Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "EGI CSIRT:Alerts/kernel-2013-03-18"

From EGIWiki
Jump to navigation Jump to search
Line 53: Line 53:
==========
==========


It is possible to disable the ptrace() syscall in a customized kernel. However,
We strongly advise not to try to work around the problem but to upgrade the
this is not trivial, and prevents debugging in general.  For further
kernel instead.
information, see
  http://blog.ghedini.me/post/10240771002/kernel-module-to-disable-ptrace




Line 70: Line 68:


It is recommended that all sites upgrade their systems to use patched kernels as
It is recommended that all sites upgrade their systems to use patched kernels as
quickly as possible.
quickly as possible.  For RHEL-5-based systems, this means upgrading to at least
kernel version 2.6.18-348.3.1, and for RHEL-6-based systems, upgrading to at
least version 2.6.32-358.0.1.





Revision as of 17:04, 18 March 2013

** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20130318]

Title:       Linux kernel ptrace vulnerability (CVE-2013-0871) [EGI-ADV-20130318]
Date:        2013-03-18
Updated:     2013-03-18

URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2013-03-18


Introduction
============

Recently a vulnerability in the Linux kernel's ptrace() syscall was discovered.
This issue allows for local privilege escalation, but was believed to
be hard to exploit.  At the end of last week, Immunity Inc. have claimed that they
have exploit code that works on 64-bit virtual machines, and that they are
working on both 32-bit and non-VM versions.  This exploit code is only available to
customers of Immunity. The vulnerability has been assigned CVE-2013-0871.


Details
=======

A race condition in the ptrace() syscall request handling code allows an
attacker to escalate her privileges when a process being debugged is sent a
SIGKILL signal.  The race condition appears to be very hard to win reliably, but
it now appears that under certain circumstances reliable exploitation can be achieved.


Risk Category
=============

This issue has been assessed as HIGH risk by the EGI CSIRT.  If the working
exploit code becomes publicly available, the risk assessment is expected to be
raised to CRITICAL.


Affected Software
=================

+ All Linux kernels in the 3.X series up to and including version 3.7.4, unless
  patched against this issue.
+ At least the most recent kernels in the 2.6.X Linux kernel series, unless
  patched against this issue.  Exactly how far back this issue goes is not clear
  at this moment.


Mitigation
==========

We strongly advise not to try to work around the problem but to upgrade the
kernel instead.


Component Installation information
==================================

For many distributions, patched kernel packages are available.  Refer to your
distro's information channels.


Recommendations
===============

It is recommended that all sites upgrade their systems to use patched kernels as
quickly as possible.  For RHEL-5-based systems, this means upgrading to at least
kernel version 2.6.18-348.3.1, and for RHEL-6-based systems, upgrading to at
least version 2.6.32-358.0.1.


References
==========

+ Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
+ NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0871
+ OSS-Sec: http://marc.info/?s=CVE-2013-0871&l=oss-security
+ Debian: https://security-tracker.debian.org/tracker/CVE-2013-0871
+ Scientific Linux 5: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4000
+ Scientific Linux 6: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4513
+ Scientific Linux CERN 5: http://linux.web.cern.ch/linux/updates/updates-slc5.shtml#20130314
+ Scientific Linux CERN 6: http://linux.web.cern.ch/linux/updates/updates-slc6.shtml#20130314
+ Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0871
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2013-0621.html
+ Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2013-0567.html
+ Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2013-0871