Difference between revisions of "EGI CSIRT:Alerts/rds-2010-10-20"

From EGIWiki
Jump to: navigation, search
(Created page with ' ** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT ADVI…')
 
 
(3 intermediate revisions by 2 users not shown)
Line 4: Line 4:
 
  EGI CSIRT ADVISORY [EGI-ADV-20101020]
 
  EGI CSIRT ADVISORY [EGI-ADV-20101020]
 
   
 
   
  Title: HIGH Local root vulnerability in RDS (CVE-2010-3904) [EGI-ADV-20101020]
+
  Title:       HIGH Local root vulnerability in RDS (CVE-2010-3904) [EGI-ADV-20101020]
  Date: October 20, 2010
+
  Date:       October 20, 2010
  URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-2010-10-18
+
Last update: November 01, 2010
 +
  URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-2010-10-20
 
   
 
   
 
  Introduction
 
  Introduction
Line 16: Line 17:
 
   
 
   
 
  This vulnerability has been labeled CVE-2010-3904, and is present on
 
  This vulnerability has been labeled CVE-2010-3904, and is present on
  many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3
+
  many Linux distributions, including RHEL/CentOS/SL 5.  Other RHEL releases
  and 4 and their derivatives). Vendor patches are so far only available
+
may also be vulnerable if the OFED Infiniband stack is installed, which
for Ubuntu.
+
also includes the vulnerable kernel module.  If in doubt, system
 +
  administrators should consider their systems to be vulnerable unless
 +
they know for sure that there is no RDS kernel module present. Vendor
 +
patches are available for most distributions.
 
   
 
   
 
   
 
   
Line 68: Line 72:
 
  Please note that some clusters with Infiniband may actually use RDS.
 
  Please note that some clusters with Infiniband may actually use RDS.
 
  In these cases, the only solution is to deploy a patched kernel.
 
  In these cases, the only solution is to deploy a patched kernel.
 +
In most cases, however, even clusters with Infiniband will not
 +
actually use RDS, even though the RDS kernel module is also included
 +
in the OFED Infiniband stack.
 
   
 
   
 
   
 
   
Line 76: Line 83:
 
  user-accessible systems.
 
  user-accessible systems.
 
   
 
   
  Apply vendor kernel updates when they become available.
+
  Apply vendor kernel updates when they become available. Patches are available for
 +
* Ubuntu
 +
* RHEL5
 +
* SL5
 +
* SLC5
 +
* CentOS5
 
   
 
   
 
   
 
   
Line 88: Line 100:
 
  Ubuntu kernel update:
 
  Ubuntu kernel update:
 
  https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-October/001181.html
 
  https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-October/001181.html
 +
 +
RHEL5 update:
 +
https://rhn.redhat.com/errata/RHSA-2010-0792.html
 +
 +
SL5 update:
 +
http://listserv.fnal.gov/scripts/wa.exe?A2=ind1010&L=scientific-linux-errata&T=0&P=2892
 +
 +
SLC5 update:
 +
http://linux.web.cern.ch/linux/updates/updates-slc5.shtml#27.10.2010.shtml
 +
 +
CentOS5 update:
 +
http://lists.centos.org/pipermail/centos-announce/2010-October/017121.html

Latest revision as of 10:39, 1 November 2010

** WHITE information - Unlimited distribution allowed                        **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20101020]

Title:       HIGH Local root vulnerability in RDS (CVE-2010-3904) [EGI-ADV-20101020]
Date:        October 20, 2010
Last update: November 01, 2010
URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-2010-10-20

Introduction
============

Yesterday, Dan Rosenberg released information about a vulnerability in
the RDS module in the Linux kernel, complete with an exploit that on
many systems can give any local user root privileges.

This vulnerability has been labeled CVE-2010-3904, and is present on
many Linux distributions, including RHEL/CentOS/SL 5.  Other RHEL releases
may also be vulnerable if the OFED Infiniband stack is installed, which
also includes the vulnerable kernel module.  If in doubt, system
administrators should consider their systems to be vulnerable unless
they know for sure that there is no RDS kernel module present. Vendor
patches are available for most distributions.


Details
=======

The RDS module, when communicating over an RDS socket, performs
insufficient access permission checks, which lets an attacker
overwrite arbitrary kernel memory. This is easily exploited to give
root privileges.

Please note that the proof-of-concept exploit included in Rosenberg's
advisory does not work on RHEL 5 derivatives because of certain
implementation details, but the vulnerability *is* still present. The
EGI CSIRT has access to a non-public modified exploit that does work
on RHEL 5.


Mitigation
==========

Most systems do not utilize RDS and can simply block the vulnerability
by blacklisting the RDS module (after unloading it if it is present),
for instance by running this script:

------------------

#!/bin/sh

# Unload the module

if lsmod | grep -q '^rds '; then
  echo "RDS was loaded"
fi
rmmod rds 2>/dev/null
if lsmod | grep -q '^rds '; then
  echo "FAILED to unload RDS"
fi

# Blacklist the module
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds 
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds

------------------

This will take effect immediately and does not require a reboot. The
blacklisting will stay persistent across reboots.
 
Please note that some clusters with Infiniband may actually use RDS.
In these cases, the only solution is to deploy a patched kernel.
In most cases, however, even clusters with Infiniband will not
actually use RDS, even though the RDS kernel module is also included
in the OFED Infiniband stack.


Recommendations
===============

Immediately apply the mitigation described above to all
user-accessible systems.

Apply vendor kernel updates when they become available.  Patches are available for
* Ubuntu
* RHEL5
* SL5
* SLC5
* CentOS5


References
==========

Rosenberg's advisory: http://www.vsecurity.com/resources/advisory/20101019-1/

Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3904

Ubuntu kernel update:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-October/001181.html
RHEL5 update:
https://rhn.redhat.com/errata/RHSA-2010-0792.html
SL5 update:
http://listserv.fnal.gov/scripts/wa.exe?A2=ind1010&L=scientific-linux-errata&T=0&P=2892
SLC5 update:
http://linux.web.cern.ch/linux/updates/updates-slc5.shtml#27.10.2010.shtml
CentOS5 update:
http://lists.centos.org/pipermail/centos-announce/2010-October/017121.html