Difference between revisions of "EGI CSIRT:Alerts/rds-rdma-2010-11-02"
Jump to navigation
Jump to search
Line 1: | Line 1: | ||
<pre> | <pre> | ||
** WHITE information - Unlimited distribution allowed | ** WHITE information - Unlimited distribution allowed ** | ||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ||
EGI CSIRT ADVISORY [EGI-ADV-20101102] | EGI CSIRT ADVISORY [EGI-ADV-20101102] | ||
Title: | Title: High Risk Vulnerability CVE-2010-3865 kernel: integer overflow rds | ||
Date: November | [EGI-ADV-20101102] | ||
Last update: November | Date: November 03, 2010 | ||
Last update: November 03, 2010 | |||
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-rdma-2010-11-02 | URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-rdma-2010-11-02 | ||
Introduction | Introduction | ||
============ | ============ | ||
Another problem in the rds module has been detected, with the | |||
potential of giving any local user root privileges. This vulnerability | |||
has been labelled CVE-2010-3865. | |||
This is a separate issue from the recent CVE-2010-3904 vulnerability | |||
in rds, and the kernel update fixing CVE-2010-3904 does not fix | |||
CVE-2010-3865. | |||
This vulnerability affects RHEL5 and its derivatives, and any system | |||
that has installed the third-party OFED stack for Infiniband | |||
communication. | |||
No public exploit for this issue is currently known, but the EGI CSIRT | |||
considers this to be a high risk vulnerability. | |||
Details | Details | ||
======= | ======= | ||
As reported by Thomas Pollet, when doing rdma I/O, the rds module's | |||
page counter can overflow, since the total number of pages may not fit | |||
in an unsigned int. | |||
It may be possible to exploit this issue to get unauthorized access to | |||
kernel memory, which in turn can be used to get elevated privileges. | |||
Mitigation | Mitigation | ||
========== | ========== | ||
Most systems do not utilize RDS and can simply block the vulnerability | Most systems do not utilize RDS and can simply block the vulnerability | ||
by blacklisting the RDS module (after unloading it if it is present), | by blacklisting the RDS module (after unloading it if it is present), | ||
Line 62: | Line 65: | ||
# Blacklist the module | # Blacklist the module | ||
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds | echo "install rds /bin/true" > /etc/modprobe.d/disable-rds | ||
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds" | |||
echo "alias net-pf-28 off" > /etc/modprobe.d/disable-rds" | |||
------------------ | ------------------ | ||
Line 82: | Line 84: | ||
Apply vendor kernel updates when they become available. | Apply vendor kernel updates when they become available. | ||
Since the rds module seems to have more problems it | Since the rds module seems to have more problems it is recommended to | ||
this module blacklisted if not needed at your site. | keep this module blacklisted if not needed at your site, even after | ||
updating the kernel. | |||
Line 94: | Line 97: | ||
http://www.spinics.net/lists/netdev/msg145359.html | http://www.spinics.net/lists/netdev/msg145359.html | ||
http://www.spinics.net/lists/netdev/msg145397.html | http://www.spinics.net/lists/netdev/msg145397.html | ||
</pre> | </pre> |
Latest revision as of 16:45, 3 November 2010
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT ADVISORY [EGI-ADV-20101102] Title: High Risk Vulnerability CVE-2010-3865 kernel: integer overflow rds [EGI-ADV-20101102] Date: November 03, 2010 Last update: November 03, 2010 URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-rdma-2010-11-02 Introduction ============ Another problem in the rds module has been detected, with the potential of giving any local user root privileges. This vulnerability has been labelled CVE-2010-3865. This is a separate issue from the recent CVE-2010-3904 vulnerability in rds, and the kernel update fixing CVE-2010-3904 does not fix CVE-2010-3865. This vulnerability affects RHEL5 and its derivatives, and any system that has installed the third-party OFED stack for Infiniband communication. No public exploit for this issue is currently known, but the EGI CSIRT considers this to be a high risk vulnerability. Details ======= As reported by Thomas Pollet, when doing rdma I/O, the rds module's page counter can overflow, since the total number of pages may not fit in an unsigned int. It may be possible to exploit this issue to get unauthorized access to kernel memory, which in turn can be used to get elevated privileges. Mitigation ========== Most systems do not utilize RDS and can simply block the vulnerability by blacklisting the RDS module (after unloading it if it is present), for instance by running this script: ------------------ #!/bin/sh # Unload the module if lsmod | grep -q '^rds '; then echo "RDS was loaded" fi rmmod rds 2>/dev/null if lsmod | grep -q '^rds '; then echo "FAILED to unload RDS" fi # Blacklist the module echo "install rds /bin/true" > /etc/modprobe.d/disable-rds echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds" ------------------ This will take effect immediately and does not require a reboot. The blacklisting will stay persistent across reboots. Please note that some clusters with Infiniband may actually use RDS. In these cases, the only solution is to deploy a patched kernel. Recommendations =============== Immediately apply the mitigation described above to all user-accessible systems. Apply vendor kernel updates when they become available. Since the rds module seems to have more problems it is recommended to keep this module blacklisted if not needed at your site, even after updating the kernel. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=647416 https://www.redhat.com/security/data/cve/CVE-2010-3865.html For discussions on the details of the bug resulting in a buffer overflow: http://www.spinics.net/lists/netdev/msg145359.html http://www.spinics.net/lists/netdev/msg145397.html