Bug 917274 (CVE-2015-1573)

Summary: VUL-0: CVE-2015-1573: kernel: panic while flushing nftables rules that reference deleted chains.
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED UPSTREAM
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: bpetkov, mhocko, mkubecek, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/113712/
Whiteboard: CVSSv2:RedHat:CVE-2015-1573:2.4:(AV:L/AC:H/Au:S/C:P/I:P/A:N) CVSSv2:NVD:CVE-2015-1573:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2015-02-11 08:21:25 UTC
rh#1190966

A flaw was found in the nft_flush_table function in the Linux kernel netfilter tables implementation.  The kernel would panic if it was commanded to flush rules referencing chains that had already been deleted. 

A local attacker with the CAP_NET_ADMIN capability could use this to panic (denial of service) a system if they were able to flush an affected chain.

Docker images with "root" permissions are not granted this capability by default.  Systems with privileged containers (started with docker run --privileged ...) will be able to expose the system to this condition allowing the defect to be exploited.

Fix: http://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1190966
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1573
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1573.html
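The ordering problem behind the panic, as an added example that is not part of the bug report or of the kernel source. The model is invented for illustration: a table holds chains, each chain holds rules, and a jump rule pins its target chain through a use count. Deletions are queued in a log and applied in order, the way nf_tables batches them into a transaction and then commits. The "buggy" order deletes each chain right after its own rules; the "fixed" order queues every rule deletion in every chain first and only then the chain deletions, which is how I read the upstream fix commit linked above. Destroying a jump rule must drop the target chain's use count, so in the buggy order it touches a chain that is already gone; here that is reported as a negative return instead of a crash.

```c
/* Added example: model of the nft_flush_table() ordering bug (CVE-2015-1573).
 * Data structures, names and the chain "aux"/"input" scenario are invented;
 * only the two flush orders follow the pre-fix and post-fix kernel code as
 * I understand the linked commit. */
#include <stdio.h>
#include <string.h>

#define MAX_CHAINS 8
#define MAX_RULES  16
#define MAX_TXNS   (MAX_CHAINS + MAX_RULES)

struct chain {
    char name[16];
    int use;    /* rules jumping to this chain, like nft_chain.use */
    int freed;  /* set by the commit phase instead of calling free() */
};

struct rule {
    int chain;    /* index of the chain holding this rule */
    int jump_to;  /* index of the target chain, or -1 for a plain verdict */
    int freed;
};

enum txn_type { TXN_DELRULE, TXN_DELCHAIN };
struct txn { enum txn_type type; int idx; };

struct table {
    struct chain chains[MAX_CHAINS]; int nchains;
    struct rule  rules[MAX_RULES];   int nrules;
    struct txn   log[MAX_TXNS];      int nlog;
};

static int add_chain(struct table *t, const char *name) {
    struct chain *c = &t->chains[t->nchains];
    strncpy(c->name, name, sizeof c->name - 1);
    return t->nchains++;
}

static int add_rule(struct table *t, int chain, int jump_to) {
    struct rule *r = &t->rules[t->nrules];
    r->chain = chain; r->jump_to = jump_to; r->freed = 0;
    if (jump_to >= 0)
        t->chains[jump_to].use++;  /* a jump pins its target chain */
    return t->nrules++;
}

static void log_txn(struct table *t, enum txn_type type, int idx) {
    t->log[t->nlog].type = type; t->log[t->nlog].idx = idx; t->nlog++;
}

/* Prepare phase: queue the deletions. buggy=1 queues each chain right after
 * its own rules (pre-fix order); buggy=0 queues all rules, then all chains. */
static void flush_prepare(struct table *t, int buggy) {
    for (int c = 0; c < t->nchains; c++) {
        for (int r = 0; r < t->nrules; r++)
            if (t->rules[r].chain == c) log_txn(t, TXN_DELRULE, r);
        if (buggy) log_txn(t, TXN_DELCHAIN, c);
    }
    if (!buggy)
        for (int c = 0; c < t->nchains; c++) log_txn(t, TXN_DELCHAIN, c);
}

/* Commit phase: apply the log in order. Destroying a jump rule releases its
 * target chain; if that chain was already freed, this is the use-after-free
 * that panicked the kernel, reported here as -1. Returns 0 on a clean flush. */
static int flush_commit(struct table *t) {
    for (int i = 0; i < t->nlog; i++) {
        struct txn *x = &t->log[i];
        if (x->type == TXN_DELRULE) {
            struct rule *r = &t->rules[x->idx];
            if (r->jump_to >= 0) {
                struct chain *target = &t->chains[r->jump_to];
                if (target->freed) return -1;
                target->use--;
            }
            r->freed = 1;
        } else {
            t->chains[x->idx].freed = 1;
        }
    }
    return 0;
}

/* Constructed scenario: chain "aux" is listed before chain "input", and a
 * rule in "input" jumps to "aux". Flushing in the buggy order frees "aux"
 * before the jump rule that references it is destroyed. */
int flush_scenario(int buggy) {
    struct table t; memset(&t, 0, sizeof t);
    int aux = add_chain(&t, "aux");
    int input = add_chain(&t, "input");
    add_rule(&t, aux, -1);
    add_rule(&t, input, aux);
    flush_prepare(&t, buggy);
    return flush_commit(&t);
}

int main(void) {
    printf("pre-fix order: %s\n", flush_scenario(1) ? "rule released a freed chain" : "ok");
    printf("fixed order:   %s\n", flush_scenario(0) ? "rule released a freed chain" : "ok");
    return 0;
}
```

Whether the real bug fires depends on chain list order relative to the jump, which is why a table with no cross-chain jumps flushes fine in either order; the fix removes the dependency on order entirely by never freeing a chain while any rule can still reference it.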
Comment 1 Swamp Workflow Management 2015-02-11 23:00:15 UTC
bugbot adjusting priority
Comment 2 Borislav Petkov 2015-04-08 09:51:53 UTC
Michal, can you please take a look.
Comment 3 Michal Kubeček 2015-04-08 10:16:51 UTC
As nftables were added in mainline 3.13 and were not backported to SLE12,
this should only affect openSUSE 13.2 (the fix is in 3.19-rc5 and Factory
already has 3.19.3). I'll check if 13.2 is really affected and prepare
a backport if it is.
Comment 4 Michal Kubeček 2015-05-14 12:56:16 UTC
After some unsuccessful attempts to reproduce the issue, I checked the code.
Apparently the buggy code (and, actually, the ability to flush the entire
table (not only rules in it)) wasn't added until v3.18-rc1. Therefore none
of our kernels is currently vulnerable (master/stable are already fixed and
released SLE/openSUSE kernels never were).

Reassigning back to the Security team.
Comment 5 Marcus Meissner 2016-01-22 08:14:38 UTC
is only upstream