Difference between revisions of "EGI CSIRT:Alerts/liblinker-2010-10-18"
Introduction
============
Earlier today, Tavis Ormandy released information about a vulnerability in GNU libc, complete with an exploit that on many systems can give any local user root privileges. (For full details, see the link below.)

This vulnerability has been labelled CVE-2010-3847, and is present on many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3 and 4 and their derivatives). Vendor patches are not yet available.

Details
=======
As far as is known, the vulnerability can only be exploited if users can write to a file system that contains binaries with suid root permissions, since the attacker needs to create a hard link to a suid root binary.

This is, for instance, the case if /bin is located on the same filesystem as /tmp (or any other user-writable location, like /var/tmp, /home, /var/lib/texmf, and so on). This is unfortunately a common configuration.

Mitigation
==========
To make it impossible to create the required hard link, directories containing suid/sgid binaries can be made to appear as separate file systems by doing

    mount -o bind /sbin /sbin

for each such directory.

Please note that these commands must be re-run whenever the system is rebooted, for example by adding them to a suitable init script.

A baseline list of directories with suid/sgid binaries on a typical RHEL 5 system is:

    /bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/lpp
    /usr/sbin

You should check for any additional site-specific locations using a command like

    find / -type f \( -perm /u+s -o -perm /g+s \)

that will list all files with suid/sgid permissions.
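The mitigation steps above, as an added shell example that is not part of the EGI CSIRT alert: it feeds the alert's find command into a helper that derives the set of directories holding suid/sgid files, then bind-mounts each one over itself, skipping directories that are already mount points so the script can run from an init script at every boot. The function names and the "apply" argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the EGI CSIRT alert): find every directory that
# holds a suid/sgid binary and bind-mount it over itself, so that a hard link
# from a user-writable directory on the same filesystem fails (EXDEV).
# Meant to run from an init script at every boot; the mounts need root.

# Print the unique parent directories of the file paths read from stdin.
suid_dirs() {
    while IFS= read -r f; do
        dirname "$f"
    done | sort -u
}

# Succeed if $1 is already a mount point, so an earlier run is not repeated.
# Field 2 of /proc/self/mounts is the mount point of each active mount.
is_mountpoint() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' \
        /proc/self/mounts 2>/dev/null
}

# Bind-mount each directory read from stdin over itself unless already done.
bind_self() {
    while IFS= read -r d; do
        if is_mountpoint "$d"; then
            echo "already a mount point, skipping: $d"
        else
            mount -o bind "$d" "$d" && echo "bind-mounted over itself: $d"
        fi
    done
}

# Entry point: only acts when run as root with the argument "apply", using the
# same find expression as the alert to locate suid/sgid files.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
    find / -type f \( -perm /u+s -o -perm /g+s \) 2>/dev/null \
        | suid_dirs | bind_self
fi
```

Invoke it as `sh bind-suid-dirs.sh apply` from the init script; because directories already bind-mounted are skipped, re-running it is harmless.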
Recommendations
===============
Apply the mitigation method above for all relevant locations.

You may wish to suspend user logins and job submission until these steps have been taken; please refer to your local site policy.

Apply vendor updates as soon as they become available.

References
==========
http://seclists.org/fulldisclosure/2010/Oct/257
Revision as of 17:17, 18 October 2010