
Difference between revisions of "EGI CSIRT:Alerts/libuser-2015-07-24"

Changes made in the revision of 30 July 2015, relative to the revision of 24 July 2015 (the full current text follows below):

- Title: "**Update**" was prefixed to "EGI SVG Advisory 'Critical' risk libuser local root exploit CVE-2015-3245, CVE-2015-3246 for RedHat and derivatives."
- Updated: previously empty, now 2015-07-30.
- Introduction: the existing paragraphs were reflowed without change of wording, and a paragraph headed **Update 2015-07-30** was added reminding sites that the advisory applies to all systems with libuser installed.
- Risk category: the sentence ending "by the EGI CSIRT and EGI SVG Risk Assessment Team in cases where these services are vulnerable." was shortened to end at "Risk Assessment Team."
- Mitigation: the single line "Remove login via username and password or use technique described in [R 1]" was replaced by an **Update 2015-07-30** paragraph listing the two temporary mitigations.
- Component installation information: the line "**Update 2015-07-30** This patch is not yet available in SL6." was added after the RedHat 7 entry.
- Recommendations: an **Update 2015-07-30** paragraph on the missing Scientific Linux 6 patch was added.
- Timeline: the entry "2015-07-30 Update for clarification" was added.

Revision as of 15:24, 30 July 2015




** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI ADVISORY [EGI-ADV-20150724] 

Title:       **Update** EGI SVG Advisory 'Critical' risk libuser local root exploit CVE-2015-3245, 
CVE-2015-3246 for RedHat and derivatives.

Date:        2015-07-24
Updated:     2015-07-30

URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/libuser-2015-07-24  

Introduction
============

A vulnerability has been announced by RedHat concerning libuser [R 1], CVE-2015-3245 and CVE-2015-3246,
which allows a local user to obtain root. Exploits which have been shown to work very easily are publicly available.

This vulnerability is exploitable where access is via a local user account and its password.
Fortunately much of the access to the EGI infrastructure is NOT via this method, so much of the EGI
infrastructure is not likely to be affected.

However, if login with a local user and password is enabled, then sites should act quickly
to update. One scenario in EGI where access is likely to be via this method is where
User Interfaces (UIs) are made available with a local passwd file.

**Update 2015-07-30**

As questions about the scope of the advisory were raised, sites are reminded that this advisory applies
to all systems with libuser installed, and that they are therefore expected to update to a non-vulnerable version.
However, as for any vulnerability, sites can apply a temporary mitigation (see the Mitigation and
Recommendations sections) if an update is not an option.


Details
=======

More details are available at [R 1], [R 2].

It is fairly common that people use the old-fashioned "simply rsync the passwd and shadow files"
method to distribute account information, and a likely attacker is somebody who has managed to steal
a password with a keyboard sniffer.

Risk category
=============

This issue has been assessed as 'Critical' by the EGI CSIRT and EGI SVG Risk Assessment Team.


Affected software
=================

Red Hat Linux 5, 6, and 7 and their derivatives.

As far as we are aware, and from [R 2], this ONLY affects RedHat and its derivatives.


Mitigation
==========

**Update 2015-07-30**

The two possible (temporary) mitigations are:
- Disable all local accounts with local passwords (except root), or
- Disable access to chsh/chfn via PAM as described in [R 1]
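
As an added example (not part of the EGI advisory or of [R 1]), a POSIX shell audit that reports whether either of the two temporary mitigations above is in place on a host. It assumes the PAM stack files are /etc/pam.d/chfn and /etc/pam.d/chsh and that the [R 1] technique takes the form of an "auth required pam_deny.so" line; the sample shadow and PAM files are constructed so the check can be run without root.

```shell
#!/bin/sh
# Added audit helper for the two temporary mitigations (not from the EGI
# advisory). Assumption: the chfn/chsh PAM stack files and the pam_deny.so
# line are an illustrative form of the [R 1] mitigation, not a quote of it.

# List accounts in a shadow-format file that still have a usable password hash:
# field 2 non-empty and not locked ('!' or '*' prefix). root is excluded because
# the first mitigation keeps it.
usable_password_accounts() {
    awk -F: '$1 != "root" && $2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Succeed (exit 0) when a PAM stack file denies authentication outright,
# i.e. contains an "auth required/requisite pam_deny.so" line.
pam_denies_auth() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_deny\.so' "$1"
}

# Print "mitigated" when either mitigation is in place (no non-root account
# with a usable password, or both chfn and chsh PAM stacks deny auth),
# otherwise print "exposed" and fail.
libuser_mitigation_status() {
    shadow="$1"; chfn_pam="$2"; chsh_pam="$3"
    if [ -z "$(usable_password_accounts "$shadow")" ]; then
        echo mitigated; return 0
    fi
    if pam_denies_auth "$chfn_pam" && pam_denies_auth "$chsh_pam"; then
        echo mitigated; return 0
    fi
    echo exposed; return 1
}

# Constructed sample files so the check can be exercised without root access;
# on a real host pass /etc/shadow, /etc/pam.d/chfn and /etc/pam.d/chsh instead.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:$6$constructed:16600:0:99999:7:::' \
              'alice:$6$constructed:16600:0:99999:7:::' \
              'daemon:*:16600:0:99999:7:::' 'bob:!!:16600:0:99999:7:::' > "$demo_dir/shadow"
printf '%s\n' '#%PAM-1.0' 'auth    include    system-auth' > "$demo_dir/chfn"
printf '%s\n' '#%PAM-1.0' 'auth    required   pam_deny.so' > "$demo_dir/chsh"
echo "accounts with usable passwords: $(usable_password_accounts "$demo_dir/shadow")"
echo "status: $(libuser_mitigation_status "$demo_dir/shadow" "$demo_dir/chfn" "$demo_dir/chsh")"
rm -rf "$demo_dir"
```

The constructed host is reported as "exposed" because alice keeps a usable password and the chfn stack still authenticates; locking alice or adding the deny line to chfn flips the verdict.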


Component installation information
==================================

RedHat
------

For RedHat 5 no update will be issued, as stated in [R 1]. So if username and password login is used
on RH 5 and its derivatives there is a need to migrate to a more recent version of Linux.
In the meantime the mitigation documented in [R 1] should be applied.

For RedHat 6 see [R 3].

For RedHat 7 see [R 4].

**Update 2015-07-30** This patch is not yet available in SL6.

Recommendations
===============

All those who provide services which are accessed via a local username and password must update
urgently or take mitigating action.

All affected running resources MUST be either patched or otherwise have a work-around in place by
2015-07-31T21:00+01:00. Sites failing to act and/or failing to respond to requests from the EGI
CSIRT team risk site suspension.

**Update 2015-07-30**

As no patch has yet been released for Scientific Linux 6, sites that are not able to apply
the patch are strongly encouraged to apply one of the above mitigations while waiting for it.


Credit
======

SVG was alerted to this vulnerability by Leif Nixon.

References
==========

[R 1] https://access.redhat.com/articles/1537873

[R 2] http://www.openwall.com/lists/oss-security/2015/07/23/16

[R 3] https://rhn.redhat.com/errata/RHSA-2015-1482.html

[R 4] https://rhn.redhat.com/errata/RHSA-2015-1483.html



Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. 


Timeline  
========
Yyyy-mm-dd

2015-07-23 SVG alerted to this vulnerability by Leif Nixon.
2015-07-23 Public exploit tested by Vincent Brillault, found to work easily
2015-07-23 All those who looked agreed on 'Critical' where exploitable.
2015-07-24 Advisory drafted.
2015-07-24 Advisory sent to sites
2015-07-30 Update for clarification