Bug 960561 (CVE-2015-8709)

Summary: VUL-0: CVE-2015-8709: kernel: ptrace: potential privilege escalation in user namespaces
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Neil Brown <nfbrown>
Status: RESOLVED DUPLICATE QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: bpetkov, mbenes, mhocko, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/160225/
Whiteboard: CVSSv2:SUSE:CVE-2015-8709:6.0:(AV:L/AC:H/Au:S/C:C/I:C/A:C)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 960563    
Bug Blocks:    

Description Johannes Segitz 2016-01-04 11:26:09 UTC 
rh#1295287

Linux kernel built with the User Namespaces(CONFIG_USER_NS) support is
vulnerable to a potential privilege escalation flaw. It could occur when a
root owned process tries to enter a user namespace, wherein a user attempts
to attach the entering process via ptrace(1).

A privileged name space user could use this flaw to potentially escalate their
privileges on the system.

References:
https://lkml.org/lkml/2015/12/25/71
https://bugzilla.redhat.com/show_bug.cgi?id=1295287
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8709
http://seclists.org/oss-sec/2015/q4/614
Comment 1 Swamp Workflow Management 2016-01-04 23:00:12 UTC 
bugbot adjusting priority
Comment 2 Michal Hocko 2016-01-05 08:42:58 UTC 
User namespaces is not enabled in the TD kernels so they are not affected
Comment 6 Neil Brown 2016-01-29 01:08:04 UTC 
I'm inclined to wait until the patch gets to mainline.

The scenario seems to be that if a privilege process does a fairly risky and questionable thing, then it could be subverted.
While the proposed patch probably closes one subversion path effectively, it is probably the sort of thing that shouldn't be tried anyway.

So a site will only be vulnerable if a sysadmin tries to do something they probably shouldn't, and this fix won't necessarily protect them.

If/when the patch goes upstream it would be justifiable to include it in SLE, but until then I don't think we have any real exposure.

If it doesn't go upstream by 4.6-rc1 I'll re-visit the issue.
Comment 7 Neil Brown 2016-02-18 06:30:36 UTC 
Fix has been committed for all SLE-12 kernels: bug 959709

*** This bug has been marked as a duplicate of bug 959709 ***
Comment 9 Swamp Workflow Management 2016-03-16 14:20:32 UTC 
SUSE-SU-2016:0785-1: An update that solves 10 vulnerabilities and has 66 fixes is now available.

Category: security (important)
Bug References: 812259,816099,855062,867583,884701,899908,922071,937444,940338,940946,941363,943989,945219,947953,949752,950292,951155,955308,955654,956084,956514,957525,957986,959090,959146,959257,959463,959629,959709,960174,960227,960458,960561,960629,961257,961500,961509,961516,961588,961658,961971,962336,962356,962788,962965,963193,963449,963572,963746,963765,963767,963825,963960,964201,964730,965199,965344,965830,965840,965891,966026,966094,966278,966437,966471,966693,966864,966910,967802,968018,968074,968206,968230,968234,968253,969112
CVE References: CVE-2013-7446,CVE-2015-5707,CVE-2015-8709,CVE-2015-8767,CVE-2015-8785,CVE-2015-8812,CVE-2016-0723,CVE-2016-0774,CVE-2016-2069,CVE-2016-2384
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    kernel-default-3.12.55-52.42.1
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.55-52.42.2, kernel-obs-build-3.12.55-52.42.2
SUSE Linux Enterprise Server 12 (src):    kernel-default-3.12.55-52.42.1, kernel-source-3.12.55-52.42.1, kernel-syms-3.12.55-52.42.1, kernel-xen-3.12.55-52.42.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.55-52.42.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_12-1-2.1
SUSE Linux Enterprise Desktop 12 (src):    kernel-default-3.12.55-52.42.1, kernel-source-3.12.55-52.42.1, kernel-syms-3.12.55-52.42.1, kernel-xen-3.12.55-52.42.1
Comment 10 Swamp Workflow Management 2016-04-12 10:13:14 UTC 
openSUSE-SU-2016:1008-1: An update that solves 15 vulnerabilities and has 26 fixes is now available.

Category: security (important)
Bug References: 814440,884701,949936,951440,951542,951626,951638,953527,954018,954404,954405,954876,958439,958463,958504,959709,960561,960563,960710,961263,961500,961509,962257,962866,962977,963746,963765,963767,963931,965125,966137,966179,966259,966437,966684,966693,968018,969356,969582,970845,971125
CVE References: CVE-2015-1339,CVE-2015-7799,CVE-2015-7872,CVE-2015-7884,CVE-2015-8104,CVE-2015-8709,CVE-2015-8767,CVE-2015-8785,CVE-2015-8787,CVE-2015-8812,CVE-2016-0723,CVE-2016-2069,CVE-2016-2184,CVE-2016-2383,CVE-2016-2384
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.20-11.1, kernel-default-4.1.20-11.1, kernel-docs-4.1.20-11.3, kernel-ec2-4.1.20-11.1, kernel-obs-build-4.1.20-11.2, kernel-obs-qa-4.1.20-11.1, kernel-obs-qa-xen-4.1.20-11.1, kernel-pae-4.1.20-11.1, kernel-pv-4.1.20-11.1, kernel-source-4.1.20-11.1, kernel-syms-4.1.20-11.1, kernel-vanilla-4.1.20-11.1, kernel-xen-4.1.20-11.1
Comment 11 Swamp Workflow Management 2016-04-12 19:13:31 UTC 
SUSE-SU-2016:1019-1: An update that solves 9 vulnerabilities and has 70 fixes is now available.

Category: security (important)
Bug References: 816099,867251,875631,880007,943645,944749,945219,949752,955308,956084,956852,957986,959146,959257,959463,959709,960174,960458,960561,960629,961257,961500,961516,961588,961658,963193,963746,963765,963827,963960,964201,964730,965087,965199,965830,965891,965924,966026,966094,966278,966437,966471,966693,966831,966864,966910,967047,967292,967299,967650,967651,967802,967903,968010,968018,968074,968141,968206,968230,968234,968253,968448,968512,968643,968670,969112,969439,969571,969655,969690,969735,969992,969993,970062,970160,970249,970909,971125,971360
CVE References: CVE-2015-8709,CVE-2015-8812,CVE-2015-8816,CVE-2016-2143,CVE-2016-2184,CVE-2016-2384,CVE-2016-2782,CVE-2016-3139,CVE-2016-3156
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.57-60.35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.57-60.35.3, kernel-obs-build-3.12.57-60.35.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.57-60.35.1, kernel-source-3.12.57-60.35.1, kernel-syms-3.12.57-60.35.1, kernel-xen-3.12.57-60.35.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.57-60.35.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_4-1-2.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.57-60.35.1, kernel-source-3.12.57-60.35.1, kernel-syms-3.12.57-60.35.1, kernel-xen-3.12.57-60.35.1
Comment 12 Swamp Workflow Management 2016-07-08 15:12:52 UTC 
SUSE-SU-2016:1764-1: An update that solves 26 vulnerabilities and has 95 fixes is now available.

Category: security (important)
Bug References: 880007,889207,899908,903279,908151,931448,937086,940413,942262,943645,943989,945219,956084,956852,957986,957988,957990,959146,959514,959709,960174,960561,960629,961500,961512,961658,962336,962872,963193,963572,963746,963765,963827,963960,964201,964461,965087,965153,965199,965319,965830,965924,966054,966094,966437,966471,966573,966693,966831,966864,966910,967047,967251,967292,967299,967650,967651,967802,967903,968010,968018,968074,968141,968206,968230,968234,968253,968448,968497,968512,968643,968670,968687,968812,968813,969112,969439,969571,969655,969690,969735,969992,969993,970062,970160,970504,970604,970609,970892,970909,970911,970948,970955,970956,970958,970970,971124,971125,971126,971159,971170,971360,971600,971628,972003,972068,972174,972780,972844,972891,972951,973378,973556,973855,974406,974418,975371,975488,975772,975945,980246
CVE References: CVE-2015-7566,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8709,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2016-0723,CVE-2016-2143,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2384,CVE-2016-2782,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-3689,CVE-2016-3707,CVE-2016-3951
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.58-14.1, kernel-compute_debug-3.12.58-14.1, kernel-rt-3.12.58-14.1, kernel-rt_debug-3.12.58-14.1, kernel-source-rt-3.12.58-14.1, kernel-syms-rt-3.12.58-14.1
Comment 13 Swamp Workflow Management 2016-08-24 13:10:49 UTC 
openSUSE-SU-2016:2144-1: An update that solves 53 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 901754,941113,942702,945219,955654,957052,957988,959709,960561,961512,963762,963765,966245,966437,966693,966849,967972,967973,967974,967975,968010,968011,968012,968013,968018,968670,969354,969355,970114,970275,970892,970909,970911,970948,970955,970956,970958,970970,971124,971125,971126,971360,971628,971799,971919,971944,972174,973378,973570,974308,974418,974646,975945,978401,978445,978469,978821,978822,979021,979213,979548,979867,979879,979913,980348,980363,980371,980725,981267,982706,983143,983213,984464,984755,984764,986362,986365,986377,986572,986573,986811
CVE References: CVE-2012-6701,CVE-2013-7446,CVE-2014-9904,CVE-2015-3288,CVE-2015-6526,CVE-2015-7566,CVE-2015-8709,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2015-8830,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2187,CVE-2016-2188,CVE-2016-2384,CVE-2016-2543,CVE-2016-2544,CVE-2016-2545,CVE-2016-2546,CVE-2016-2547,CVE-2016-2548,CVE-2016-2549,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-3672,CVE-2016-3689,CVE-2016-3951,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4581,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-5244,CVE-2016-5829
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.20.3, cloop-2.639-14.20.3, crash-7.0.8-20.3, hdjmod-1.28-18.21.3, ipset-6.23-20.3, kernel-debug-3.16.7-42.1, kernel-default-3.16.7-42.1, kernel-desktop-3.16.7-42.1, kernel-docs-3.16.7-42.2, kernel-ec2-3.16.7-42.1, kernel-obs-build-3.16.7-42.2, kernel-obs-qa-3.16.7-42.1, kernel-obs-qa-xen-3.16.7-42.1, kernel-pae-3.16.7-42.1, kernel-source-3.16.7-42.1, kernel-syms-3.16.7-42.1, kernel-vanilla-3.16.7-42.1, kernel-xen-3.16.7-42.1, pcfclock-0.44-260.20.2, vhba-kmp-20140629-2.20.2, virtualbox-5.0.20-48.5, xen-4.4.4_02-46.2, xtables-addons-2.6-22.3
Comment 14 Swamp Workflow Management 2017-02-13 20:26:25 UTC 
openSUSE-SU-2017:0456-1: An update that solves 11 vulnerabilities and has 98 fixes is now available.

Category: security (important)
Bug References: 1000092,1000619,1003077,1003253,1005918,1006469,1006472,1007729,1008742,1009546,1009674,1009718,1009911,1009969,1010612,1010690,1011176,1011250,1011602,1011660,1011913,1012422,1012829,1012910,1013000,1013001,1013273,1013531,1013540,1013542,1013792,1013994,1014120,1014392,1014410,1014701,1014710,1015038,1015212,1015359,1015367,1015416,1015840,1016250,1016403,1016517,1016884,1016979,1017164,1017170,1017410,1017589,1018100,1018316,1018358,1018385,1018446,1018813,1018913,1019061,1019148,1019260,1019351,1019594,1019630,1019631,1019784,1019851,1020214,1020488,1020602,1020685,1020817,1020945,1020975,1021248,1021251,1021258,1021260,1021294,1021455,1021474,1022304,1022429,1022476,1022547,1022559,1022971,1023101,1023175,921494,959709,960561,964944,966170,966172,966186,966191,969474,969475,969756,971975,974215,979378,981709,985561,987192,987576,991273
CVE References: CVE-2015-8709,CVE-2016-7117,CVE-2016-8645,CVE-2016-9793,CVE-2016-9806,CVE-2016-9919,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.46-11.1, kernel-default-4.4.46-11.1, kernel-docs-4.4.46-11.3, kernel-obs-build-4.4.46-11.1, kernel-obs-qa-4.4.46-11.1, kernel-source-4.4.46-11.1, kernel-syms-4.4.46-11.1, kernel-vanilla-4.4.46-11.1