Difference between revisions of "SVG:Advisory-SVG-CVE-2017-2636"
Previous revision: the page was created with the placeholder text "Advisory in preparation" (under the svg-header template). This revision replaces the placeholder with the advisory below.

<pre>
Title: EGI SVG Advisory [TLP:WHITE] 'HIGH' risk Linux kernel privilege escalation vulnerability
CVE-2017-2636 [EGI-SVG-CVE-2017-2636]

Date: 2017-03-09
Updated:

Affected software and risk
==========================

'HIGH' risk privilege escalation vulnerability affecting the Linux kernel n_hdlc module

Package : Linux kernel
CVE ID  : CVE-2017-2636

A local privilege escalation race condition has been found in the n_hdlc driver in the Linux kernel. [R 1], [R 2]

This vulnerability is present in all recent versions of the Linux kernel prior to the patched versions.

The most affected services are those that give shell access to unprivileged users:

- Worker Nodes
- shared User Interface hosts
- ...

Actions required/recommended
============================

Sites should apply vendor kernel updates as soon as possible, if updates are available.

If updates are not available, sites should consider taking mitigating action.

Affected software details
=========================

All recent versions of the Linux kernel prior to the patched versions are affected.

More information
================

More information can be found at [R 1], [R 2], [R 3].

If this vulnerability is found to be exploitable in the EGI infrastructure it will be
elevated to 'CRITICAL' and require sites to update urgently.
Hence we recommend that sites update as soon as possible.

Note that this is a new vulnerability; it is NOT an update of CVE-2017-6074, although
the effect and risk are similar, and hence SVG is making similar recommendations.

Mitigation
==========

Mitigation is suggested in [R 2] and [R 5].

Component installation information
==================================

Patches are not yet available for Red Hat Linux and its derivatives [R 4], [R 5].

Sites running Debian should see [R 6].

Sites running Ubuntu should see [R 7].

TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2017-2636

Minor updates may be made without re-distribution to the sites.

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 8].

References
==========

[R 1] http://seclists.org/oss-sec/2017/q1/569
[R 2] http://seclists.org/oss-sec/2017/q1/572
[R 3] NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2636
[R 4] Scientific Linux https://www.scientificlinux.org/
[R 5] Red Hat https://access.redhat.com/security/cve/CVE-2017-2636
[R 6] Debian https://security-tracker.debian.org/tracker/CVE-2017-2636
[R 7] Ubuntu http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2636.html
[R 8] https://documents.egi.eu/public/ShowDocument?docid=2538

Credit
======

SVG was alerted to this vulnerability by Vincent Brillault

Timeline
========

Yyyy-mm-dd [EGI-SVG-CVE-2017-2636]

2017-03-09 SVG alerted to this issue by Vincent Brillault
2017-03-09 Investigation of vulnerability and relevance to EGI carried out by
2017-03-09 EGI SVG Risk Assessment completed
2017-03-09 Advisory/Alert sent to sites
2017-??-?? Updated packages available for all relevant distributions
2017-??-?? Public disclosure

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 8],
in the context of how the software is used in the EGI infrastructure.
It is the opinion of the group; we do not guarantee it to be correct.
The risk may also be higher or lower in other deployments depending on how the software is used.

Others may re-use this information provided they:

1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
</pre>
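The advisory defers the mitigation to the vendor references. As an added example that is not part of the EGI advisory, the POSIX shell functions below let a site audit a host for the n_hdlc module and check whether the module-disable mitigation is in place; the `/etc/modprobe.d` path and the `install n_hdlc /bin/true` directive are taken from the Red Hat reference [R 5], not from this page, and the sample lsmod output is constructed.

```shell
#!/bin/sh
# Added example, not part of the EGI advisory: audit a host for the n_hdlc
# module named in CVE-2017-2636 and for the module-disable mitigation.
# Assumption (from the Red Hat reference, not the advisory text): the
# mitigation is an "install n_hdlc /bin/true" drop-in under /etc/modprobe.d,
# which blocks future loads but does not unload an already loaded module.

# Return 0 if the given lsmod(8) output lists n_hdlc as currently loaded.
n_hdlc_loaded() {
    printf '%s\n' "$1" | awk '$1 == "n_hdlc" { found = 1 } END { exit !found }'
}

# Return 0 if a .conf file in modprobe.d directory $1 blocks n_hdlc, via
# "install n_hdlc /bin/true" or "blacklist n_hdlc". Commented-out lines
# (leading '#') are deliberately not counted as a mitigation.
n_hdlc_disabled_in() {
    [ -d "$1" ] || return 1
    grep -Eqs '^[[:space:]]*(install[[:space:]]+n_hdlc[[:space:]]+/bin/true|blacklist[[:space:]]+n_hdlc)([[:space:]]|$)' "$1"/*.conf
}

# Write the mitigation drop-in into directory $1 (/etc/modprobe.d on a real host).
write_n_hdlc_mitigation() {
    printf 'install n_hdlc /bin/true\n' > "$1/disable-n_hdlc.conf"
}

# Summarise host state from lsmod output $1 and modprobe.d directory $2.
# A configured mitigation does not cover a module that is already loaded:
# that host still needs the module unloaded (or a reboot) before it is covered.
assess_n_hdlc() {
    if n_hdlc_disabled_in "$2"; then
        if n_hdlc_loaded "$1"; then
            echo "mitigation configured, but n_hdlc is still loaded: unload it or reboot"
        else
            echo "mitigated: n_hdlc is not loaded and is blocked from loading"
        fi
    elif n_hdlc_loaded "$1"; then
        echo "exposed: n_hdlc is loaded and no mitigation is configured"
    else
        echo "exposed: n_hdlc is not loaded but may still autoload; patch or mitigate"
    fi
}

# Stand-alone run against the live host; the vendor kernel update remains the real fix.
if [ "${1:-}" = "--live" ]; then
    assess_n_hdlc "$(lsmod)" /etc/modprobe.d
fi
```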
Revision as of 17:40, 9 March 2017