ID CVE-2016-3156
Summary The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses.
References
Vulnerable Configurations
  • cpe:2.3:o:novell:suse_linux_enterprise_debuginfo:11.0:sp4
    cpe:2.3:o:novell:suse_linux_enterprise_debuginfo:11.0:sp4
  • Novell SUSE Linux Enterprise Desktop 12.0
    cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:11.0:sp4
    cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:11.0:sp4
  • cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1
    cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1
  • cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:extra
    cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:extra
  • cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp4
    cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp4
  • Novell SUSE Linux Enterprise Server 12.0
    cpe:2.3:o:novell:suse_linux_enterprise_server:12.0
  • Novell SUSE Linux Enterprise Software Development Kit 11.0 Service Pack 4
    cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:11.0:sp4
  • cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Linux Kernel 4.5.1
    cpe:2.3:o:linux:linux_kernel:4.5.1
CVSS
Base: 2.1 (as of 26-08-2016 - 14:49)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-3A57B19360.NASL
    description The 4.4.6 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 90131
    published 2016-03-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90131
    title Fedora 22 : kernel-4.4.6-200.fc22 (2016-3a57b19360)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3596.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2019-02-21
    modified 2016-10-19
    plugin id 93148
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93148
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3596)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1076.NASL
    description The openSUSE Leap 42.1 kernel was updated to 4.1.31 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandled destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4557: The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel did not properly maintain an fd data structure, which allowed local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor (bnc#979018). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-4951: The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel did not verify socket existence, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation (bnc#981058). - CVE-2015-8787: The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604 (bnc#963931). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-6828: A use after free in tcp_xmit_retransmit_queue() was fixed that could be used by local attackers to crash the kernel (bsc#994296). - CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986362 986365 990058). - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152). - CVE-2016-1237: nfsd in the Linux kernel allowed local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c (bnc#986570). The following non-security bugs were fixed : - AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520). - KVM: arm/arm64: Handle forward time correction gracefully (bnc#974266). - Linux 4.1.29. Refreshed patch: patches.xen/xen3-fixup-xen Deleted patches: patches.fixes/0001-Revert-ecryptfs-forbid-opening-files- without-mmap-ha.patch patches.fixes/0001-ecryptfs-don-t-allow-mmap-when-the-lo wer-file-system.patch patches.rpmify/Revert-mm-swap.c-flush-lru-pvecs-on-compo und-page-ar patches.rpmify/Revert-powerpc-Update-TM-user-feature-bit s-in-scan_f - Revert 'mm/swap.c: flush lru pvecs on compound page arrival' (boo#989084). - Revert 'powerpc: Update TM user feature bits in scan_features()'. Fix the build error of 4.1.28 on ppc. - Revive i8042_check_power_owner() for 4.1.31 kabi fix. - USB: OHCI: Do not mark EDs as ED_OPER if scheduling fails (bnc#987886). - USB: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665). - Update patches.fixes/0002-nfsd-check-permissions-when-setting-A CLs.patch (bsc#986570 CVE-2016-1237). - Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570 CVE-2016-1237). - netfilter: x_tables: fix 4.1 stable backport (bsc#989176). - nfsd: check permissions when setting ACLs (bsc#986570). - posix_acl: Add set_posix_acl (bsc#986570). - ppp: defer netns reference release for ppp channel (bsc#980371). - series.conf: Move a kABI patch to its own section - supported.conf: enable i2c-designware driver (bsc#991110) - tcp: enable per-socket rate limiting of all 'challenge acks' (bsc#989152).
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 93445
    published 2016-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93445
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-1076)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3607.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2015-7515, CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140 Ralf Spenneberg of OpenSource Security reported that various USB drivers do not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash). - CVE-2016-0821 Solar Designer noted that the list 'poisoning' feature, intended to mitigate the effects of bugs in list manipulation in the kernel, used poison values within the range of virtual addresses that can be allocated by user processes. - CVE-2016-1237 David Sinquin discovered that nfsd does not check permissions when setting ACLs, allowing users to grant themselves permissions to a file by setting the ACL. - CVE-2016-1583 Jann Horn of Google Project Zero reported that the eCryptfs filesystem could be used together with the proc filesystem to cause a kernel stack overflow. If the ecryptfs-utils package is installed, local users could exploit this, via the mount.ecryptfs_private program, for denial of service (crash) or possibly for privilege escalation. - CVE-2016-2117 Justin Yackoski of Cryptonite discovered that the Atheros L2 ethernet driver incorrectly enables scatter/gather I/O. A remote attacker could take advantage of this flaw to obtain potentially sensitive information from kernel memory. - CVE-2016-2143 Marcin Koscielnicki discovered that the fork implementation in the Linux kernel on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash). - CVE-2016-3070 Jan Stancek of Red Hat discovered a local denial of service vulnerability in AIO handling. - CVE-2016-3134 The Google Project Zero team found that the netfilter subsystem does not sufficiently validate filter table entries. A user with the CAP_NET_ADMIN capability could use this for denial of service (crash) or possibly for privilege escalation. Debian disables unprivileged user namespaces by default, if locally enabled with the kernel.unprivileged_userns_clone sysctl, this allows privilege escalation. - CVE-2016-3156 Solar Designer discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. - CVE-2016-3157 / XSA-171 Andy Lutomirski discovered that the x86_64 (amd64) task switching implementation did not correctly update the I/O permission level when running as a Xen paravirtual (PV) guest. In some configurations this would allow local users to cause a denial of service (crash) or to escalate their privileges within the guest. - CVE-2016-3672 Hector Marco and Ismael Ripoll noted that it was possible to disable Address Space Layout Randomisation (ASLR) for x86_32 (i386) programs by removing the stack resource limit. This made it easier for local users to exploit security flaws in programs that have the setuid or setgid flag set. - CVE-2016-3951 It was discovered that the cdc_ncm driver would free memory prematurely if certain errors occurred during its initialisation. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash) or possibly to escalate their privileges. - CVE-2016-3955 Ignat Korchagin reported that the usbip subsystem did not check the length of data received for a USB buffer. This allowed denial of service (crash) or privilege escalation on a system configured as a usbip client, by the usbip server or by an attacker able to impersonate it over the network. A system configured as a usbip server might be similarly vulnerable to physically present users. - CVE-2016-3961 / XSA-174 Vitaly Kuznetsov of Red Hat discovered that Linux allowed the use of hugetlbfs on x86 (i386 and amd64) systems even when running as a Xen paravirtualised (PV) guest, although Xen does not support huge pages. This allowed users with access to /dev/hugepages to cause a denial of service (crash) in the guest. - CVE-2016-4470 David Howells of Red Hat discovered that a local user can trigger a flaw in the Linux kernel's handling of key lookups in the keychain subsystem, leading to a denial of service (crash) or possibly to privilege escalation. - CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4569, CVE-2016-4578, CVE-2016-4580, CVE-2016-5243, CVE-2016-5244 Kangjie Lu reported that the USB devio, llc, rtnetlink, ALSA timer, x25, tipc, and rds facilities leaked information from the kernel stack. - CVE-2016-4565 Jann Horn of Google Project Zero reported that various components in the InfiniBand stack implemented unusual semantics for the write() operation. On a system with InfiniBand drivers loaded, local users could use this for denial of service or privilege escalation. - CVE-2016-4581 Tycho Andersen discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local user can take advantage of this flaw to cause a denial of service (system crash). - CVE-2016-4805 Baozeng Ding discovered a use-after-free in the generic PPP layer in the Linux kernel. A local user can take advantage of this flaw to cause a denial of service (system crash), or potentially escalate their privileges. - CVE-2016-4913 Al Viro found that the ISO9660 filesystem implementation did not correctly count the length of certain invalid name entries. Reading a directory containing such name entries would leak information from kernel memory. Users permitted to mount disks or disk images could use this to obtain sensitive information. - CVE-2016-4997 / CVE-2016-4998 Jesse Hertz and Tim Newsham discovered that missing input sanitising in Netfilter socket handling may result in denial of service. Debian disables unprivileged user namespaces by default, if locally enabled with the kernel.unprivileged_userns_clone sysctl, this also allows privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91886
    published 2016-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91886
    title Debian DSA-3607-1 : linux - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-694.NASL
    description An integer overflow vulnerability was found in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. (CVE-2016-3135) In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset. (CVE-2016-3134) A weakness was found in the Linux ASLR implementation. Any user able to run 32-bit applications in a x86 machine can disable the ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) Destroying a network interface with a large number of IPv4 addresses keeps a rtnl_lock for a very long time, which can block many network-related operations. (CVE-2016-3156) A use-after-free vulnerability was found in the kernel's socket recvmmsg subsystem. This may allow remote attackers to corrupt memory and may allow execution of arbitrary code. This corruption takes place during the error handling routines within __sys_recvmmsg() function. (CVE-2016-7117) (Updated on 2017-01-19: CVE-2016-7117 was fixed in this release but was previously not part of this errata.)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 90778
    published 2016-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90778
    title Amazon Linux AMI : kernel (ALAS-2016-694)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-518.NASL
    description