Difference between revisions of "EGI CSIRT:Alerts/rds-2010-10-18"

From EGIWiki
Introduction
============

Yesterday, Dan Rosenberg released information about a vulnerability in
the RDS module in the Linux kernel, complete with an exploit that on
many systems can give any local user root privileges.

This vulnerability has been labelled CVE-2010-3904, and is present on
many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3
and 4 and their derivatives). Vendor patches are not yet available.

Details
=======

The RDS module, when communicating over an RDS socket, performs
insufficient access permission checks, which lets an attacker
overwrite arbitrary kernel memory. This is easily exploited to give
root privileges.

Please note that the proof-of-concept exploit included in Rosenberg's
advisory does not work on RHEL 5 derivatives because of certain
implementation details, but the vulnerability *is* still present and
easily exploited.

However, EGI CSIRT does have working unpublished exploit code for
RHEL5.

Mitigation
==========

Most systems do not utilize RDS and can simply block the vulnerability
by blacklisting the RDS module (after unloading it if it is present),
for instance by running this script:

------------------

#!/bin/sh

# Unload the module if it is currently loaded
if lsmod | grep -q '^rds '; then
  echo "RDS was loaded"
fi
rmmod rds 2>/dev/null
if lsmod | grep -q '^rds '; then
  echo "FAILED to unload RDS"
fi

# Blacklist the module. The install line stops explicit loading; the
# alias line stops the kernel auto-loading it when an AF_RDS (protocol
# family 28) socket is created. Both lines must end up in the file, so
# the second echo appends instead of overwriting the first line.
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds

------------------

This will take effect immediately and does not require a reboot. The
blacklisting will stay persistent across reboots.

Please note that some clusters with Infiniband may actually use RDS.
In these cases, the only solution is to deploy a patched kernel.

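The following audit script is an added example and not part of the EGI CSIRT advisory; it verifies on a host that the mitigation above is in place (rds not loaded, one of the two modprobe rules the script writes present under /etc/modprobe.d, and an AF_RDS socket no longer creatable). The sample /proc/modules and modprobe.d contents are constructed for illustration.

```python
import glob
import re
import socket

AF_RDS = 28  # the net-pf-28 in the advisory's alias line

# Constructed sample inputs (not captured from a real host), in the
# formats of /proc/modules and /etc/modprobe.d/* respectively.
SAMPLE_MODULES_LOADED = "rds 69408 0 - Live 0xffffffff88a00000\nipv6 260337 10 - Live 0xffffffff88b00000\n"
SAMPLE_MODULES_CLEAN = "ipv6 260337 10 - Live 0xffffffff88b00000\n"
SAMPLE_CONF_OK = "install rds /bin/true\nalias net-pf-28 off\n"

def rds_loaded(proc_modules_text):
    """True if rds is listed in /proc/modules (first field is the module name)."""
    return any(line.split()[0] == "rds"
               for line in proc_modules_text.splitlines() if line.strip())

def rds_blacklisted(modprobe_conf_text):
    """True if either rule the advisory's mitigation script writes is present."""
    rules = (r"^\s*install\s+rds\s+/bin/true\b", r"^\s*alias\s+net-pf-28\s+off\b")
    return any(re.search(r, modprobe_conf_text, re.M) for r in rules)

def audit(proc_modules_text, modprobe_conf_text):
    """Return (mitigated, findings); findings is empty when both checks pass."""
    findings = []
    if rds_loaded(proc_modules_text):
        findings.append("rds module is loaded")
    if not rds_blacklisted(modprobe_conf_text):
        findings.append("no modprobe rule prevents rds from loading")
    return (not findings, findings)

def rds_socket_possible():
    """Live check: with the mitigation in place, opening an AF_RDS socket
    must fail (EAFNOSUPPORT) instead of auto-loading the module."""
    try:
        s = socket.socket(AF_RDS, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return False
    s.close()
    return True

if __name__ == "__main__":
    # Gather live state (run as root so every modprobe.d file is readable).
    modules = open("/proc/modules").read()
    conf = "\n".join(open(p).read() for p in glob.glob("/etc/modprobe.d/*"))
    ok, findings = audit(modules, conf)
    if rds_socket_possible():
        ok, findings = False, findings + ["AF_RDS socket could be created"]
    print("mitigated" if ok else "NOT mitigated: " + "; ".join(findings))
```

The socket probe is the decisive check: a blacklist entry that never took effect (for example a typo in the file name) still leaves the kernel free to auto-load rds on first use.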
Recommendations
===============

Immediately apply the mitigation described above to all
user-accessible systems.

Apply vendor kernel updates when they become available.


References
==========

Rosenberg's advisory:
http://www.vsecurity.com/resources/advisory/20101019-1/

RedHat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=642896

Revision as of 12:33, 20 October 2010

** WHITE information - Unlimited distribution allowed                        **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20101020]

Title:  HIGH Local root vulnerability in RDS (CVE-2010-3904) [EGI-ADV-20101020]
Date: October 20, 2010
URL:  https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-2010-10-18