Difference between revisions of "EGI CSIRT:Alerts/rds-2010-10-18"

From EGIWiki
Jump to: navigation, search
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
** WHITE information - Unlimited distribution allowed                        **
 +
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
 +
 +
EGI CSIRT ADVISORY [EGI-ADV-20101020]
 +
 +
Title:  HIGH Local root vulnerability in RDS (CVE-2010-3904) [EGI-ADV-20101020]
 +
Date: October 20, 2010
 +
URL:  https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-2010-10-18
 +
 
  Introduction
 
  Introduction
 
  ============
 
  ============
Line 6: Line 15:
 
  many systems can give any local user root privileges.
 
  many systems can give any local user root privileges.
 
   
 
   
  This vulnerability has been labelled CVE-2010-3904, and is present on
+
  This vulnerability has been labeled CVE-2010-3904, and is present on
 
  many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3
 
  many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3
  and 4 and their derivatives). Vendor patches are not yet available.
+
  and 4 and their derivatives). Vendor patches are so far only available
 +
for Ubuntu.
 +
 
   
 
   
 
  Details
 
  Details
Line 20: Line 31:
 
  Please note that the proof-of-concept exploit included in Rosenberg's
 
  Please note that the proof-of-concept exploit included in Rosenberg's
 
  advisory does not work on RHEL 5 derivatives because of certain
 
  advisory does not work on RHEL 5 derivatives because of certain
  implementation details, but the vulnerability *is* still present and
+
  implementation details, but the vulnerability *is* still present. The
easily exploited.
+
  EGI CSIRT has access to a non-public modified exploit that does work
   
+
  on RHEL 5.
However EGI CSIRT does have a working unpublished exploit code for
 
  RHEL5.
 
 
   
 
   
 
   
 
   
Line 37: Line 46:
 
   
 
   
 
  #!/bin/sh
 
  #!/bin/sh
 
+
 
  # Unload the module
 
  # Unload the module
 
   
 
   
Line 50: Line 59:
 
  # Blacklist the module
 
  # Blacklist the module
 
  echo "install rds /bin/true" > /etc/modprobe.d/disable-rds  
 
  echo "install rds /bin/true" > /etc/modprobe.d/disable-rds  
 +
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds
 
   
 
   
echo "alias net-pf-28 off" > /etc/modprobe.d/disable-rds"
 
 
 
  ------------------
 
  ------------------
 
   
 
   
 
  This will take effect immediately and does not require a reboot. The
 
  This will take effect immediately and does not require a reboot. The
 
  blacklisting will stay persistent across reboots.
 
  blacklisting will stay persistent across reboots.
+
 
 
  Please note that some clusters with Infiniband may actually use RDS.
 
  Please note that some clusters with Infiniband may actually use RDS.
 
  In these cases, the only solution is to deploy a patched kernel.
 
  In these cases, the only solution is to deploy a patched kernel.
 
   
 
   
 
+
 
  Recommendations
 
  Recommendations
 
  ===============
 
  ===============
Line 74: Line 82:
 
  ==========
 
  ==========
 
   
 
   
  Rosenberg's advisory:
+
  Rosenberg's advisory: http://www.vsecurity.com/resources/advisory/20101019-1/
http://www.vsecurity.com/resources/advisory/20101019-1/
+
 +
Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3904
 +
 +
Ubuntu kernel update:
 +
https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-October/001181.html

Latest revision as of 12:35, 20 October 2010

** WHITE information - Unlimited distribution allowed                        **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20101020]

Title:  HIGH Local root vulnerability in RDS (CVE-2010-3904) [EGI-ADV-20101020]
Date: October 20, 2010
URL:  https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-2010-10-18

Introduction
============

Yesterday, Dan Rosenberg released information about a vulnerability in
the RDS module in the Linux kernel, complete with an exploit that on
many systems can give any local user root privileges.

This vulnerability has been labeled CVE-2010-3904, and is present on
many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3
and 4 and their derivatives). Vendor patches are so far only available
for Ubuntu.


Details
=======

The RDS module, when communicating over an RDS socket, performs
insufficient access permission checks, which lets an attacker
overwrite arbitrary kernel memory. This is easily exploited to give
root privileges.

Please note that the proof-of-concept exploit included in Rosenberg's
advisory does not work on RHEL 5 derivatives because of certain
implementation details, but the vulnerability *is* still present. The
EGI CSIRT has access to a non-public modified exploit that does work
on RHEL 5.


Mitigation
==========

Most systems do not utilize RDS and can simply block the vulnerability
by blacklisting the RDS module (after unloading it if it is present),
for instance by running this script:

------------------

#!/bin/sh

# Unload the module

if lsmod | grep -q '^rds '; then
  echo "RDS was loaded"
fi
rmmod rds 2>/dev/null
if lsmod | grep -q '^rds '; then
  echo "FAILED to unload RDS"
fi

# Blacklist the module
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds 
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds

------------------

This will take effect immediately and does not require a reboot. The
blacklisting will stay persistent across reboots.
 
Please note that some clusters with Infiniband may actually use RDS.
In these cases, the only solution is to deploy a patched kernel.


Recommendations
===============

Immediately apply the mitigation described above to all
user-accessible systems.

Apply vendor kernel updates when they become available.


References
==========

Rosenberg's advisory: http://www.vsecurity.com/resources/advisory/20101019-1/

Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3904

Ubuntu kernel update:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-October/001181.html