Bug 1085107 - (CVE-2018-1068) VUL-0: CVE-2018-1068: kernel: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/201727/
CVSSv3:SUSE:CVE-2018-1068:8.4:(AV:L/...
Reported: 2018-03-13 15:32 UTC by Marcus Meissner
Modified: 2019-08-28 08:57 UTC (History)
Comment 3 Michal Kubeček 2018-03-13 16:10:54 UTC
Commit b71812168571 already has a follow-up

  932909d9b28d  netfilter: ebtables: fix erroneous reject of last rule

which is only in nf and net trees at the moment. We will need both.

The patch from

  https://marc.info/?l=linux-netdev&m=152025888924151&w=2

was agreed to be no longer necessary if commit b71812168571 is applied.

>              This flaw can be exploited not only by a system's privileged
> user (a real "root" user), but also by an attacker who is a privileged user
> (a "root" user) in a user+network namespace.

In other words, urgent security bug from cve/linux-3.12 up.
Comment 13 Marcus Meissner 2018-03-16 09:49:49 UTC
hello,

(we believe this flaw is semi-public. there are posts in public mailing
lists and a commit in the upstream Linux tree, but we are not aware of this bug
being considered as a security flaw and not aware of any exploits in the wild.
so we would like to explicitly post to oss-sec@)

a CVE id of CVE-2018-1068 was assigned to this flaw and we would like to ask to
use it in the related public communications.

so:

A flaw was found in the Linux kernel implementation of 32 bit syscall interface
for bridging allowing a privileged user to arbitrarily write to a limited range
of kernel memory. This flaw can be exploited not only by a system's privileged
user (a real "root" user), but also by an attacker who is a privileged user
(a "root" user) in a user+network namespace.

References:

https://marc.info/?l=linux-netdev&m=152023808817590&w=2

https://marc.info/?l=linux-netdev&m=152025888924151&w=2

https://bugzilla.redhat.com/show_bug.cgi?id=1552048

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b71812168571fa55e44cdd0254471331b9c4c4c6

https://github.com/torvalds/linux/commit/b71812168571fa55e44cdd0254471331b9c4c4c6

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Comment 16 Swamp Workflow Management 2018-03-23 02:26:21 UTC
openSUSE-SU-2018:0781-1: An update that solves 11 vulnerabilities and has 110 fixes is now available.

Category: security (important)
Bug References: 1006867,1012382,1015342,1015343,1020645,1022607,1027054,1031717,1033587,1034503,103998_FIXME,1042286,1043441,1043725,1043726,1062840,1065600,1065615,1066223,1067118,1068032,1068569,1069135,1070404,1071306,1071892,1072363,1072689,1072739,1072865,1073401,1073407,1074198,1074426,1075087,1076282,1076693,1076760,1076982,1077241,1077285,1077560,1078583,1078672,1078673,1079029,1079038,1079313,1079384,1079609,1079886,1079989,1080014,1080263,1080321,1080344,1080364,1080384,1080464,1080533,1080656,1080774,1080813,1080851,1081134,1081431,1081436,1081437,1081491,1081498,1081500,1081512,1081514,1081681,1081735,1082089,1082223,1082299,1082373,1082478,1082632,1082795,1082864,1082897,1082979,1082993,1083048,1083086,1083223,1083387,1083409,1083494,1083548,1083750,1083770,1084041,1084397,1084427,1084610,1084772,1084888,1084926,1084928,1084967,1085011,1085015,1085045,1085047,1085050,1085053,1085054,1085056,1085107,1085224,1085239,863764,966170,966172,966328,975772,983145
CVE References: CVE-2017-13166,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17975,CVE-2017-18174,CVE-2017-18208,CVE-2018-1000026,CVE-2018-1068,CVE-2018-8087
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.120-45.1, kernel-default-4.4.120-45.1, kernel-docs-4.4.120-45.2, kernel-obs-build-4.4.120-45.2, kernel-obs-qa-4.4.120-45.1, kernel-source-4.4.120-45.1, kernel-syms-4.4.120-45.1, kernel-vanilla-4.4.120-45.1
Comment 17 Swamp Workflow Management 2018-03-23 17:22:14 UTC
SUSE-SU-2018:0785-1: An update that solves 10 vulnerabilities and has 70 fixes is now available.

Category: security (important)
Bug References: 1005776,1006867,1012382,1012829,1027054,1031717,1034503,1035432,1042286,1043441,1045330,1062840,1065600,1065615,1066223,1067118,1068032,1068569,1069135,1071306,1071892,1072363,1072689,1072739,1072865,1073401,1074198,1074426,1075087,1076282,1077285,1077513,1077560,1077779,1078583,1078609,1078672,1078673,1078787,1079029,1079038,1079384,1079989,1080014,1080263,1080344,1080360,1080364,1080384,1080464,1080774,1080809,1080813,1080851,1081134,1081431,1081491,1081498,1081500,1081512,1081671,1082223,1082299,1082478,1082795,1082864,1082897,1082979,1082993,1083494,1083548,1084610,1085053,1085107,1085224,1085239,863764,966328,975772,983145
CVE References: CVE-2017-13166,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17975,CVE-2017-18208,CVE-2018-1000026,CVE-2018-1068,CVE-2018-8087
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.120-92.70.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.120-92.70.1, kernel-obs-build-4.4.120-92.70.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.120-92.70.1, kernel-source-4.4.120-92.70.1, kernel-syms-4.4.120-92.70.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.120-92.70.1, kernel-source-4.4.120-92.70.1, kernel-syms-4.4.120-92.70.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_20-1-3.3.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.120-92.70.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.120-92.70.1, kernel-source-4.4.120-92.70.1, kernel-syms-4.4.120-92.70.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.120-92.70.1
Comment 18 Swamp Workflow Management 2018-03-23 17:39:13 UTC
SUSE-SU-2018:0786-1: An update that solves 11 vulnerabilities and has 116 fixes is now available.

Category: security (important)
Bug References: 1006867,1012382,1015342,1015343,1020645,1022607,1024376,1027054,1031717,1033587,1034503,1042286,1043441,1043725,1043726,1062840,1065600,1065615,1066223,1067118,1068032,1068569,1069135,1070404,1071306,1071892,1072363,1072689,1072739,1072865,1073401,1073407,1074198,1074426,1075087,1076282,1076693,1076760,1076982,1077241,1077285,1077513,1077560,1077779,1078583,1078672,1078673,1078787,1079029,1079038,1079195,1079313,1079384,1079609,1079886,1079989,1080014,1080263,1080321,1080344,1080364,1080384,1080464,1080533,1080656,1080774,1080813,1080851,1081134,1081431,1081436,1081437,1081491,1081498,1081500,1081512,1081514,1081681,1081735,1082089,1082223,1082299,1082373,1082478,1082632,1082795,1082864,1082897,1082979,1082993,1083048,1083086,1083223,1083387,1083409,1083494,1083548,1083750,1083770,1084041,1084397,1084427,1084610,1084772,1084888,1084926,1084928,1084967,1085011,1085015,1085045,1085047,1085050,1085053,1085054,1085056,1085107,1085224,1085239,863764,966170,966172,966328,969476,969477,975772,983145
CVE References: CVE-2017-13166,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17975,CVE-2017-18174,CVE-2017-18208,CVE-2018-1000026,CVE-2018-1068,CVE-2018-8087
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.120-94.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.120-94.17.1, kernel-obs-build-4.4.120-94.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.120-94.17.1, kernel-source-4.4.120-94.17.1, kernel-syms-4.4.120-94.17.1
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_10-1-4.3.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.120-94.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.120-94.17.1, kernel-source-4.4.120-94.17.1, kernel-syms-4.4.120-94.17.1
SUSE CaaS Platform ALL (src):    kernel-default-4.4.120-94.17.1
Comment 19 Swamp Workflow Management 2018-03-28 19:11:42 UTC
SUSE-SU-2018:0834-1: An update that solves 19 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1010470,1012382,1045330,1062568,1063416,1066001,1067118,1068032,1072689,1072865,1074488,1075617,1075621,1077560,1078669,1078672,1078673,1078674,1080255,1080464,1080757,1082299,1083244,1083483,1083494,1083640,1084323,1085107,1085114,1085279,1085447
CVE References: CVE-2016-7915,CVE-2017-12190,CVE-2017-13166,CVE-2017-15299,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18017,CVE-2017-18204,CVE-2017-18208,CVE-2017-18221,CVE-2018-1066,CVE-2018-1068,CVE-2018-5332,CVE-2018-5333,CVE-2018-6927,CVE-2018-7566
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.125.1, kernel-source-3.12.61-52.125.1, kernel-syms-3.12.61-52.125.1, kernel-xen-3.12.61-52.125.1, kgraft-patch-SLE12_Update_33-1-1.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.125.1
Comment 20 Swamp Workflow Management 2018-03-29 16:16:20 UTC
SUSE-SU-2018:0848-1: An update that solves 19 vulnerabilities and has 16 fixes is now available.

Category: security (important)
Bug References: 1010470,1012382,1045330,1055755,1062568,1063416,1066001,1067118,1068032,1072689,1072865,1074488,1075617,1075621,1077182,1077560,1077779,1078669,1078672,1078673,1078674,1080255,1080287,1080464,1080757,1081512,1082299,1083244,1083483,1083494,1083640,1084323,1085107,1085114,1085447
CVE References: CVE-2016-7915,CVE-2017-12190,CVE-2017-13166,CVE-2017-15299,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18017,CVE-2017-18204,CVE-2017-18208,CVE-2017-18221,CVE-2018-1066,CVE-2018-1068,CVE-2018-5332,CVE-2018-5333,CVE-2018-6927,CVE-2018-7566
Sources used:
SUSE OpenStack Cloud 6 (src):    kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.85.1
Comment 21 Swamp Workflow Management 2018-04-19 13:40:45 UTC
SUSE-SU-2018:0986-1: An update that solves 19 vulnerabilities and has 166 fixes is now available.

Category: security (important)
Bug References: 1006867,1012382,1015342,1015343,1019784,1020645,1022595,1022607,1022912,1024296,1024376,1027054,1031492,1031717,1033587,1034503,1037838,1038078,1038085,1040182,1042286,1043441,1043652,1043725,1043726,1048325,1048585,1053472,1060279,1062129,1065600,1065615,1066163,1066223,1067118,1068032,1068038,1068569,1068984,1069135,1069138,1069160,1070052,1070404,1070799,1071306,1071892,1072163,1072363,1072484,1072689,1072739,1072865,1073229,1073401,1073407,1073928,1074134,1074198,1074426,1074488,1074621,1074839,1074847,1075066,1075078,1075087,1075091,1075397,1075428,1075617,1075621,1075627,1075811,1075994,1076017,1076110,1076187,1076232,1076282,1076693,1076760,1076805,1076847,1076872,1076899,1076982,1077068,1077241,1077285,1077513,1077560,1077592,1077704,1077779,1077871,1078002,1078583,1078672,1078673,1078681,1078787,1079029,1079038,1079195,1079313,1079384,1079609,1079886,1079989,1080014,1080263,1080321,1080344,1080364,1080384,1080464,1080533,1080656,1080774,1080813,1080851,1081134,1081431,1081436,1081437,1081491,1081498,1081500,1081512,1081514,1081681,1081735,1082089,1082223,1082299,1082373,1082478,1082632,1082795,1082864,1082897,1082979,1082993,1083048,1083056,1083086,1083223,1083387,1083409,1083494,1083548,1083750,1083770,1084041,1084397,1084427,1084610,1084772,1084888,1084926,1084928,1084967,1085011,1085015,1085045,1085047,1085050,1085053,1085054,1085056,1085107,1085224,1085239,863764,963844,966170,966172,966328,969476,969477,973818,975772,983145,985025
CVE References: CVE-2017-13166,CVE-2017-15129,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17712,CVE-2017-17862,CVE-2017-17864,CVE-2017-17975,CVE-2017-18017,CVE-2017-18174,CVE-2017-18208,CVE-2017-5715,CVE-2018-1000004,CVE-2018-1000026,CVE-2018-5332,CVE-2018-5333,CVE-2018-8087
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.120-3.8.1, kernel-rt_debug-4.4.120-3.8.1, kernel-source-rt-4.4.120-3.8.1, kernel-syms-rt-4.4.120-3.8.1
Comment 22 Michal Kubeček 2018-05-17 07:12:25 UTC
Finally got back to this and pushed into cve/linux-3.0 (where it's not really
a security issue). So now the fix is present in or submitted to (*) all relevant
branches:

  stable                  4.16
  SLE15                   caa60e72bede
  SLE12-SP3               8797aa50c6d0
  SLE12-SP2-LTSS          0db54544cc76
  cve/linux-3.12          44f5b40f2efe
  cve/linux-3.0           7ae870c35754 *

Reassigning back to security team.
Comment 30 Swamp Workflow Management 2018-08-15 16:21:10 UTC
SUSE-SU-2018:2332-1: An update that solves 13 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1082962,1083900,1085107,1087081,1089343,1092904,1094353,1096480,1096728,1097234,1098016,1099924,1099942,1100418,1104475,1104684,909361
CVE References: CVE-2016-8405,CVE-2017-13305,CVE-2018-1000204,CVE-2018-1068,CVE-2018-1130,CVE-2018-12233,CVE-2018-13053,CVE-2018-13406,CVE-2018-3620,CVE-2018-3646,CVE-2018-5803,CVE-2018-5814,CVE-2018-7492
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-108.68.1
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-108.68.1, kernel-default-3.0.101-108.68.1, kernel-ec2-3.0.101-108.68.1, kernel-pae-3.0.101-108.68.1, kernel-ppc64-3.0.101-108.68.1, kernel-source-3.0.101-108.68.1, kernel-syms-3.0.101-108.68.1, kernel-trace-3.0.101-108.68.1, kernel-xen-3.0.101-108.68.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.68.1, kernel-pae-3.0.101-108.68.1, kernel-ppc64-3.0.101-108.68.1, kernel-trace-3.0.101-108.68.1, kernel-xen-3.0.101-108.68.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-108.68.1, kernel-default-3.0.101-108.68.1, kernel-ec2-3.0.101-108.68.1, kernel-pae-3.0.101-108.68.1, kernel-ppc64-3.0.101-108.68.1, kernel-trace-3.0.101-108.68.1, kernel-xen-3.0.101-108.68.1
Comment 31 Swamp Workflow Management 2018-08-16 10:38:25 UTC
SUSE-SU-2018:2366-1: An update that solves 13 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1082962,1083900,1085107,1087081,1089343,1092904,1094353,1096480,1096728,1097234,1098016,1099924,1099942,1100418,1104475,1104684,909361
CVE References: CVE-2016-8405,CVE-2017-13305,CVE-2018-1000204,CVE-2018-1068,CVE-2018-1130,CVE-2018-12233,CVE-2018-13053,CVE-2018-13406,CVE-2018-3620,CVE-2018-3646,CVE-2018-5803,CVE-2018-5814,CVE-2018-7492
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.106.43.1, kernel-default-3.0.101-0.47.106.43.1, kernel-ec2-3.0.101-0.47.106.43.1, kernel-pae-3.0.101-0.47.106.43.1, kernel-source-3.0.101-0.47.106.43.1, kernel-syms-3.0.101-0.47.106.43.1, kernel-trace-3.0.101-0.47.106.43.1, kernel-xen-3.0.101-0.47.106.43.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.106.43.1, kernel-default-3.0.101-0.47.106.43.1, kernel-pae-3.0.101-0.47.106.43.1, kernel-ppc64-3.0.101-0.47.106.43.1, kernel-trace-3.0.101-0.47.106.43.1, kernel-xen-3.0.101-0.47.106.43.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.106.43.1, kernel-ec2-3.0.101-0.47.106.43.1, kernel-pae-3.0.101-0.47.106.43.1, kernel-source-3.0.101-0.47.106.43.1, kernel-syms-3.0.101-0.47.106.43.1, kernel-trace-3.0.101-0.47.106.43.1, kernel-xen-3.0.101-0.47.106.43.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.106.43.1, kernel-default-3.0.101-0.47.106.43.1, kernel-ec2-3.0.101-0.47.106.43.1, kernel-pae-3.0.101-0.47.106.43.1, kernel-trace-3.0.101-0.47.106.43.1, kernel-xen-3.0.101-0.47.106.43.1
Comment 32 Marcus Meissner 2018-08-21 08:31:20 UTC
all released
Comment 34 Swamp Workflow Management 2018-09-06 16:09:17 UTC
SUSE-SU-2018:2637-1: An update that solves 13 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1015828,1037441,1047487,1082962,1083900,1085107,1087081,1089343,1092904,1093183,1094353,1096480,1096728,1097125,1097234,1097562,1098016,1098658,1099709,1099924,1099942,1100091,1100132,1100418,1102087,1103884,1103909,1104365,1104475,1104684,909361
CVE References: CVE-2016-8405,CVE-2017-13305,CVE-2018-1000204,CVE-2018-1068,CVE-2018-1130,CVE-2018-12233,CVE-2018-13053,CVE-2018-13406,CVE-2018-3620,CVE-2018-3646,CVE-2018-5803,CVE-2018-5814,CVE-2018-7492
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.33.1, kernel-rt_trace-3.0.101.rt130-69.33.1, kernel-source-rt-3.0.101.rt130-69.33.1, kernel-syms-rt-3.0.101.rt130-69.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.33.1, kernel-rt_debug-3.0.101.rt130-69.33.1, kernel-rt_trace-3.0.101.rt130-69.33.1