Difference between revisions of "EGI CSIRT:Alerts/kernel-2013-03-18"
Revision as of 16:36, 18 March 2013
** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20130318]

Title:   Linux kernel ptrace vulnerability (CVE-2013-0871) [EGI-ADV-20130318]
Date:    2013-03-18
Updated: 2013-03-18

URL:     https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2013-03-18

Introduction
============

Recently, a vulnerability in the Linux kernel's ptrace() syscall has been
discovered. This issue allows for local privilege escalation, but is
actually hard to exploit.

At the end of last week, Immunity Inc. have claimed that they have exploit
code that works on 64-bit virtual machines, and that they are working on
both 32-bit and non-VM versions.

The vulnerability has been assigned CVE-2013-0871.

Details
=======

A race condition in the ptrace() syscall request handling code allows an
attacker to escalate her privileges when a process being debugged is sent a
SIGKILL signal.

The race condition appears to be very hard to win reliably, but under
certain circumstances this is facilitated.

Risk Category
=============

This issue has been assessed as HIGH risk by the EGI CSIRT. If the working
exploit code becomes publicly available, the risk assessment is expected to
be raised to CRITICAL.

Affected Software
=================

+ All Linux kernels in the 3.X series up to and including version 3.7.4,
  unless patched against this issue.

+ At least the most recent kernels in the 2.6.X Linux kernel series, unless
  patched against this issue. Exactly how far back this issue goes is not
  clear at this moment.

Mitigation
==========

It is possible to disable the ptrace() syscall in a customized kernel.
However, this is not trivial, and prevents debugging in general.

For further information, see
http://blog.ghedini.me/post/10240771002/kernel-module-to-disable-ptrace

Component Installation information
==================================

For many distributions, patched kernel packages are available. Refer to
your distro's information channels.

Recommendations
===============

It is recommended that all sites upgrade their systems to use patched
kernels as quickly as possible.

References
==========

+ Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
+ NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0871
+ OSS-Sec: http://marc.info/?s=CVE-2013-0871&l=oss-security
+ Debian: https://security-tracker.debian.org/tracker/CVE-2013-0871
+ Scientific Linux 5: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4000
+ Scientific Linux 6: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4513
+ Scientific Linux CERN 5: http://linux.web.cern.ch/linux/updates/updates-slc5.shtml#20130314
+ Scientific Linux CERN 6: http://linux.web.cern.ch/linux/updates/updates-slc6.shtml#20130314
+ Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0871
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2013-0621.html
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2013-0567.html
+ Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2013-0871
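
Added example (not part of the EGI CSIRT advisory): a shell triage helper that sorts kernel release strings, such as the output of "uname -r" collected from worker nodes, into the ranges listed under "Affected Software". The function name classify_kernel, its result labels and the sample release strings are assumptions made for this example; because of the advisory's "unless patched" qualifier, a match only means the host must be checked against the distribution's erratum.

```shell
#!/bin/sh
# classify_kernel RELEASE  (hypothetical helper, not from the advisory)
# Prints one label:
#   check-3x  3.X series up to and including 3.7.4 -> verify distro erratum
#   check-26  2.6.X series (lower bound unknown)   -> verify distro erratum
#   outside   not in the ranges the advisory names
#   unparsed  release string not understood
classify_kernel() {
    # Keep the upstream part: "2.6.32-358.2.1.el6.x86_64" -> "2.6.32"
    upstream=${1%%[-+_]*}
    case $upstream in
        ''|*[!0-9.]*|.*|*..*|*.) echo unparsed; return 0 ;;
    esac
    # Pad so that minor and patch always exist ("3.8" -> 3, 8, 0)
    v="$upstream.0.0"
    major=${v%%.*}; v=${v#*.}
    minor=${v%%.*}; v=${v#*.}
    patch=${v%%.*}
    if [ "$major" -eq 3 ]; then
        if [ "$minor" -lt 7 ] || { [ "$minor" -eq 7 ] && [ "$patch" -le 4 ]; }; then
            echo check-3x
        else
            echo outside
        fi
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 6 ]; then
        echo check-26
    else
        echo outside
    fi
}

# Constructed sample release strings (not taken from the advisory).
for rel in 2.6.32-358.2.1.el6.x86_64 3.2.0-38-generic 3.7.4 3.7.5 3.8.0-rc1; do
    printf '%-28s %s\n' "$rel" "$(classify_kernel "$rel")"
done
```

On a live host, pass "$(uname -r)" as the argument. Distribution kernels receive backported fixes without a change in upstream version, so the package changelog or erratum remains the deciding check.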