EGI CSIRT:Alerts/Linux-2014-12-17
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** Title: EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities [EGI-ADV-20141217] Date: 2014-12-17 Updated: 2014-12-22 URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17 Update Summary ============== + 2014-12-18: Added information about Scientific Linux patches + 2014-12-20: Added more details about the vulnerability and fixes + 2014-12-22: Corrected information about affected versions Introduction ============ Redhat has announced a series of vulnerabilities in the linux kernel which have been fixed. The most severe flaw is marked CVE-2014-9322 and is believed to provide the possibility to escalate unprivileged users' rights on the system. Fixes have been published for RHEL 5 and 6 and their derivates as well as other Linux distributions. Details ======= arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. (quoted from NVD). Risk category ============= The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT and EGI SVG Risk Assessment Team. Affected software ================= The Linux kernel is affected. The issue was fixed in the 3.17.5 version of the mainstream distribution. The fixes were also backported to other versions by distribution vendors. In the 2.* Linux kernels of RedHat 5 and derivatives the vulnerability was fixed by version 2.6.18-400.1.1.el5. In the 2.* Linux kernels of RedHat 6 and derivatives the vulnerability was fixed by version 2.6.32-504.3.3.el6. Mitigation ========== N/A Component installation information ================================== For many distributions, patched kernel packages are available. Refer to your distro's information channels. *NOTE* SITES USING IPoIB (IP over InfiniBand): The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that has not been solved (and there is no indication in the errata of that), just upgrading to the latest 6.6 kernel will not be possible for sites using IPoIB. NSC is currently building a 6.5 kernel with the critical security patch applied. That should enable us to continue running IPoIB. Other sites can contact support@nsc.liu.se if they are interested in our custom kernel. Recommendations =============== Sites should update as soon as possible. All running resources MUST be either patched or otherwise have a work-around in place by 2014-12-24 T21:00+01:00. Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. In effect, all must update before going on leave for Christmas. Credit ====== EGI SVG and CSIRT alerted by Leif Nixon. IPoIB issues announced by Kent Engström. References ========== + Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9322 + Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2014-1997.html + Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2014-2008.html + Scientific Linux 5: https://www.scientificlinux.org/sl-errata/slsa-20142008-1/ + Scientific Linux 6: https://www.scientificlinux.org/sl-errata/slsa-20141997-1/ + CentOS: http://lists.centos.org/pipermail/centos-announce/2014-December/020838.html + Debian: https://security-tracker.debian.org/tracker/CVE-2014-9322 + Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2014-9322 + NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9322 Timeline ======== Yyyy-mm-dd 2014-12-16 Vulnerabilities publicly announced 2014-12-17 SVG alerted to vulnerabilities by Leif Nixon 2014-12-17 CSIRT and SVG assess risk as 'Critical' 2014-12-17 Heads up/Alert sent to sites.