kernel: Linux local privilege escalation in compat_setsockopt (CVE-2016-4997)

This document (7017773) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 LTSS (SLES 12 LTSS)

Situation

When processing an IPT_SO_SET_REPLACE setsockopt request made with the compat_setsockopt system call (which requires CONFIG_COMPAT=y and CONFIG_IP_NF_IPTABLES=m or CONFIG_IP_NF_IPTABLES=y), the kernel will alter arbitrary kernel memory through pointers provided by the caller (if CONFIG_MODULE_UNLOAD=y is configured). This can be leveraged to elevate privileges or to gain arbitrary code execution in the kernel.  This call requires root permissions, but can be invoked by an arbitrary user if CONFIG_USER_NS=y and CONFIG_NET_NS=y are enabled in the kernel.

Due to incomplete validation of target_offset values in check_compat_entry_size_and_hooks() in net/ipv4/netfilter/ip_tables.c, a critical offset can be corrupted. As a result, several important structures are referenced from unvalidated memory during error cleanup. These structures are meant to contain kernel-provided data, but a malicious user can provide these values. The result is that a malicious user can decrement arbitrary kernel integers when they are positive.

This vulnerability was introduced in the Linux kernel 3.8, which means only SUSE Linux Enterprise 12 and newer are affected.

Resolution

SUSE has released the following patches:
SLES 12 SP1
  • kernel-default-3.12.59-60.45.2
  • release date 30th of June 2016
SLES 12
  • kernel-default-3.12.60-52.54.2
  • release date 30th of June 2016

Cause


Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7017773
  • Creation Date: 24-Jun-2016
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center