EGI CSIRT:Alerts/kernel-2010-09-16
EGI CSIRT ADVISORY [EGI-ADV-20100916]

Title: CRITICAL Kernel Vulnerability: 64-bit Compatibility Mode Stack Pointer Corruption
Date:  September 16, 2010
URL:   https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2010-09-16

Background
==========

A vulnerability in the 32-bit compatibility layer for 64-bit systems has
been reported. It is caused by insecure allocation of user space memory
when translating system call inputs to 64-bit. A stack pointer corruption
can occur when the "compat_alloc_user_space" function is used with an
arbitrary length input.

This vulnerability has been labeled CVE-2010-3081.

A local root exploit for this issue is publicly available, and has been
verified to work on at least RHEL/CentOS/SLC 5 systems. It is likely that
the vulnerability is also present on other distributions, even if this
particular exploit doesn't work on them.

Recommendations
===============

EGI CSIRT has classified this as a critical vulnerability, and all sites
should update their 64-bit machines in the EGI infrastructure as soon as
vendor kernel updates are published and available.

A kernel update for SLC5 x86_64 is expected within a few hours.

EGI CSIRT will not issue any recommendation on whether to drain queues and
disable logins pending a kernel update; we defer to local site policy in
this matter.

WLCG management is aware of the issue and will accept essential and related
unscheduled downtime incurred while handling CVE-2010-3081.

References
==========

This problem was reported on 2010-09-16 by Ben Hawkes:

http://sota.gen.nz/compat1/
http://seclists.org/oss-sec/2010/q3/370

Red Hat has acknowledged the problem:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081

A working local root exploit has been published on the Full Disclosure
mailing list:

http://seclists.org/fulldisclosure/2010/Sep/268
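
One way a site could track the update called for under Recommendations, as an added example that is not part of the EGI CSIRT advisory: it classifies hosts from collected `uname -m` / `uname -r` output and flags machines where the new kernel is installed but the old one is still running. The inventory format, the host names, the function names and the kernel release strings are constructed; the advisory does not state a fixed release, so `FIXED` must come from the vendor erratum.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify hosts for the
# CVE-2010-3081 kernel update from inventory lines of the form
#   host  arch(uname -m)  running(uname -r)  newest-installed-kernel
# FIXED below is a constructed placeholder; take the real release string
# from the vendor erratum, which the advisory does not state.

# classify ARCH RUNNING INSTALLED FIXED -> prints one status word
classify() {
    case $1 in
        i?86)   echo out-of-scope; return ;;     # 32-bit kernel, not a 64-bit system
        x86_64) ;;                               # the 64-bit case the advisory names
        *)      echo review-manually; return ;;  # other arch: check with the vendor
    esac
    if [ "$2" = "$4" ]; then
        echo patched           # the fixed kernel is the one running
    elif [ "$3" = "$4" ]; then
        echo reboot-pending    # fix installed, vulnerable kernel still running
    else
        echo update-needed     # fixed kernel not installed yet
    fi
}

# triage FIXED < inventory -> "host status" per line; skips blanks and comments
triage() {
    while read -r host arch running installed; do
        case $host in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$host" \
            "$(classify "$arch" "$running" "$installed" "$1")"
    done
}

# Constructed sample inventory and placeholder kernel releases.
FIXED='2.6.0-2.example.x86_64'
SAMPLE='# host arch running newest-installed
wn01 x86_64 2.6.0-1.example.x86_64 2.6.0-1.example.x86_64
wn02 x86_64 2.6.0-1.example.x86_64 2.6.0-2.example.x86_64
wn03 x86_64 2.6.0-2.example.x86_64 2.6.0-2.example.x86_64
ui01 i686 2.6.0-1.example.i686 2.6.0-1.example.i686'

printf '%s\n' "$SAMPLE" | triage "$FIXED"
```

The comparison is an exact match against the release string supplied in `FIXED`, so a host running any other kernel, including a later one, is reported as update-needed until `FIXED` is changed.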