Difference between revisions of "EGI CSIRT:Alerts/kernel-2013-05-14"


Revision as of 20:31, 14 May 2013

** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20130514]

Title:       Linux kernel perf_event vulnerability (CVE-2013-2094) [EGI-ADV-20130514]
Date:        2013-05-14
Updated:     2013-05-14

URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/kernel-2013-05-14


Update Summary
==============

 + 2013-05-14: Initial revision.


Introduction
============

A recently-discovered vulnerability in the Linux kernel allows a local user
to escalate their privilege level and gain root access.  Working exploit code
is publicly available.


Details
=======

The performance measurement subsystem in the Linux kernel incorrectly casts a
64-bit integer into a 32-bit integer which is subsequently used for array
dereferencing.  Providing carefully chosen integers as input allows arbitrary
code to be executed.
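The C program below is an added illustration, not code from the advisory or from the kernel. It models the narrowing-cast pattern just described (a 64-bit attribute cast to a 32-bit int before an array-bounds check) and shows why the SystemTap mitigation given later in this advisory, which masks the attribute with INT_MAX, makes the existing check effective again. The table size SW_EVENT_MAX, the three check functions and the sample values are constructed for the model; the kernel's real table and identifiers are not reproduced. No out-of-bounds access is performed; the functions only report whether a value would be accepted as an index and whether that index lies inside the table.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the pattern described in Details: a 64-bit
 * attribute is narrowed to a 32-bit int and the narrowed value is then
 * bounds-checked and used as an array index.  SW_EVENT_MAX is a made-up
 * table size for the model, not the kernel's table. */
#define SW_EVENT_MAX 10

/* Vulnerable form.  Converting an out-of-range uint64_t to int is
 * implementation-defined in ISO C; gcc and clang keep the low 32 bits,
 * so a value whose bit 31 is set becomes negative.  A negative event_id
 * passes the ">= max" check and would index in front of the table. */
int vulnerable_check(uint64_t config, long *index_out)
{
    int event_id = (int)config;
    if (event_id >= SW_EVENT_MAX)
        return 0;                    /* rejected */
    *index_out = event_id;
    return 1;                        /* accepted as an index */
}

/* Fixed form: keep the value at full width, so there is no sign wrap and
 * the single comparison really bounds the index. */
int fixed_check(uint64_t config, long *index_out)
{
    uint64_t event_id = config;
    if (event_id >= SW_EVENT_MAX)
        return 0;
    *index_out = (long)event_id;
    return 1;
}

/* The advisory's SystemTap script does "attr.config &= INT_MAX" before the
 * unchanged vulnerable code runs.  With bit 31 and everything above it
 * cleared, the narrowed int equals the masked value and can no longer be
 * negative, so the existing bounds check rejects every oversized value. */
int mitigated_check(uint64_t config, long *index_out)
{
    config &= INT_MAX;
    return vulnerable_check(config, index_out);
}

/* 1 if index is a valid position in the model table, 0 otherwise. */
int index_in_bounds(long index)
{
    return index >= 0 && index < SW_EVENT_MAX;
}

int main(void)
{
    /* constructed samples: a valid id, a value with bit 31 set, and a
     * value whose only excess bits are above bit 31 */
    const uint64_t samples[] = { 3, 0xffffffffULL, 0x100000005ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long idx = 0;
        int v = vulnerable_check(samples[i], &idx);
        printf("config=0x%llx vulnerable:%s idx=%ld in_bounds=%d ",
               (unsigned long long)samples[i], v ? "accept" : "reject", idx,
               v ? index_in_bounds(idx) : 0);
        printf("fixed:%s mitigated:%s\n",
               fixed_check(samples[i], &idx) ? "accept" : "reject",
               mitigated_check(samples[i], &idx) ? "accept" : "reject");
    }
    return 0;
}
```

The third sample is the instructive one: its low 32 bits form a small, in-range number, so the vulnerable code and the masked (mitigated) code both accept it, while the full-width fix rejects it. The mask therefore stops the negative-index case that the published exploit relies on but does not restore the full-width comparison; that is why the advisory still asks sites to upgrade the kernel.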

The erroneous code has been introduced in kernel version 2.6.37 (commit
b0a873ebbf87bf38bf70b5e39a7cadc96099fa13 on 2010-09-09) and is fixed in kernel
version 3.8.9 (commit 8176cced706b5e5d15887584150764894e94e02f on 2013-04-15).
Additionally, the vulnerability was backported to 2.6.32 kernels by Red Hat.

Working exploit code is publicly available.  This code will not work on all
vulnerable distributions; however, it appears to work on RHEL 6 and derived
systems.


Risk Category
=============

This issue has been assessed as CRITICAL risk by the EGI CSIRT as a working
exploit is publicly available.


Affected Software
=================

 + Linux kernels 2.6.36-3.8.8 through 3.8.9.
 + Linux kernels 2.6.32 with Red Hat backports.


Mitigation
==========

To mitigate the issue, install the systemtap package and create a
file /root/mitigation.stp containing the following (without the
BEGIN/END marker lines):
---BEGIN FILE---
%{
#include <linux/perf_event.h>
%}

function sanitize_config:long (event:long) %{
        struct perf_event *event;
        event = (struct perf_event *) (long) STAP_ARG_event;
        event->attr.config &= INT_MAX;
%}

probe kernel.function("perf_swevent_init@kernel/events/core.c").call {
        sanitize_config($event);
}
---END FILE---

Then, run the command
  stap -g /root/mitigation.stp

Note that this needs to be re-run after every reboot.

A much easier mitigation that will only(!) prevent the published exploit
code from working correctly can be performed by disabling user-level
kernel profiling:
  sysctl kernel.perf_event_paranoid=2

Both mitigations are discussed in more detail at
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2094
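As an added check that is not part of the advisory, the C program below audits whether the two mitigations above are in place on a running host: whether kernel.perf_event_paranoid is at least 2, whether a module whose name starts with stap_ (SystemTap's default naming for the module built by stap -g) is loaded, and whether the running kernel's upstream version number falls in the 2.6.37 to 3.8.8 range implied by the Details section. The function names are constructed for this example; the files it reads (/proc/sys/kernel/perf_event_paranoid, /proc/modules, /proc/sys/kernel/osrelease) are the standard kernel interfaces. The version test is informational only: vendor kernels such as Red Hat's 2.6.32 with the backport report numbers outside the range yet are affected, so the distribution's own advisory remains authoritative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Text of /proc/sys/kernel/perf_event_paranoid, e.g. "2\n".  Returns 1
 * when the level is >= 2, which is what "sysctl kernel.perf_event_paranoid=2"
 * sets and which denies unprivileged user-level kernel profiling. */
int paranoid_level_blocks_users(const char *text)
{
    char *end;
    long level = strtol(text, &end, 10);
    if (end == text)
        return 0;                    /* unparsable: assume not mitigated */
    return level >= 2;
}

/* Text of /proc/modules.  SystemTap names the module built for a 'stap -g'
 * run "stap_<hash>_<pid>" by default, so a line that begins with "stap_"
 * indicates a loaded SystemTap script (this one or another). */
int stap_module_present(const char *modules_text)
{
    const char *line = modules_text;
    while (line && *line) {
        if (strncmp(line, "stap_", 5) == 0)
            return 1;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

static int version_cmp(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Upstream range from Details: introduced in 2.6.37, fixed in 3.8.9, so
 * 2.6.37 <= v <= 3.8.8 is affected.  Returns 1/0, or -1 when the string
 * does not start with a dotted version.  A 0 only means "not an affected
 * upstream number": distribution kernels with the backport (Red Hat's
 * 2.6.32) are affected at numbers outside this range. */
int upstream_version_affected(const char *uname_r)
{
    static const int first[3] = {2, 6, 37}, last[3] = {3, 8, 8};
    int v[3] = {0, 0, 0};
    if (sscanf(uname_r, "%d.%d.%d", &v[0], &v[1], &v[2]) < 2)
        return -1;
    return version_cmp(v, first) >= 0 && version_cmp(v, last) <= 0;
}

/* Read a whole (small) file into buf; returns 1 on success. */
static int read_text(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    size_t n;
    if (!f)
        return 0;
    n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 1;
}

int main(void)
{
    char paranoid[64], modules[65536], release[128];

    if (read_text("/proc/sys/kernel/perf_event_paranoid", paranoid, sizeof paranoid))
        printf("perf_event_paranoid >= 2 (sysctl mitigation): %s\n",
               paranoid_level_blocks_users(paranoid) ? "yes" : "no");
    if (read_text("/proc/modules", modules, sizeof modules))
        printf("SystemTap module loaded (stap mitigation): %s\n",
               stap_module_present(modules) ? "yes" : "no");
    if (read_text("/proc/sys/kernel/osrelease", release, sizeof release)) {
        int r;
        release[strcspn(release, "\n")] = '\0';
        r = upstream_version_affected(release);
        printf("kernel %s in upstream affected range 2.6.37-3.8.8: %s\n",
               release, r < 0 ? "unknown" : r ? "yes" : "no");
    }
    return 0;
}
```

Because the sysctl value and the SystemTap module are both lost on reboot, running this audit from a boot-time or periodic job is a simple way to notice when a host has silently fallen back to the unmitigated state.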

Component Installation information
==================================

For many distributions, patched kernel packages are available.  Refer to your
distro's information channels.


Recommendations
===============

It is recommended that sites implement the mitigation described above, unless
kernel profiling is essential, and upgrade their kernels as soon as patched
kernels become available for their respective distributions.


References
==========

 + Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094
 + NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094
 + OSS-Sec: http://marc.info/?s=CVE-2013-2094&l=oss-security
 + Debian: https://security-tracker.debian.org/tracker/CVE-2013-2094
 + Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2094
 + Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2013-2094