Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT ADVISORY [EGI-ADV-20130318] Title: Linux kernel ptrace vulnerability (CVE-2013-0871) [EGI-ADV-20130318] Date: 2013-03-18 Updated: 2013-03-19 URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2013-03-18 Update Summary ============== + 2013-03-19: The exploit code has been enhanced so as to work reliably not only on virtual machines, but also on actual hardware. Introduction ============ Recently a vulnerability in the Linux kernel's ptrace() syscall was discovered. This issue allows for local privilege escalation, but was believed to be hard to exploit. At the end of last week, Immunity Inc. have claimed that they have exploit code that reliably works on both virtual machines and actual hardware. The exploit code is only available to customers of Immunity. The vulnerability has been assigned CVE-2013-0871. Details ======= A race condition in the ptrace() syscall request handling code allows an attacker to escalate her privileges when a process being debugged is sent a SIGKILL signal. The race condition appears to be very hard to win reliably, but it now appears that under certain circumstances reliable exploitation can be achieved. At this time, it is unclear whether Immunity's exploit code works only for 64-bit systems or for 32-bit systems as well, but in any case, they have announced before that it is their intention to port the exploit to 32-bit systems. Risk Category ============= This issue has been assessed as HIGH risk by the EGI CSIRT. If the working exploit code becomes publicly available, the risk assessment is expected to be raised to CRITICAL. Affected Software ================= + All Linux kernels in the 3.X series up to and including version 3.7.4, unless patched against this issue. + At least the most recent kernels in the 2.6.X Linux kernel series, unless patched against this issue. Exactly how far back this issue goes is not clear at this moment. Mitigation ========== We strongly advise not to try to work around the problem but to upgrade the kernel instead. Component Installation information ================================== For many distributions, patched kernel packages are available. Refer to your distro's information channels. Recommendations =============== It is recommended that all sites upgrade their systems to use patched kernels as quickly as possible. For RHEL-5-based systems, this means upgrading to at least kernel version 2.6.18-348.3.1, and for RHEL-6-based systems, upgrading to at least version 2.6.32-358.0.1. References ========== + Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871 + NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0871 + OSS-Sec: http://marc.info/?s=CVE-2013-0871&l=oss-security + Debian: https://security-tracker.debian.org/tracker/CVE-2013-0871 + Scientific Linux 5: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4000 + Scientific Linux 6: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=4513 + Scientific Linux CERN 5: http://linux.web.cern.ch/linux/updates/updates-slc5.shtml#20130314 + Scientific Linux CERN 6: http://linux.web.cern.ch/linux/updates/updates-slc6.shtml#20130314 + Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0871 + Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2013-0621.html + Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2013-0567.html + Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2013-0871