Bug 927780 (CVE-2014-9715) - VUL-0: CVE-2014-9715: kernel: netfilter connection tracking extensions denial of service
Summary: VUL-0: CVE-2014-9715: kernel: netfilter connection tracking extensions denial...
Status: RESOLVED FIXED
Alias: CVE-2014-9715
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/115632/
Whiteboard: CVSSv2:NVD:CVE-2014-9715:4.9:(AV:L/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-20 08:19 UTC by Andreas Stieger
Modified: 2016-04-27 19:37 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-04-20 08:19:37 UTC 
Via RedHat"

Nathan Hoad reported that RHEL-7's kernel is affected by a netfilter NULL
pointer dereference that was fixed upstream on Linux 3.15.

A flaw was found in the method which the kernel handles netfilter connection tracking accounting.  The values stored the size of the extensions loaded, in some cases this may be all extensions and overflowing the len value.  The work-around solution was to modify the size of the value to accommodate the possibility of all extensions being loaded.

A user behind the NAT could potentially craft a sequence of packets to load extensions and to create a denial of service by crashing the system.

References:
http://marc.info/?l=netfilter-devel&m=140112364215200&w=2

The flaw was introduced on Linux 3.6 and fixed on 3.15, so Current Fedora
kernels are not affected. RHEL-5 and RHEL-6 kernels are also not affected.

Upstream fix:
-------------
 -> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=223b02d923ecd7c84cf9780bb3686f455d279279

References:
-----------
 -> http://marc.info/?l=netfilter-devel&m=140112364215200&w=2
 -> https://bugzilla.redhat.com/show_bug.cgi?id=1206164
 -> http://www.openwall.com/lists/oss-security/2015/04/08/1

Possible mitigation:
--------------------

Connection tracking accounting can be disabled at run time via a sysctl setting.


Runtime change:

This can be changed during runtime by running the following commands:

# echo 0 > /proc/sys/net/netfilter/nf_conntrack_acct

Persistent change:

To make this behaviour persistent across reboots, modify /etc/sysctl.conf and make the following change prior to reboot:

net.netfilter.nf_conntrack_acct = 0


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1208684
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9715
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9715.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9715
Comment 1 Andreas Stieger 2015-04-20 08:21:54 UTC 
affected: SLE 12, openSUSE 13.2, openSUSE 13.1.
Comment 2 Swamp Workflow Management 2015-04-20 22:00:25 UTC 
bugbot adjusting priority
Comment 3 Borislav Petkov 2015-04-24 11:45:12 UTC 
SLE12: patch is already there:

$ grep 223b02d923ecd7c84cf9780bb3686f455d279279 patches.kernel.org/patch-3.12.20-21
Git-commit: 223b02d923ecd7c84cf9780bb3686f455d279279

oS13.1: backported
b630d53dd44f..a71522837151  openSUSE-13.1 -> openSUSE-13.1

oS13.2: has it:

$ git describe 223b02d923ecd7c84cf9780bb3686f455d279279
v3.14-7268-g223b02d923ec
Comment 4 Swamp Workflow Management 2016-02-01 15:17:48 UTC 
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
Comment 5 Marcus Meissner 2016-03-23 08:29:32 UTC 
released