Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "EGI CSIRT:Alerts/Linux-2014-12-17"

From EGIWiki
Jump to navigation Jump to search
 
Line 1: Line 1:
  ** WHITE information - Unlimited distribution allowed                      **
  ** WHITE information - Unlimited distribution allowed                      **
  ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **  
  ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
 
  Title:      EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities  [EGI-ADV-20141217]
  Title:      EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities  [EGI-ADV-20141217]  
 
  Date:        2014-12-17
  Date:        2014-12-17
  Updated:    2014-12-20
  Updated:    2014-12-22
 
  URL:        https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17
  URL:        https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17
   
   
   
   
Line 15: Line 15:
  + 2014-12-18: Added information about Scientific Linux patches
  + 2014-12-18: Added information about Scientific Linux patches
  + 2014-12-20: Added more details about the vulnerability and fixes
  + 2014-12-20: Added more details about the vulnerability and fixes
   
  + 2014-12-22: Corrected information about affected versions
 
 
  Introduction
  Introduction
  ============
  ============
Line 28: Line 29:
  as other Linux distributions.
  as other Linux distributions.
   
   
 
  Details
  Details
  =======
  =======
Line 38: Line 39:
  wrong space. (quoted from NVD).
  wrong space. (quoted from NVD).
   
   
 
  Risk category
  Risk category
  =============
  =============
Line 43: Line 45:
  The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT
  The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT
  and EGI SVG Risk Assessment Team.
  and EGI SVG Risk Assessment Team.
 
 
  Affected software
  Affected software
  =================
  =================
   
   
  All Linux kernels in the 3.X series before 3.17.5 unless patched against
  The Linux kernel is affected. The issue was fixed in the 3.17.5 version
  this issue.
of the mainstream distribution. The fixes were also backported to other
versions by distribution vendors.
In the 2.* Linux kernels of RedHat 5 and derivatives the vulnerability
  was fixed by version 2.6.18-400.1.1.el5.
In the 2.* Linux kernels of RedHat 6 and derivatives the vulnerability
was fixed by version 2.6.32-504.3.3.el6.
   
   
   
   
Line 56: Line 64:
   
   
  N/A
  N/A
 
 
  Component installation information
  Component installation information
  ==================================
  ==================================
Line 62: Line 71:
  For many distributions, patched kernel packages are available.  Refer to
  For many distributions, patched kernel packages are available.  Refer to
  your distro's information channels.
  your distro's information channels.
 
  *NOTE* SITES USING IPoIB (IP over InfiniBand):
  *NOTE* SITES USING IPoIB (IP over InfiniBand):
  The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that
  The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that  
  has not been solved (and there is no indication in the errata of that), just
  has not been solved (and there is no indication in the errata of that), just  
  upgrading to the latest 6.6 kernel will not be possible for sites
  upgrading to the latest 6.6 kernel will not be possible for sites
  using IPoIB.
  using IPoIB.
Line 78: Line 87:
  ===============
  ===============
   
   
  Sites should update as soon as possible.
  Sites should update as soon as possible.  
   
   
  All running resources MUST be either patched or otherwise have a
  All running resources MUST be either patched or otherwise have a
  work-around in place by 2014-12-24  T21:00+01:00. Sites failing to act and/or
  work-around in place by 2014-12-24  T21:00+01:00. Sites failing to act and/or  
  failing to respond to requests from the EGI CSIRT team risk site suspension.
  failing to respond to requests from the EGI CSIRT team risk site suspension.  
   
   
  In effect, all must update before going on leave for Christmas.
  In effect, all must update before going on leave for Christmas.
Line 90: Line 99:
  ======
  ======
   
   
  EGI SVG and CSIRT alerted by Leif Nixon.
  EGI SVG and CSIRT alerted by Leif Nixon.  
  IPoIB issues announced by Kent Engström.
  IPoIB issues announced by Kent Engström.
   
   
Line 108: Line 117:
   
   
   
   
  Timeline
  Timeline
  ========
  ========
  Yyyy-mm-dd
  Yyyy-mm-dd
   
   
  2014-12-16 Vulnerabilities publicly announced
  2014-12-16 Vulnerabilities publicly announced
  2014-12-17 SVG alerted to vulnerabilities by Leif Nixon
  2014-12-17 SVG alerted to vulnerabilities by Leif Nixon  
  2014-12-17 CSIRT and SVG assess risk as 'Critical'
  2014-12-17 CSIRT and SVG assess risk as 'Critical'  
  2014-12-17 Heads up/Alert sent to sites.
  2014-12-17 Heads up/Alert sent to sites.

Latest revision as of 15:07, 22 December 2014

** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
 
Title:       EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities  [EGI-ADV-20141217] 
 
Date:        2014-12-17
Updated:     2014-12-22
 
URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17  


Update Summary
==============

+ 2014-12-18: Added information about Scientific Linux patches
+ 2014-12-20: Added more details about the vulnerability and fixes
+ 2014-12-22: Corrected information about affected versions
 
 
Introduction
============

Redhat has announced a series of vulnerabilities in the linux kernel
which have been fixed. The most severe flaw is marked CVE-2014-9322 and
is believed to provide the possibility to escalate unprivileged users'
rights on the system.

Fixes have been published for RHEL 5 and 6 and their derivates as well
as other Linux distributions.

 
Details
=======

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
properly handle faults associated with the Stack Segment (SS) segment
register, which allows local users to gain privileges by triggering an
IRET instruction that leads to access to a GS Base address from the
wrong space. (quoted from NVD).

 
Risk category
=============

The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT
and EGI SVG Risk Assessment Team.
 
 
Affected software
=================

The Linux kernel is affected. The issue was fixed in the 3.17.5 version
of the mainstream distribution. The fixes were also backported to other
versions by distribution vendors.

In the 2.* Linux kernels of RedHat 5 and derivatives the vulnerability
was fixed by version 2.6.18-400.1.1.el5.
In the 2.* Linux kernels of RedHat 6 and derivatives the vulnerability
was fixed by version 2.6.32-504.3.3.el6.


Mitigation
==========

N/A
 
 
Component installation information
==================================

For many distributions, patched kernel packages are available.  Refer to
your distro's information channels.
 
*NOTE* SITES USING IPoIB (IP over InfiniBand):
The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that 
has not been solved (and there is no indication in the errata of that), just 
upgrading to the latest 6.6 kernel will not be possible for sites
using IPoIB.
NSC is currently building a 6.5 kernel with the critical security patch
applied. That should enable us to continue running IPoIB.

Other sites can contact support@nsc.liu.se if they are
interested in our custom kernel.


Recommendations
===============

Sites should update as soon as possible. 

All running resources MUST be either patched or otherwise have a
work-around in place by 2014-12-24  T21:00+01:00. Sites failing to act and/or 
failing to respond to requests from the EGI CSIRT team risk site suspension. 

In effect, all must update before going on leave for Christmas.


Credit
======

EGI SVG and CSIRT alerted by Leif Nixon. 
IPoIB issues announced by Kent Engström.


References
==========

+ Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9322
+ Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2014-1997.html
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2014-2008.html
+ Scientific Linux 5: https://www.scientificlinux.org/sl-errata/slsa-20142008-1/
+ Scientific Linux 6: https://www.scientificlinux.org/sl-errata/slsa-20141997-1/
+ CentOS: http://lists.centos.org/pipermail/centos-announce/2014-December/020838.html
+ Debian: https://security-tracker.debian.org/tracker/CVE-2014-9322
+ Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2014-9322
+ NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9322


Timeline  
========
Yyyy-mm-dd

2014-12-16 Vulnerabilities publicly announced
2014-12-17 SVG alerted to vulnerabilities by Leif Nixon 
2014-12-17 CSIRT and SVG assess risk as 'Critical' 
2014-12-17 Heads up/Alert sent to sites.
Retrieved from "https://wiki.egi.eu/w/index.php?title=EGI_CSIRT:Alerts/Linux-2014-12-17&oldid=72909"