Difference between revisions of "EGI CSIRT:Alerts/Linux-2014-12-17"

** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
 
Title:       EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities  [EGI-ADV-20141217] 
 
Date:        2014-12-17
Updated:     2014-12-22
 
URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17  


Update Summary
==============

+ 2014-12-18: Added information about Scientific Linux patches
+ 2014-12-20: Added more details about the vulnerability and fixes
+ 2014-12-22: Corrected information about affected versions
 
 
Introduction
============

Redhat has announced a series of vulnerabilities in the linux kernel
which have been fixed. The most severe flaw is marked CVE-2014-9322 and
is believed to provide the possibility to escalate unprivileged users'
rights on the system.

Fixes have been published for RHEL 5 and 6 and their derivates as well
as other Linux distributions.

 
Details
=======

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
properly handle faults associated with the Stack Segment (SS) segment
register, which allows local users to gain privileges by triggering an
IRET instruction that leads to access to a GS Base address from the
wrong space. (quoted from NVD).

 
Risk category
=============

The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT
and EGI SVG Risk Assessment Team.
 
 
Affected software
=================

The Linux kernel is affected. The issue was fixed in the 3.17.5 version
of the mainstream distribution. The fixes were also backported to other
versions by distribution vendors.

In the 2.* Linux kernels of RedHat 5 and derivatives the vulnerability
was fixed by version 2.6.18-400.1.1.el5.
In the 2.* Linux kernels of RedHat 6 and derivatives the vulnerability
was fixed by version 2.6.32-504.3.3.el6.


Mitigation
==========

N/A
 
 
Component installation information
==================================

For many distributions, patched kernel packages are available.  Refer to
your distro's information channels.
 
*NOTE* SITES USING IPoIB (IP over InfiniBand):
The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that 
has not been solved (and there is no indication in the errata of that), just 
upgrading to the latest 6.6 kernel will not be possible for sites
using IPoIB.
NSC is currently building a 6.5 kernel with the critical security patch
applied. That should enable us to continue running IPoIB.

Other sites can contact support@nsc.liu.se if they are
interested in our custom kernel.


Recommendations
===============

Sites should update as soon as possible. 

All running resources MUST be either patched or otherwise have a
work-around in place by 2014-12-24  T21:00+01:00. Sites failing to act and/or 
failing to respond to requests from the EGI CSIRT team risk site suspension. 

In effect, all must update before going on leave for Christmas.


Credit
======

EGI SVG and CSIRT alerted by Leif Nixon. 
IPoIB issues announced by Kent Engström.


References
==========

+ Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9322
+ Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2014-1997.html
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2014-2008.html
+ Scientific Linux 5: https://www.scientificlinux.org/sl-errata/slsa-20142008-1/
+ Scientific Linux 6: https://www.scientificlinux.org/sl-errata/slsa-20141997-1/
+ CentOS: http://lists.centos.org/pipermail/centos-announce/2014-December/020838.html
+ Debian: https://security-tracker.debian.org/tracker/CVE-2014-9322
+ Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2014-9322
+ NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9322


Timeline  
========
Yyyy-mm-dd

2014-12-16 Vulnerabilities publicly announced
2014-12-17 SVG alerted to vulnerabilities by Leif Nixon 
2014-12-17 CSIRT and SVG assess risk as 'Critical' 
2014-12-17 Heads up/Alert sent to sites.