EGI CSIRT:Alerts/libuser-2015-07-24

From EGIWiki
Revision as of 14:29, 24 July 2015 by Cornwall (talk | contribs) (Created page with " {{New-Egi-csirt-header}} <pre> * WHITE information - Unlimited distribution allowed ** ** see for distribution...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
EGI-CSIRT web site EGI-CSIRT Public wiki EGI-CSIRT Contacts EGI-CSIRT Activities EGI-CSIRT Private wiki

* WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'Critical' risk libuser local root exploit CVE-2015-3245, 
CVE-2015-3246 for RedHat and derivatives.

Date:        2015-07-24



A vulnerability has been announced by RedHat concerning libuser [R 1], CVE-2015-3245, 
CVE-2015-3246 which allows local root exploit. Exploits which have been shown to work very 
easily are publicly available.

This vulnerability is present in the case of access via a local user account and its password.
Fortunately much of the access to the EGI infrastructure is NOT via this method; so much of 
the EGI infrastructure is not likely to be affected. 

However, if access via login with a local user and password is enabled, then sites should act
quickly to update.  One scenario in EGI where access is likely to be via this method is where 
User Interfaces (UIs) are made available with a local passwd file.  


More details are available at [R 1], [R 2] 

It is fairly common that people use the old-fashioned "simply rsync the passwd and shadow
files" method to distribute account information, and a likely attacker is somebody who has
managed to steal a password with a keyboard sniffer. 

Risk category

This issue has been assessed as 'Critical'  by the EGI CSIRT and EGI SVG Risk Assessment Team 
in cases where these services are vulnerable. 

Affected software

Red Hat Linux 5, 6, and 7 and their derivatives.

As far as we are aware, and from [R 2], this ONLY affects RedHat and its derivatives.


Remove login via username and password or use technique described in [R 1]

Component installation information


For RedHat 5 this is not going to be updated as stated in [R 1]. So if using Username and 
password for RH 5 and its derivatives there is a need to migrate to a more recent version of
linux. In the meantime there is the mitigation documented in [R 1].

For RedHat 6 see [R 2]

For RedHat 7 see [R 3]


All those who provide services which are accessed via a local username and password must update
urgently or take mitigating action.

All affected running resources MUST be either patched or otherwise have a work-around in place
by 2015-07-31  T21:00+01:00. Sites failing to act and/or failing to respond to requests from 
the EGI CSIRT team risk site suspension. 


SVG was alerted to this vulnerability by Leif Nixon.


[R 1]

[R 2]

[R 3]

[R 4]


Comments or questions should be sent to svg-rat  at

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. 


2015-07-23 SVG alerted to this vulnerability by Leif Nixon.
2015-07-23 Public exploit tested by Vincent Brillault, found to work easily
2015-07-23 All those who looked agreed on 'Critical' where exploitable.
2015-07-24 Advisory drafted.
2015-07-24 Advisory sent to sites