Bug 928135 (CVE-2015-3332)

Summary: VUL-1: CVE-2015-3332: kernel: TCP Fast Open local DoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: meissner, mhocko, mkubecek, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/116131/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patch from http://www.spinics.net/lists/netdev/msg325602.html

Description Andreas Stieger 2015-04-22 09:19:11 UTC
Created attachment 631932
patch from http://www.spinics.net/lists/netdev/msg325602.html

via rh#1213951

Linux kernel built with the IPv4 networking support (CONFIG_NET) is vulnerable to a DoS flaw. It could occur while using the TCP Fast Open option when initiating a network connection. This issue is a regression caused by upstream commit '355a901e6cf1', when it was back-ported to older 3.10.y - 3.16.y branches.

(355a901e6cf1b2b763ec85caa2a9f04fbcc4ab4a)

An unprivileged local user could use this flaw to crash the system resulting in DoS.

Upstream fix:
-------------
  -> http://www.spinics.net/lists/netdev/msg325602.html

References:
-----------
  -> http://www.openwall.com/lists/oss-security/2015/04/18/2
  -> https://bugs.debian.org/782515



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1213951
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3332
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3332.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3332
Comment 1 Michal Hocko 2015-04-22 15:51:09 UTC
None of the TD branches has a backport of 355a901e6cf1 so they are not affected.
Comment 2 Swamp Workflow Management 2015-04-22 22:00:49 UTC
bugbot adjusting priority
Comment 3 Michal Kubeček 2015-05-15 16:42:01 UTC
The only affected kernel of ours was SLE12 which got the offending commit
with 3.12.40 stable update but it also got the fix with 3.12.41 stable update
(so that the maintenance update currently in progress is OK).

Neither openSUSE-13.1 nor openSUSE-13.2 have the original backport so that
they are not affected. And mainline was never affected so that Factory is
also clean.

So I guess all we need is to update the references in
patches.kernel.org/patch-3.12.40-41
Comment 4 Michal Kubeček 2015-05-15 16:59:55 UTC
SLE12 patches.kernel.org/patch-3.12.40-41 references updated. Reassigning
back to the Security team.

For the sake of completeness: TCP Fast open implementation was introduced
in kernel 3.6 and was never backported into SLE11 or older.
Comment 5 Swamp Workflow Management 2015-06-16 12:11:29 UTC
SUSE-SU-2015:1071-1: An update that solves 13 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130
CVE References: CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.43-52.6.2, kernel-obs-build-3.12.43-52.6.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_5-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
Comment 6 Marcus Meissner 2015-09-04 15:11:04 UTC
all fixed