Difference between revisions of "EGI CSIRT:Alerts/kernel-2013-03-18"

(Created page with "<pre> ** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT ADV...")
 
(Added update summary.)
 
(5 intermediate revisions by 3 users not shown)
Line 7: Line 7:
 
Title:      Linux kernel ptrace vulnerability (CVE-2013-0871) [EGI-ADV-20130318]
 
Title:      Linux kernel ptrace vulnerability (CVE-2013-0871) [EGI-ADV-20130318]
 
Date:        2013-03-18
 
Date:        2013-03-18
Updated:    2013-03-18
+
Updated:    2013-03-19
  
 
URL:        https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2013-03-18
 
URL:        https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2013-03-18
 +
 +
 +
Update Summary
 +
==============
 +
 +
+ 2013-03-19: The exploit code has been enhanced so as to work reliably not
 +
              only on virtual machines, but also on actual hardware.
  
  
Line 15: Line 22:
 
============
 
============
  
Recently, a vulnerability in the Linux kernel's ptrace() syscall has been
+
Recently a vulnerability in the Linux kernel's ptrace() syscall was discovered.
discovered. This issue allows for local privilege escalation, but is actually
+
This issue allows for local privilege escalation, but was believed to be hard to
hard to exploit.  At the end of last week, Immunity Inc. have claimed that they
+
exploit.  At the end of last week, Immunity Inc. have claimed that they have
have exploit code that works on 64-bit virtual machines, and that they are
+
exploit code that reliably works on both virtual machines and actual hardware.
working on both 32-bit and non-VM versions.  The vulnerability has been assigned
+
The exploit code is only available to customers of Immunity.  The vulnerability
CVE-2013-0871.
+
has been assigned CVE-2013-0871.
  
  
Line 29: Line 36:
 
attacker to escalate her privileges when a process being debugged is sent a
 
attacker to escalate her privileges when a process being debugged is sent a
 
SIGKILL signal.  The race condition appears to be very hard to win reliably, but
 
SIGKILL signal.  The race condition appears to be very hard to win reliably, but
under certain circumstances this is facilitated.
+
it now appears that under certain circumstances reliable exploitation can be
 +
achieved.  At this time, it is unclear whether Immunity's exploit code works
 +
only for 64-bit systems or for 32-bit systems as well, but in any case, they
 +
have announced before that it is their intention to port the exploit to 32-bit
 +
systems.
  
  
Line 43: Line 54:
 
=================
 
=================
  
+ All Linux kernels in the 3.X series up to and including version 3.7.4, unless
+
+ All Linux kernels in the 3.X series up to and including version 3.7.4, unless
  patched against this issue.
+
  patched against this issue.
+ At least the most recent kernels in the 2.6.X Linux kernel series, unless
+
 
  patched against this issue.  Exactly how far back this issue goes is not clear
+
+ At least the most recent kernels in the 2.6.X Linux kernel series, unless
  at this moment.
+
  patched against this issue.  Exactly how far back this issue goes is not
 +
  clear at this moment.
  
  
Line 53: Line 65:
 
==========
 
==========
  
It is possible to disable the ptrace() syscall in a customized kernel. However,
+
We strongly advise not to try to work around the problem but to upgrade the
this is not trivial, and prevents debugging in general.  For further
+
kernel instead.
information, see
 
  http://blog.ghedini.me/post/10240771002/kernel-module-to-disable-ptrace
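Review bot: The replacement Mitigation text drops the ptrace()-disabling workaround and its link without saying why, so a reader comparing revisions cannot tell whether the workaround was found ineffective or is merely discouraged. Suggest adding one sentence with the reason (the removed text already noted that it "is not trivial, and prevents debugging in general"), so that sites which cannot reboot promptly understand the workaround is deliberately not endorsed rather than overlooked.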
 
  
  
Line 70: Line 80:
  
 
It is recommended that all sites upgrade their systems to use patched kernels as
 
It is recommended that all sites upgrade their systems to use patched kernels as
quickly as possible.
+
quickly as possible.  For RHEL-5-based systems, this means upgrading to at least
 +
kernel version 2.6.18-348.3.1, and for RHEL-6-based systems, upgrading to at
 +
least version 2.6.32-358.0.1.
  
  
Line 76: Line 88:
 
==========
 
==========
  
+ Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
+
+ Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
+ NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0871
+
+ NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0871
+ OSS-Sec: http://marc.info/?s=CVE-2013-0871&l=oss-security
+
+ OSS-Sec: http://marc.info/?s=CVE-2013-0871&l=oss-security
+ Debian: https://security-tracker.debian.org/tracker/CVE-2013-0871
+
+ Debian: https://security-tracker.debian.org/tracker/CVE-2013-0871
+ Scientific Linux 5: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4000
+
+ Scientific Linux 5: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4000
+ Scientific Linux 6: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4513
+
+ Scientific Linux 6: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4513
+ Scientific Linux CERN 5: http://linux.web.cern.ch/linux/updates/updates-slc5.shtml#20130314
+
+ Scientific Linux CERN 5: http://linux.web.cern.ch/linux/updates/updates-slc5.shtml#20130314
+ Scientific Linux CERN 6: http://linux.web.cern.ch/linux/updates/updates-slc6.shtml#20130314
+
+ Scientific Linux CERN 6: http://linux.web.cern.ch/linux/updates/updates-slc6.shtml#20130314
+ Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0871
+
+ Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0871
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2013-0621.html
+
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2013-0621.html
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2013-0567.html
+
+ Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2013-0567.html
+ Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2013-0871
+
+ Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2013-0871
 
</pre>
 
</pre>

Latest revision as of 19:12, 19 March 2013

** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20130318]

Title:       Linux kernel ptrace vulnerability (CVE-2013-0871) [EGI-ADV-20130318]
Date:        2013-03-18
Updated:     2013-03-19

URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2013-03-18


Update Summary
==============

 + 2013-03-19: The exploit code has been enhanced so as to work reliably not
               only on virtual machines, but also on actual hardware.


Introduction
============

Recently a vulnerability in the Linux kernel's ptrace() syscall was discovered.
This issue allows for local privilege escalation, but was believed to be hard to
exploit.  At the end of last week, Immunity Inc. have claimed that they have
exploit code that reliably works on both virtual machines and actual hardware.
The exploit code is only available to customers of Immunity.  The vulnerability
has been assigned CVE-2013-0871.


Details
=======

A race condition in the ptrace() syscall request handling code allows an
attacker to escalate her privileges when a process being debugged is sent a
SIGKILL signal.  The race condition appears to be very hard to win reliably, but
it now appears that under certain circumstances reliable exploitation can be
achieved.  At this time, it is unclear whether Immunity's exploit code works
only for 64-bit systems or for 32-bit systems as well, but in any case, they
have announced before that it is their intention to port the exploit to 32-bit
systems.


Risk Category
=============

This issue has been assessed as HIGH risk by the EGI CSIRT.  If the working
exploit code becomes publicly available, the risk assessment is expected to be
raised to CRITICAL.


Affected Software
=================

 + All Linux kernels in the 3.X series up to and including version 3.7.4, unless
   patched against this issue.

 + At least the most recent kernels in the 2.6.X Linux kernel series, unless
   patched against this issue.  Exactly how far back this issue goes is not
   clear at this moment.


Mitigation
==========

We strongly advise not to try to work around the problem but to upgrade the
kernel instead.


Component Installation information
==================================

For many distributions, patched kernel packages are available.  Refer to your
distro's information channels.


Recommendations
===============

It is recommended that all sites upgrade their systems to use patched kernels as
quickly as possible.  For RHEL-5-based systems, this means upgrading to at least
kernel version 2.6.18-348.3.1, and for RHEL-6-based systems, upgrading to at
least version 2.6.32-358.0.1.
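
One way to check hosts against the two minimum versions above; this is an added example, not part of the EGI CSIRT advisory. The host names and the sample inventory are constructed, and kernels other than RHEL-5/RHEL-6-based ones are reported as UNKNOWN because the advisory gives no minimum version for them.

```shell
#!/bin/sh
# Added example: compare `uname -r` strings with the minimum fixed kernel
# versions named in the Recommendations section of this advisory.

# vercmp A B: print -1, 0 or 1. Only the leading numeric fields are compared,
# so suffixes such as ".el6.x86_64" are ignored; missing fields count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        i = 1; while (i <= na && x[i] ~ /^[0-9]+$/) i++; na = i - 1
        i = 1; while (i <= nb && y[i] ~ /^[0-9]+$/) i++; nb = i - 1
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p != q) { print ((p < q) ? -1 : 1); exit }
        }
        print 0
    }' </dev/null
}

# check_kernel RELEASE: print OK, NEEDS-UPGRADE or UNKNOWN.
check_kernel() {
    case "$1" in
        2.6.18-*.el5*) min=2.6.18-348.3.1 ;;   # RHEL-5-based systems
        2.6.32-*.el6*) min=2.6.32-358.0.1 ;;   # RHEL-6-based systems
        *) echo "UNKNOWN"; return 0 ;;         # consult the distro's channels
    esac
    if [ "$(vercmp "$1" "$min")" -lt 0 ]; then echo "NEEDS-UPGRADE"; else echo "OK"; fi
}

# audit_inventory: read "host kernel-release" lines on stdin, print status.
audit_inventory() {
    while read -r host rel; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$rel" "$(check_kernel "$rel")"
    done
}

# Constructed sample inventory (hypothetical hosts, as collected via uname -r).
sample_inventory() {
    printf '%s\n' \
        "wn01 2.6.18-348.1.1.el5" "wn02 2.6.18-348.3.1.el5" \
        "ce01 2.6.32-358.el6.x86_64" "ce02 2.6.32-358.0.1.el6.x86_64" \
        "se01 2.6.32-279.22.1.el6.x86_64" "ui01 3.2.0-38-generic"
}

sample_inventory | audit_inventory
```

The check looks at the release string only, so run it against the running kernel (`uname -r`) after the reboot, not against the installed package list.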


References
==========

 + Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
 + NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0871
 + OSS-Sec: http://marc.info/?s=CVE-2013-0871&l=oss-security
 + Debian: https://security-tracker.debian.org/tracker/CVE-2013-0871
 + Scientific Linux 5: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4000
 + Scientific Linux 6: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4513
 + Scientific Linux CERN 5: http://linux.web.cern.ch/linux/updates/updates-slc5.shtml#20130314
 + Scientific Linux CERN 6: http://linux.web.cern.ch/linux/updates/updates-slc6.shtml#20130314
 + Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0871
 + Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2013-0621.html
 + Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2013-0567.html
 + Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2013-0871