32.59-0.15.2, xen-4.0.3_21548_16-0.5.26 SLE 11 SERVER Unsupported Extras (src): kernel-default-2.6.32.59-0.15.2, kernel-pae-2.6.32.59-0.15.2, kernel-xen-2.6.32.59-0.15.2
openSUSE-SU-2014:1246-1: An update that solves 18 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 846404,854722,864464,866911,870173,870576,871676,871797,871854,872634,873374,876590,877257,878115,878509,879921,880484,881051,882804,883724,883795,885422,885725,886474,889173,889324 CVE References: CVE-2013-6463,CVE-2014-0055,CVE-2014-0077,CVE-2014-1739,CVE-2014-2706,CVE-2014-2851,CVE-2014-3144,CVE-2014-3145,CVE-2014-3917,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699,CVE-2014-5077 Sources used: openSUSE Evergreen 11.4 (src): kernel-docs-3.0.101-91.2, kernel-source-3.0.101-91.1, kernel-syms-3.0.101-91.1, preload-1.2-6.69.2
SUSE-SU-2014:1316-1: An update that solves 11 vulnerabilities and has 64 fixes is now available. Category: security (important) Bug References: 774818,806990,816708,826486,832309,849123,855657,859840,860441,860593,863586,866130,866615,866864,866911,869055,869934,870161,871797,876017,876055,876114,876590,879921,880344,880370,881051,881759,882317,882639,882804,882900,883376,883518,883724,884333,884582,884725,884767,885262,885382,885422,885509,886840,887082,887503,887608,887645,887680,888058,888105,888591,888607,888847,888849,888968,889061,889173,889451,889614,889727,890297,890426,890513,890526,891087,891259,891619,892200,892490,892723,893064,893496,893596,894200 CVE References: CVE-2013-1979,CVE-2014-1739,CVE-2014-2706,CVE-2014-4027,CVE-2014-4171,CVE-2014-4508,CVE-2014-4667,CVE-2014-4943,CVE-2014-5077,CVE-2014-5471,CVE-2014-5472 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): kernel-bigsmp-3.0.101-0.40.1 SUSE Linux Enterprise Server 11 SP3 (src): iscsitarget-1.4.20-0.38.83, kernel-bigsmp-3.0.101-0.40.1, ofed-1.5.4.1-0.13.89, oracleasm-2.0.5-7.39.89 SUSE Linux Enterprise High Availability Extension 11 SP3 (src): cluster-network-1.4-2.27.98, drbd-kmp-8.4.4-0.22.64, gfs2-2-0.16.104, ocfs2-1.6-0.20.98 SUSE Linux Enterprise Desktop 11 SP3 (src): kernel-bigsmp-3.0.101-0.40.1 SLE 11 SERVER Unsupported Extras (src): kernel-bigsmp-3.0.101-0.40.1
SUSE-SU-2014:1319-1: An update that solves 13 vulnerabilities and has 75 fixes is now available. Category: security (important) Bug References: 774818,806990,816708,826486,832309,833820,849123,855657,859840,860441,860593,863586,866130,866615,866864,866911,869055,869934,870161,871134,871797,876017,876055,876114,876590,879304,879921,880344,880370,880892,881051,881759,882317,882639,882804,882900,883096,883376,883518,883724,884333,884582,884725,884767,885262,885382,885422,885509,886840,887082,887418,887503,887608,887645,887680,888058,888105,888591,888607,888847,888849,888968,889061,889173,889451,889614,889727,890297,890426,890513,890526,891087,891259,891281,891619,891746,892200,892490,892723,893064,893496,893596,894200,895221,895608,895680,895983,896689 CVE References: CVE-2013-1979,CVE-2014-1739,CVE-2014-2706,CVE-2014-3153,CVE-2014-4027,CVE-2014-4171,CVE-2014-4508,CVE-2014-4667,CVE-2014-4943,CVE-2014-5077,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1 SUSE Linux Enterprise Server 11 SP3 (src): kernel-default-3.0.101-0.40.1, kernel-ec2-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-ppc64-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1, xen-4.2.4_04-0.7.3 SUSE Linux Enterprise Real Time Extension 11 SP3 (src): cluster-network-1.4-2.27.99, drbd-kmp-8.4.4-0.22.65, iscsitarget-1.4.20-0.38.84, kernel-rt-3.0.101.rt130-0.28.1, kernel-rt_trace-3.0.101.rt130-0.28.1, kernel-source-rt-3.0.101.rt130-0.28.1, kernel-syms-rt-3.0.101.rt130-0.28.1, lttng-modules-2.1.1-0.11.75, ocfs2-1.6-0.20.99, ofed-1.5.4.1-0.13.90 SUSE Linux Enterprise High Availability Extension 11 SP3 (src): cluster-network-1.4-2.27.98, gfs2-2-0.16.104, ocfs2-1.6-0.20.98 SUSE Linux Enterprise Desktop 11 SP3 (src): kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1, xen-4.2.4_04-0.7.3 SLE 11 SERVER Unsupported Extras (src): kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-ppc64-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1
released
SUSE-SU-2015:0812-1: An update that fixes 39 vulnerabilities is now available. Category: security (important) Bug References: 677286,679812,681175,681999,683282,685402,687812,730118,730200,738400,758813,760902,769784,823260,846404,853040,854722,863335,874307,875051,880484,883223,883795,885422,891844,892490,896390,896391,896779,902346,907818,908382,910251,911325 CVE References: CVE-2011-1090,CVE-2011-1163,CVE-2011-1476,CVE-2011-1477,CVE-2011-1493,CVE-2011-1494,CVE-2011-1495,CVE-2011-1585,CVE-2011-4127,CVE-2011-4132,CVE-2011-4913,CVE-2011-4914,CVE-2012-2313,CVE-2012-2319,CVE-2012-3400,CVE-2012-6657,CVE-2013-2147,CVE-2013-4299,CVE-2013-6405,CVE-2013-6463,CVE-2014-0181,CVE-2014-1874,CVE-2014-3184,CVE-2014-3185,CVE-2014-3673,CVE-2014-3917,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-5471,CVE-2014-5472,CVE-2014-9090,CVE-2014-9322,CVE-2014-9420,CVE-2014-9584,CVE-2015-2041 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): kernel-bigsmp-2.6.16.60-0.132.1, kernel-debug-2.6.16.60-0.132.1, kernel-default-2.6.16.60-0.132.1, kernel-kdump-2.6.16.60-0.132.1, kernel-kdumppae-2.6.16.60-0.132.1, kernel-smp-2.6.16.60-0.132.1, kernel-source-2.6.16.60-0.132.1, kernel-syms-2.6.16.60-0.132.1, kernel-vmi-2.6.16.60-0.132.1, kernel-vmipae-2.6.16.60-0.132.1, kernel-xen-2.6.16.60-0.132.1, kernel-xenpae-2.6.16.60-0.132.1