Bug 917274 - (CVE-2015-1573) VUL-0: CVE-2015-1573: kernel: panic while flushing nftables rules that reference deleted chains.
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
Depends on:
Reported: 2015-02-11 08:21 UTC by Johannes Segitz
Modified: 2016-09-08 12:23 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2015-02-11 08:21:25 UTC

A flaw was found in the nft_flush_table function in the Linux kernel netfilter tables implementation.  The kernel would panic if it was commanded to flush rules referencing chains that had already been deleted. 

A local attacker with the CAP_NET_ADMIN capability could use this to panic (denial of service) a system if they were able to flush an affected chain.

Docker images with "root" permissions are not granted this capability by default.  Systems with privileged containers (started with docker run -privileged .. ) will be able to expose the system to this condition allowing the defect to be exploited.

Fix: http://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac
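A simplified model of the ordering hazard the description refers to, added here as an illustration and not the kernel's nft_flush_table code: chains and rules are plain structs with a use count standing in for the kernel's reference tracking, the two flush orders are assumed for illustration, and only the order that releases every rule before deleting any chain avoids the dangling jump target.

```c
#include <stdbool.h>

#define MAX_CHAINS 4
#define MAX_RULES  8

struct chain { bool alive; int use; };                /* use: rules jumping to this chain */
struct rule  { bool alive; int chain; int jump_to; }; /* jump_to < 0: no jump */
struct table { struct chain chains[MAX_CHAINS]; struct rule rules[MAX_RULES]; };

/* Drop a rule and its reference on its jump target; false if that chain is already gone. */
static bool rule_release(struct table *t, struct rule *r)
{
    if (r->alive && r->jump_to >= 0) {
        if (!t->chains[r->jump_to].alive)
            return false;             /* dangling reference: the kernel would panic here */
        t->chains[r->jump_to].use--;
    }
    r->alive = false;
    return true;
}

/* Chain-at-a-time order: flush chain c's rules, delete c, go on to the next chain.
 * A rule in a later chain that jumps to c then finds its target already deleted. */
static bool flush_chain_at_a_time(struct table *t)
{
    for (int c = 0; c < MAX_CHAINS; c++) {
        if (!t->chains[c].alive) continue;
        for (int i = 0; i < MAX_RULES; i++)
            if (t->rules[i].chain == c && !rule_release(t, &t->rules[i]))
                return false;
        t->chains[c].alive = false;   /* deleted even if rules elsewhere still jump here (use > 0) */
    }
    return true;
}

/* Two-pass order: release every rule in every chain first, then delete the chains. */
static bool flush_two_pass(struct table *t)
{
    for (int i = 0; i < MAX_RULES; i++)
        if (!rule_release(t, &t->rules[i])) return false;
    for (int c = 0; c < MAX_CHAINS; c++)
        t->chains[c].alive = false;
    return true;
}

/* Run one flush order over a constructed table: chains 0 and 1, one rule in chain 1 jumping to chain 0. */
static bool demo(bool (*flush)(struct table *))
{
    struct table t = { .chains = {{true, 1}, {true, 0}}, .rules = {{true, 1, 0}} };
    return flush(&t);
}
```

demo(flush_chain_at_a_time) reports the dangling target because chain 0 is deleted before chain 1's rule is released; demo(flush_two_pass) completes cleanly.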

Comment 1 Swamp Workflow Management 2015-02-11 23:00:15 UTC
bugbot adjusting priority
Comment 2 Borislav Petkov 2015-04-08 09:51:53 UTC
Michal, can you please take a look.
Comment 3 Michal Kubeček 2015-04-08 10:16:51 UTC
As nftables were added in mainline 3.13 and were not backported to SLE12,
this should only affect openSUSE 13.2 (the fix is in 3.19-rc5 and Factory
already has 3.19.3). I'll check if 13.2 is really affected and prepare
a backport if it is.
Comment 4 Michal Kubeček 2015-05-14 12:56:16 UTC
After some unsuccessful attempts to reproduce the issue, I checked the code.
Apparently the buggy code (and, actually, the ability to flush the entire
table, not only the rules in it) wasn't added until v3.18-rc1. Therefore none
of our kernels is currently vulnerable (master/stable are already fixed and
released SLE/openSUSE kernels never were).

Reassigning back to the Security team.
Comment 5 Marcus Meissner 2016-01-22 08:14:38 UTC
is only upstream