Bug 913059 (CVE-2014-8160)

Summary: VUL-0: CVE-2014-8160: kernel-source: SCTP firewalling fails until SCTP module is loaded
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P2 - High
CC: andreas.taschner, brent.griggs, darcy.partridge, jbohac, meissner, mhocko, mkubecek, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/112347/
Whiteboard: maint:released:sle11-sp3:60951 maint:released:sle11-sp3:60952 maint:released:sle11-sp3:60953 maint:released:sle11-sp3:60954 maint:released:sle11-sp3:60956 maint:released:sle11-sp3:60955 maint:released:sle11-sp3:60958 maint:released:sle11-sp3:60959 maint:released:sle11-sp3:60957 maint:released:sle11-sp1:61314 maint:released:sle11-sp1:60689 maint:released:sle11-sp1:60690 maint:released:sle11-sp1:60691 maint:released:sle11-sp3:61403
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 932350    
Bug Blocks:    
Attachments: sles10-sp3-td backport

Description Victor Pereira 2015-01-14 10:02:38 UTC
CVE-2014-8160

There is an issue in net/netfilter/nf_conntrack_proto_generic.c that can allow protocols that do not have a protocol handler kernel module loaded through the iptables firewall even if explicitly denied by rule.

References:
http://www.spinics.net/lists/netfilter-devel/msg33430.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8160
http://seclists.org/oss-sec/2015/q1/130
Comment 1 Marcus Meissner 2015-01-17 08:35:54 UTC
likely something for Jiri Bohac... can you check and apply?
Comment 2 Jiri Bohac 2015-02-01 23:17:25 UTC
Pushed to SLE12, SLE11-SP3, openSUSE-13.2 and openSUSE 13.1.

I can imagine customers with a broken firewall that only works for them because of this bug.

Would it be appropriate to put a warning in the patchinfo description?
Comment 3 Michal Hocko 2015-02-02 08:52:10 UTC
pushed to SLE11-SP1-TD. The patch is applicable to SLES10 code base after minor tweak. I will attach the backport in the next comment to make sure I haven't screwed anything. Could you double check, Jiri?
Comment 4 Michal Hocko 2015-02-02 08:52:33 UTC
Created attachment 621548
sles10-sp3-td backport
Comment 5 Marcus Meissner 2015-02-02 16:03:21 UTC
I am pretty much willing to risk it.

we can document that.
Comment 6 Swamp Workflow Management 2015-02-26 10:03:47 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60808
Comment 7 Swamp Workflow Management 2015-03-18 21:12:26 UTC
SUSE-SU-2015:0529-1: An update that solves 8 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 799216,800255,860346,875220,877456,884407,895805,896484,897736,898687,900270,902286,902346,902349,903640,904177,904883,904899,904901,905100,905304,905329,905482,905783,906196,907069,908069,908322,908825,908904,909829,910322,911326,912202,912654,912705,913059,914112,914126,914254,914291,914294,914300,914457,914464,914726,915188,915322,915335,915425,915454,915456,915550,915660,916107,916513,916646,917089,917128,918161,918255
CVE References: CVE-2014-3673,CVE-2014-3687,CVE-2014-7822,CVE-2014-7841,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9584
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.38-44.5, kernel-obs-build-3.12.38-44.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_3-1-2.2
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
Comment 8 Swamp Workflow Management 2015-03-24 06:20:37 UTC
SUSE-SU-2015:0581-1: An update that solves 21 vulnerabilities and has 67 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-ec2-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.7, gfs2-2-0.17.1.7, ocfs2-1.6-0.21.1.7
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1
Comment 9 Swamp Workflow Management 2015-03-25 14:42:54 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-04-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61308
Comment 10 Swamp Workflow Management 2015-04-02 00:11:58 UTC
SUSE-SU-2015:0652-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 771619,833820,846404,857643,875051,885077,891211,892235,896390,896391,896779,899338,902346,902349,902351,904700,905100,905312,907822,908870,911325,912654,912705,912916,913059,915335,915826
CVE References: CVE-2010-5313,CVE-2012-6657,CVE-2013-4299,CVE-2013-7263,CVE-2014-0181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-7841,CVE-2014-7842,CVE-2014-8160,CVE-2014-8709,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    kernel-default-2.6.32.59-0.19.1, kernel-ec2-2.6.32.59-0.19.1, kernel-pae-2.6.32.59-0.19.1, kernel-source-2.6.32.59-0.19.1, kernel-syms-2.6.32.59-0.19.1, kernel-trace-2.6.32.59-0.19.1, kernel-xen-2.6.32.59-0.19.1, xen-4.0.3_21548_18-0.9.17
SLE 11 SERVER Unsupported Extras (src):    kernel-default-2.6.32.59-0.19.1, kernel-pae-2.6.32.59-0.19.1, kernel-xen-2.6.32.59-0.19.1
Comment 11 Marcus Meissner 2015-04-08 12:49:20 UTC
released
Comment 12 Swamp Workflow Management 2015-04-13 12:13:33 UTC
openSUSE-SU-2015:0713-1: An update that solves 13 vulnerabilities and has 52 fixes is now available.

Category: security (important)
Bug References: 867199,893428,895797,900811,901925,903589,903640,904899,905681,907039,907818,907988,908582,908588,908589,908592,908593,908594,908596,908598,908603,908604,908605,908606,908608,908610,908612,909077,909078,909477,909634,910150,910322,910440,911311,911325,911326,911356,911438,911578,911835,912061,912202,912429,912705,913059,913466,913695,914175,915425,915454,915456,915577,915858,916608,917830,917839,918954,918970,919463,920581,920604,921313,922542,922944
CVE References: CVE-2014-8134,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9428,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-0777,CVE-2015-1421,CVE-2015-1593,CVE-2015-2150
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.6.6, cloop-2.639-14.6.6, crash-7.0.8-6.6, hdjmod-1.28-18.7.6, ipset-6.23-6.6, kernel-docs-3.16.7-13.2, kernel-obs-build-3.16.7-13.7, kernel-obs-qa-3.16.7-13.1, kernel-obs-qa-xen-3.16.7-13.1, kernel-source-3.16.7-13.1, kernel-syms-3.16.7-13.1, pcfclock-0.44-260.6.2, vhba-kmp-20140629-2.6.2, virtualbox-4.3.20-10.2, xen-4.4.1_08-12.2, xtables-addons-2.6-6.2
Comment 13 Swamp Workflow Management 2015-04-13 12:19:28 UTC
openSUSE-SU-2015:0714-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 903640,904899,907988,909078,910150,911325,911326,912202,912654,912705,913059,913695,914175,915322,917839,920901
CVE References: CVE-2014-7822,CVE-2014-8134,CVE-2014-8160,CVE-2014-8173,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.19.1, crash-7.0.2-2.19.1, hdjmod-1.28-16.19.1, ipset-6.21.1-2.23.1, iscsitarget-1.4.20.3-13.19.1, kernel-docs-3.11.10-29.2, kernel-source-3.11.10-29.1, kernel-syms-3.11.10-29.1, ndiswrapper-1.58-19.1, pcfclock-0.44-258.19.1, vhba-kmp-20130607-2.20.1, virtualbox-4.2.28-2.28.1, xen-4.3.3_04-37.1, xtables-addons-2.3-2.19.1
Comment 14 Swamp Workflow Management 2015-04-20 19:21:11 UTC
SUSE-SU-2015:0736-1: An update that solves 21 vulnerabilities and has 69 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910251,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250,924282
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.14, drbd-kmp-8.4.4-0.23.1.14, iscsitarget-1.4.20-0.39.1.14, kernel-rt-3.0.101.rt130-0.33.36.1, kernel-rt_trace-3.0.101.rt130-0.33.36.1, kernel-source-rt-3.0.101.rt130-0.33.36.1, kernel-syms-rt-3.0.101.rt130-0.33.36.1, lttng-modules-2.1.1-0.12.1.13, ocfs2-1.6-0.21.1.14, ofed-1.5.4.1-0.14.1.14
Comment 15 Andreas Taschner 2015-05-26 13:13:19 UTC
(In reply to Jiri Bohac from comment #2)
> Pushed to SLE12, SLE11-SP3, openSUSE-13.2 and openSUSE 13.1.
> 
> I can imagine customers with a broken firewall that only works for them
> because of this bug.
> 
> Would it be appropriate to put a warning in the patchinfo description?

A preliminary heads up while waiting for the data to formally tick in:
Ericsson products then have a broken firewall (11 SP3 so far).

Just came out of a status meeting with them. They had to retract a whole maintenance channel because the SCTP conntrack module does not support multihoming.

They will probably have to ask for a PTF with this patch reverted as it causes _severe_ problems at their end and is highly escalated there.

(In reply to Marcus Meissner from comment #5)
> i am pretty much willing to risk it.
> 
> we can document that.

Documentation does not seem like an option as long as SCTP conntrack is not production ready/mature.
Comment 16 Michal Hocko 2015-05-27 08:30:42 UTC
It seems this has caused a regression. Let's reopen this bug and wait for the follow up bug to see whether we revert the CVE fix or what are the alternatives.
Comment 18 Jiri Bohac 2015-08-13 18:23:46 UTC
Suggested text for the TID:

Generic connection tracking disabled for certain protocols; protocol-specific modules need to be loaded.

The Linux connection tracker contains a generic connection tracking module able to handle packets that are not handled by a protocol-specific connection tracking module. Not understanding the higher-level protocol information (such as port numbers) in the packets, it only uses the IP-level information (the source and destination addresses). If the corresponding protocol-specific connection tracker module is not loaded, the generic connection tracker handles the packet.

This may lead to very unexpected results, including a firewall accepting packets that were intended to be dropped. The problem has been classified as a security vulnerability and assigned CVE-2014-8160.
This has been solved by making the generic connection tracker ignore protocols for which we have protocol-specific connection tracking modules. This is the upstream commit, containing more technical details: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=db29a9508a9246e77087c5531e45b2c88ec6988b

The protocols affected are:
	SCTP 	 - handled by nf_conntrack_proto_sctp.ko
	DCCP	 - handled by nf_conntrack_proto_dccp.ko
	UDPLITE	 - handled by nf_conntrack_proto_udplite.ko
	GRE 	 - handled by nf_conntrack_proto_gre.ko
	PPTP GRE - handled by nf_conntrack_pptp.ko

If your netfilter configuration depends on connection tracking of one or more of these protocols you need to load the corresponding protocol-specific module. The protocol-specific module will be more strict in classifying packets as belonging to the same connection than the generic connection tracker that only used the IP header for the classification.

----
Not sure if we have an official guide for automatically loading kernel modules? That should probably be linked from here...
For SLE12, this probably applies: http://www.freedesktop.org/software/systemd/man/modules-load.d.html
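Added example, not part of this bug report or of any SUSE kernel package, illustrating the description at the top of the bug and the TID text in comment 18: a small POSIX shell check that tells an administrator which of the listed protocols would still fall through to the generic connection tracker on a host (because the protocol-specific module is not loaded), and that prints the modules-load.d fragment the linked systemd page describes for loading the trackers at boot. The function names, the layout of the CONNTRACK_MODULES mapping and the sample module list are constructed for the example; the protocol-to-module pairs are the ones listed in the comment above.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any SUSE package.
# Given the names of the loaded kernel modules (first column of /proc/modules),
# report which of the protocols listed in the TID text would still be handled
# by the generic connection tracker because their protocol-specific module is
# absent, and emit a modules-load.d(5) fragment that loads the ones you need.

# Protocol -> tracking module, copied from the TID text in comment 18.
CONNTRACK_MODULES="sctp:nf_conntrack_proto_sctp
dccp:nf_conntrack_proto_dccp
udplite:nf_conntrack_proto_udplite
gre:nf_conntrack_proto_gre
pptp:nf_conntrack_pptp"

# missing_conntrack_modules LOADED
#   LOADED: whitespace-separated module names, e.g. "$(awk '{print $1}' /proc/modules)".
#   Prints "<proto> <module>" for every protocol whose tracker is not loaded.
#   Returns 0 when every tracker is present, 1 otherwise.
missing_conntrack_modules() {
    # Pad with spaces so each module name is matched as a whole word.
    loaded=" $(printf '%s' "$1" | tr '\n\t' '  ') "
    rc=0
    for entry in $CONNTRACK_MODULES; do
        proto=${entry%%:*}
        mod=${entry#*:}
        case "$loaded" in
            *" $mod "*) ;;                          # tracker present, nothing to report
            *) printf '%s %s\n' "$proto" "$mod"; rc=1 ;;
        esac
    done
    return $rc
}

# modules_load_conf PROTO...
#   Prints the body of a modules-load.d(5) file (one module name per line)
#   that makes systemd load the trackers for the named protocols at boot.
#   Protocol names not in the mapping are ignored.
modules_load_conf() {
    for proto in "$@"; do
        for entry in $CONNTRACK_MODULES; do
            [ "${entry%%:*}" = "$proto" ] && printf '%s\n' "${entry#*:}"
        done
    done
    return 0
}

# Constructed sample (not taken from a real host): SCTP tracking is loaded,
# the other four protocol-specific trackers are not.
SAMPLE_LOADED="nf_conntrack
nf_conntrack_ipv4
nf_conntrack_proto_sctp
iptable_filter
x_tables"

# Stand-alone run on the sample. On a real host replace SAMPLE_LOADED with
# "$(awk '{print $1}' /proc/modules)" and redirect modules_load_conf into a
# file under /etc/modules-load.d/ (the directory the linked man page covers).
missing_conntrack_modules "$SAMPLE_LOADED" || echo "-> some trackers missing"
modules_load_conf sctp gre
```

The check deliberately reports on all five protocols rather than only SCTP: after the fix, any of them that a ruleset relies on for stateful matching needs its own module loaded, and the whole-word match on the module list avoids mistaking nf_conntrack for one of the protocol-specific trackers.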
Comment 21 Michal Kubeček 2017-03-20 13:53:30 UTC
For the record, the SCTP multihoming problem was handled in bsc#932350.