Difference between revisions of "EGI CSIRT:Alerts/Linux-2014-12-17"
Jump to navigation
Jump to search
Line 1: | Line 1: | ||
** WHITE information - Unlimited distribution allowed ** | ** WHITE information - Unlimited distribution allowed ** | ||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | |||
Title: EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities [EGI-ADV-20141217] | |||
Title: | |||
Date: 2014-12-17 | Date: 2014-12-17 | ||
Updated: 2014-12- | Updated: 2014-12-20 | ||
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17 | |||
Update Summary | |||
============== | |||
+ 2014-12-18: Added information about Scientific Linux patches | |||
+ 2014-12-20: Added more details about the vulnerability and fixes | |||
Line 27: | Line 20: | ||
============ | ============ | ||
Redhat has announced a series of vulnerabilities in the linux kernel | Redhat has announced a series of vulnerabilities in the linux kernel | ||
have been fixed. | which have been fixed. The most severe flaw is marked CVE-2014-9322 and | ||
is believed to provide the possibility to escalate unprivileged users' | |||
rights on the system. | |||
Fixes have been published for RHEL 5 and 6 and their derivates as well | |||
as other Linux distributions. | |||
Line 44: | Line 32: | ||
======= | ======= | ||
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not | |||
properly handle faults associated with the Stack Segment (SS) segment | |||
register, which allows local users to gain privileges by triggering an | |||
IRET instruction that leads to access to a GS Base address from the | |||
wrong space. (quoted from NVD). | |||
Risk category | Risk category | ||
============= | ============= | ||
The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT | |||
and EGI SVG | and EGI SVG Risk Assessment Team. | ||
Line 60: | Line 48: | ||
================= | ================= | ||
Linux | All Linux kernels in the 3.X series before 3.17.5 unless patched against | ||
this issue. | |||
Line 69: | Line 56: | ||
N/A | N/A | ||
Component installation information | Component installation information | ||
================================== | ================================== | ||
For many distributions, patched kernel packages are available. Refer to | |||
your distro's information channels. | |||
*NOTE* SITES USING IPoIB (IP over InfiniBand): | *NOTE* SITES USING IPoIB (IP over InfiniBand): | ||
The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that | The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that | ||
has not been solved (and there is no indication in the errata of that), just | has not been solved (and there is no indication in the errata of that), just | ||
upgrading to the latest 6.6 kernel will not be possible for sites | upgrading to the latest 6.6 kernel will not be possible for sites | ||
using IPoIB. | using IPoIB. | ||
Line 86: | Line 73: | ||
Other sites can contact support@nsc.liu.se if they are | Other sites can contact support@nsc.liu.se if they are | ||
interested in our custom kernel. | interested in our custom kernel. | ||
Line 94: | Line 78: | ||
=============== | =============== | ||
Sites should update as soon as possible | Sites should update as soon as possible. | ||
All running resources MUST be either patched or otherwise have a | All running resources MUST be either patched or otherwise have a | ||
work-around in place by 2014-12-24 T21:00+01:00. Sites failing to act and/or | work-around in place by 2014-12-24 T21:00+01:00. Sites failing to act and/or | ||
failing to respond to requests from the EGI CSIRT team risk site suspension. | failing to respond to requests from the EGI CSIRT team risk site suspension. | ||
In effect, all must update before going on leave for Christmas. | In effect, all must update before going on leave for Christmas. | ||
Credit | Credit | ||
====== | ====== | ||
EGI SVG and CSIRT alerted by Leif Nixon. | EGI SVG and CSIRT alerted by Leif Nixon. | ||
IPoIB issues Kent Engström | IPoIB issues announced by Kent Engström. | ||
Line 113: | Line 97: | ||
========== | ========== | ||
+ Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9322 | |||
+ Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2014-1997.html | |||
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2014-2008.html | |||
+ Scientific Linux 5: https://www.scientificlinux.org/sl-errata/slsa-20142008-1/ | |||
+ Scientific Linux 6: https://www.scientificlinux.org/sl-errata/slsa-20141997-1/ | |||
+ CentOS: http://lists.centos.org/pipermail/centos-announce/2014-December/020838.html | |||
+ Debian: https://security-tracker.debian.org/tracker/CVE-2014-9322 | |||
+ Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2014-9322 | |||
+ NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9322 | |||
http:// | |||
Timeline | Timeline | ||
======== | ======== | ||
Yyyy-mm-dd | Yyyy-mm-dd | ||
2014-12-16 Vulnerabilities publicly announced | 2014-12-16 Vulnerabilities publicly announced | ||
2014-12-17 SVG alerted to vulnerabilities by Leif Nixon | 2014-12-17 SVG alerted to vulnerabilities by Leif Nixon | ||
2014-12-17 CSIRT and SVG assess risk as 'Critical' | 2014-12-17 CSIRT and SVG assess risk as 'Critical' | ||
2014-12-17 Heads up/Alert sent to sites. | 2014-12-17 Heads up/Alert sent to sites. |
Revision as of 15:48, 20 December 2014
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** Title: EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities [EGI-ADV-20141217] Date: 2014-12-17 Updated: 2014-12-20 URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17 Update Summary ============== + 2014-12-18: Added information about Scientific Linux patches + 2014-12-20: Added more details about the vulnerability and fixes Introduction ============ Redhat has announced a series of vulnerabilities in the linux kernel which have been fixed. The most severe flaw is marked CVE-2014-9322 and is believed to provide the possibility to escalate unprivileged users' rights on the system. Fixes have been published for RHEL 5 and 6 and their derivates as well as other Linux distributions. Details ======= arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. (quoted from NVD). Risk category ============= The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT and EGI SVG Risk Assessment Team. Affected software ================= All Linux kernels in the 3.X series before 3.17.5 unless patched against this issue. Mitigation ========== N/A Component installation information ================================== For many distributions, patched kernel packages are available. Refer to your distro's information channels. *NOTE* SITES USING IPoIB (IP over InfiniBand): The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that has not been solved (and there is no indication in the errata of that), just upgrading to the latest 6.6 kernel will not be possible for sites using IPoIB. NSC is currently building a 6.5 kernel with the critical security patch applied. That should enable us to continue running IPoIB. Other sites can contact support@nsc.liu.se if they are interested in our custom kernel. Recommendations =============== Sites should update as soon as possible. All running resources MUST be either patched or otherwise have a work-around in place by 2014-12-24 T21:00+01:00. Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. In effect, all must update before going on leave for Christmas. Credit ====== EGI SVG and CSIRT alerted by Leif Nixon. IPoIB issues announced by Kent Engström. References ========== + Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9322 + Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2014-1997.html + Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2014-2008.html + Scientific Linux 5: https://www.scientificlinux.org/sl-errata/slsa-20142008-1/ + Scientific Linux 6: https://www.scientificlinux.org/sl-errata/slsa-20141997-1/ + CentOS: http://lists.centos.org/pipermail/centos-announce/2014-December/020838.html + Debian: https://security-tracker.debian.org/tracker/CVE-2014-9322 + Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2014-9322 + NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9322 Timeline ======== Yyyy-mm-dd 2014-12-16 Vulnerabilities publicly announced 2014-12-17 SVG alerted to vulnerabilities by Leif Nixon 2014-12-17 CSIRT and SVG assess risk as 'Critical' 2014-12-17 Heads up/Alert sent to sites.