Bug 980246 (CVE-2016-3707)

Summary: VUL-0: CVE-2016-3707: kernel-rt: Sending SysRq command via ICMP echo request
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bpetkov, meissner, mgalbraith, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/169145/
Whiteboard: CVSSv2:RedHat:CVE-2016-3707:7.1:(AV:N/AC:M/Au:N/C:N/I:N/A:C)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2016-05-17 06:44:29 UTC 
rh#1327484

A flaw was found in the kernel-rt in which an attacker could submit a specially crafted ICMP echo request which can trigger a sysrq function based on values in the ICMP packet.

This feature was introduced in the kernel-rt only and is not shipping with standard Red Hat Enterprise Linux kernels.

Remote attacker could exploit this feature using bruteforce to submit arbitrary SysRq commands.

Resources:
https://www.kernel.org/pub/linux/kernel/projects/rt/4.4/patch-4.4.7-rt16.patch.gz

Upstream discussion:
https://lwn.net/Articles/448790/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1327484
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3707
http://seclists.org/oss-sec/2016/q2/349
https://www.kernel.org/pub/linux/kernel/projects/rt/4.4/patch-4.4.7-rt16.patch.gz
Comment 1 Swamp Workflow Management 2016-05-17 22:00:15 UTC 
bugbot adjusting priority
Comment 4 Marcus Meissner 2016-05-23 15:30:13 UTC 
well.

SLE11-SP4-RT:
patches.rt/0287-ping-sysrq.patch

SLE12-SP1-RT:
patches.rt/ping-sysrq.patch
Comment 6 Mike Galbraith 2016-05-24 09:37:15 UTC 
(In reply to Marcus Meissner from comment #4)
> well.
> 
> SLE11-SP4-RT:
> patches.rt/0287-ping-sysrq.patch
> 
> SLE12-SP1-RT:
> patches.rt/ping-sysrq.patch

Patch has now been removed from all SLERT branches.  SLE11-SP4-RT and SLE12-SP2-RT pushed, SLE12-SP1-RT is committed, but not yet pushed, work pending.
Comment 7 Swamp Workflow Management 2016-07-08 15:28:45 UTC 
SUSE-SU-2016:1764-1: An update that solves 26 vulnerabilities and has 95 fixes is now available.

Category: security (important)
Bug References: 880007,889207,899908,903279,908151,931448,937086,940413,942262,943645,943989,945219,956084,956852,957986,957988,957990,959146,959514,959709,960174,960561,960629,961500,961512,961658,962336,962872,963193,963572,963746,963765,963827,963960,964201,964461,965087,965153,965199,965319,965830,965924,966054,966094,966437,966471,966573,966693,966831,966864,966910,967047,967251,967292,967299,967650,967651,967802,967903,968010,968018,968074,968141,968206,968230,968234,968253,968448,968497,968512,968643,968670,968687,968812,968813,969112,969439,969571,969655,969690,969735,969992,969993,970062,970160,970504,970604,970609,970892,970909,970911,970948,970955,970956,970958,970970,971124,971125,971126,971159,971170,971360,971600,971628,972003,972068,972174,972780,972844,972891,972951,973378,973556,973855,974406,974418,975371,975488,975772,975945,980246
CVE References: CVE-2015-7566,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8709,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2016-0723,CVE-2016-2143,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2384,CVE-2016-2782,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-3689,CVE-2016-3707,CVE-2016-3951
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.58-14.1, kernel-compute_debug-3.12.58-14.1, kernel-rt-3.12.58-14.1, kernel-rt_debug-3.12.58-14.1, kernel-source-rt-3.12.58-14.1, kernel-syms-rt-3.12.58-14.1
Comment 8 Swamp Workflow Management 2016-08-02 14:26:36 UTC 
SUSE-SU-2016:1937-1: An update that solves 24 vulnerabilities and has 76 fixes is now available.

Category: security (important)
Bug References: 662458,676471,897662,928547,944309,945345,947337,950998,951844,953048,953233,954847,956491,957805,957986,957990,958390,958463,960857,962742,962846,963762,964727,965087,966245,967640,968667,969016,970114,970506,970604,970609,970948,971049,971770,971947,972124,972933,973378,973499,973570,974165,974308,974620,974646,974692,975533,975772,975788,976739,976821,976868,977417,977582,977685,978401,978469,978527,978822,979169,979213,979347,979419,979485,979489,979521,979548,979867,979879,979922,980246,980348,980371,980706,981038,981143,981344,982282,982354,982544,982698,983143,983213,983318,983394,983721,983904,983977,984148,984456,984755,985232,985978,986362,986569,986572,986811,988215,988498,988552
CVE References: CVE-2014-9717,CVE-2014-9904,CVE-2015-7833,CVE-2015-8539,CVE-2015-8551,CVE-2015-8552,CVE-2015-8845,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-2847,CVE-2016-3672,CVE-2016-3707,CVE-2016-4470,CVE-2016-4482,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4805,CVE-2016-4997,CVE-2016-5244,CVE-2016-5828,CVE-2016-5829
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.61-60.18.1, kernel-compute_debug-3.12.61-60.18.1, kernel-rt-3.12.61-60.18.1, kernel-rt_debug-3.12.61-60.18.1, kernel-source-rt-3.12.61-60.18.1, kernel-syms-rt-3.12.61-60.18.1
Comment 9 Swamp Workflow Management 2016-08-08 18:18:53 UTC 
SUSE-SU-2016:1985-1: An update that solves 20 vulnerabilities and has 43 fixes is now available.

Category: security (important)
Bug References: 676471,866130,909589,936530,944309,950998,953369,954847,956491,957986,960857,961518,963762,966245,967914,968500,969149,969391,970114,971030,971126,971360,971446,971944,971947,971989,973378,974620,974646,974787,975358,976739,976868,978401,978821,978822,979213,979274,979347,979419,979548,979595,979867,979879,979915,980246,980371,980725,980788,980931,981231,981267,982532,982544,982691,983143,983213,983721,984107,984755,986362,986572,988498
CVE References: CVE-2015-7833,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-2187,CVE-2016-3134,CVE-2016-3707,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-5244,CVE-2016-5829
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-57.1, kernel-rt_trace-3.0.101.rt130-57.1, kernel-source-rt-3.0.101.rt130-57.1, kernel-syms-rt-3.0.101.rt130-57.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-57.1, kernel-rt_debug-3.0.101.rt130-57.1, kernel-rt_trace-3.0.101.rt130-57.1
Comment 10 Marcus Meissner 2017-03-01 14:19:28 UTC 
released