Difference between revisions of "EGI CSIRT:Alerts/rds-2010-10-18"
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
** WHITE information - Unlimited distribution allowed | ** WHITE information - Unlimited distribution allowed ** | ||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ||
Line 15: | Line 15: | ||
many systems can give any local user root privileges. | many systems can give any local user root privileges. | ||
This vulnerability has been | This vulnerability has been labeled CVE-2010-3904, and is present on | ||
many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3 | many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3 | ||
and 4 and their derivatives). Vendor patches are | and 4 and their derivatives). Vendor patches are so far only available | ||
for Ubuntu. | |||
Details | Details | ||
Line 29: | Line 31: | ||
Please note that the proof-of-concept exploit included in Rosenberg's | Please note that the proof-of-concept exploit included in Rosenberg's | ||
advisory does not work on RHEL 5 derivatives because of certain | advisory does not work on RHEL 5 derivatives because of certain | ||
implementation details, but the vulnerability *is* still present | implementation details, but the vulnerability *is* still present. The | ||
EGI CSIRT has access to a non-public modified exploit that does work | |||
on RHEL 5. | |||
Line 44: | Line 44: | ||
------------------ | ------------------ | ||
#!/bin/sh | #!/bin/sh | ||
Line 59: | Line 59: | ||
# Blacklist the module | # Blacklist the module | ||
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds | echo "install rds /bin/true" > /etc/modprobe.d/disable-rds | ||
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds | |||
echo "alias net-pf-28 off" > /etc/modprobe.d/disable-rds | |||
------------------ | ------------------ | ||
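Review bot: the old revision's second line, `echo "alias net-pf-28 off" > /etc/modprobe.d/disable-rds`, uses `>`, which truncates the file and discards the `install rds /bin/true` directive written immediately before it, leaving the module loadable; the new revision's `>>` appends and keeps both directives. It would help to add a sentence to the Mitigation section telling sites that ran the earlier script to confirm that /etc/modprobe.d/disable-rds contains both lines.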
Line 66: | Line 65: | ||
This will take effect immediately and does not require a reboot. The | This will take effect immediately and does not require a reboot. The | ||
blacklisting will stay persistent across reboots. | blacklisting will stay persistent across reboots. | ||
Please note that some clusters with Infiniband may actually use RDS. | Please note that some clusters with Infiniband may actually use RDS. | ||
In these cases, the only solution is to deploy a patched kernel. | In these cases, the only solution is to deploy a patched kernel. | ||
Recommendations | Recommendations | ||
=============== | =============== | ||
Line 83: | Line 82: | ||
========== | ========== | ||
Rosenberg's advisory: | Rosenberg's advisory: http://www.vsecurity.com/resources/advisory/20101019-1/ | ||
Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3904 | |||
Ubuntu kernel update: | |||
https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-October/001181.html |
Latest revision as of 12:35, 20 October 2010
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20101020]

Title: HIGH Local root vulnerability in RDS (CVE-2010-3904) [EGI-ADV-20101020]
Date: October 20, 2010
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-2010-10-18

Introduction
============

Yesterday, Dan Rosenberg released information about a vulnerability in the RDS module in the Linux kernel, complete with an exploit that on many systems can give any local user root privileges.

This vulnerability has been labeled CVE-2010-3904, and is present on many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3 and 4 and their derivatives). Vendor patches are so far only available for Ubuntu.

Details
=======

The RDS module, when communicating over an RDS socket, performs insufficient access permission checks, which lets an attacker overwrite arbitrary kernel memory. This is easily exploited to give root privileges.

Please note that the proof-of-concept exploit included in Rosenberg's advisory does not work on RHEL 5 derivatives because of certain implementation details, but the vulnerability *is* still present. The EGI CSIRT has access to a non-public modified exploit that does work on RHEL 5.

Mitigation
==========

Most systems do not utilize RDS and can simply block the vulnerability by blacklisting the RDS module (after unloading it if it is present), for instance by running this script:

------------------
#!/bin/sh

# Unload the module
if lsmod | grep -q '^rds '; then
    echo "RDS was loaded"
fi
rmmod rds 2>/dev/null
if lsmod | grep -q '^rds '; then
    echo "FAILED to unload RDS"
fi

# Blacklist the module
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds
------------------

This will take effect immediately and does not require a reboot. The blacklisting will stay persistent across reboots.

Please note that some clusters with Infiniband may actually use RDS. In these cases, the only solution is to deploy a patched kernel.

Recommendations
===============

Immediately apply the mitigation described above to all user-accessible systems.

Apply vendor kernel updates when they become available.

References
==========

Rosenberg's advisory: http://www.vsecurity.com/resources/advisory/20101019-1/
Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3904
Ubuntu kernel update: https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-October/001181.html
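An added audit check, not part of the EGI CSIRT advisory, that reports whether the blacklisting mitigation above is actually in effect on a host: it looks for the `install rds /bin/true` directive in a modprobe.d directory and for a resident rds module in a /proc/modules-style listing. The paths are parameters so the check can run against the constructed sample files in `demo`; on a live system pass `/proc/modules` and `/etc/modprobe.d`.

```shell
#!/bin/sh
# Added example (not the advisory's own script): audit the RDS mitigation.

# rds_loaded MODULES_FILE
#   Returns 0 if the rds module appears in a /proc/modules-style listing.
rds_loaded() {
    grep -q '^rds ' "$1"
}

# rds_blacklisted MODPROBE_DIR
#   Returns 0 if any file in the directory carries "install rds /bin/true",
#   the directive that turns every load request for rds into a no-op.
#   -s silences errors for an empty directory or non-file entries.
rds_blacklisted() {
    grep -qs '^install[[:space:]][[:space:]]*rds[[:space:]][[:space:]]*/bin/true' "$1"/*
}

# rds_mitigation_status MODULES_FILE MODPROBE_DIR
#   Prints one of: mitigated, blacklisted-but-loaded, loaded, exposed.
#   Only "mitigated" means the module is neither resident nor autoloadable;
#   "blacklisted-but-loaded" means the rmmod step of the advisory's script
#   did not take effect and the module must still be unloaded.
rds_mitigation_status() {
    modules="$1"; dir="$2"
    if rds_loaded "$modules"; then
        if rds_blacklisted "$dir"; then echo "blacklisted-but-loaded"; else echo "loaded"; fi
    else
        if rds_blacklisted "$dir"; then echo "mitigated"; else echo "exposed"; fi
    fi
}

# demo: constructed sample inputs (not captured from a real host) so the
# check can be exercised offline; a host with the blacklist written but the
# module still resident is reported as blacklisted-but-loaded.
demo() {
    tmp=$(mktemp -d)
    printf 'install rds /bin/true\nalias net-pf-28 off\n' > "$tmp/disable-rds"
    printf 'rds 98765 0 - Live 0x0\next3 123 1 - Live 0x0\n' > "$tmp/modules.sample"
    rds_mitigation_status "$tmp/modules.sample" "$tmp"
    rm -rf "$tmp"
}
demo
```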