EGI CSIRT:Alerts/kernel-2010-09-16

EGI CSIRT ADVISORY [EGI-ADV-20100916]

Title: CRITICAL Kernel Vulnerability: 64-bit Compatibility Mode Stack Pointer Corruption
Date: September 16, 2010
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2010-09-16

Background
==========

A vulnerability in the 32-bit compatibility layer for 64-bit systems has
been reported. It is caused by insecure allocation of user space memory
when translating system call inputs to 64-bit. A stack pointer corruption
can occur when the "compat_alloc_user_space" function is called with an
arbitrary length input. This vulnerability has been labeled
CVE-2010-3081.
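
A simplified user-space model of the failure mode described above, added
here as an illustration; it is not kernel source and not code from this
advisory. The 4 GiB limit, the stack pointer value and the names
alloc_unchecked, alloc_checked and in_user_range are constructed for the
example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed for this model: a 32-bit (compat) task's address space ends at 4 GiB. */
#define MODEL_USER_LIMIT 0x100000000ULL

/* Range check in the spirit of the kernel's access_ok():
 * does [ptr, ptr+len) lie wholly inside the user address range? */
static int in_user_range(uint64_t ptr, uint64_t len)
{
    return ptr <= MODEL_USER_LIMIT && len <= MODEL_USER_LIMIT - ptr;
}

/* Unchecked pattern: carve scratch space below the user stack pointer and
 * trust len. A len larger than user_sp wraps the 64-bit subtraction. */
static uint64_t alloc_unchecked(uint64_t user_sp, uint64_t len)
{
    return user_sp - len;
}

/* Hardened pattern: same arithmetic, but the resulting range is validated
 * before anything is written through it. Returns 0 (NULL) on rejection. */
static uint64_t alloc_checked(uint64_t user_sp, uint64_t len)
{
    uint64_t p = user_sp - len;
    return in_user_range(p, len) ? p : 0;
}

int main(void)
{
    const uint64_t sp = 0xffffd000ULL;                     /* constructed stack pointer */
    const uint64_t lens[] = { 0x100ULL, 0x100000000ULL };  /* sane vs. oversized length */

    for (int i = 0; i < 2; i++) {
        uint64_t u = alloc_unchecked(sp, lens[i]);
        uint64_t c = alloc_checked(sp, lens[i]);
        printf("len=%#llx unchecked=%#llx in_user=%d checked=%#llx\n",
               (unsigned long long)lens[i], (unsigned long long)u,
               in_user_range(u, lens[i]), (unsigned long long)c);
    }
    return 0;
}
```

With the oversized length the unchecked result lands far outside the
modelled user range, while the checked variant returns NULL.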

A local root exploit for this issue is publicly available, and has
been verified to work on at least RHEL/CentOS/SLC 5 systems. It is
likely that the vulnerability is also present on other distributions,
even if this particular exploit doesn't work on them.


Recommendations
===============

EGI CSIRT has classified this as a critical vulnerability, and all sites
should update their 64-bit machines in the EGI infrastructure as soon as
vendor kernel updates are published and available.

A kernel update for SLC5 x86_64 is expected within a few hours.

EGI CSIRT will not issue any recommendation whether to drain queues and
disable logins pending a kernel update; we defer to local site policy in
this matter.

WLCG management is aware of the issue and will accept essential and related
unscheduled downtime incurred while handling CVE-2010-3081.


References
==========

This problem was reported on 2010-09-16 by Ben Hawkes:

http://sota.gen.nz/compat1/
http://seclists.org/oss-sec/2010/q3/370

Red Hat has acknowledged the problem:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081

A working local root exploit has been published on the Full Disclosure
mailing list:

http://seclists.org/fulldisclosure/2010/Sep/268