Difference between revisions of "EGI CSIRT:Alerts/rds-rdma-2010-11-02"

From EGIWiki
Previous revision (draft of November 01, 2010), shown only where it differs from the latest revision below; "Line N:" gives the position of each changed passage in that draft.

Line 1:
'''========== DRAFT ==========='''
<pre>
** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20101102]

Title:       IMPORTANT Vulnerability CVE-2010-3865 kernel: iovec integer overflow in net/rds/rdma.c [EGI-ADV-20101102]
Date:        November 01, 2010
Last update: November 01, 2010
URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-rdma-2010-11-02


Introduction
============
Another problem in the RDS module has been detected:
https://bugzilla.redhat.com/show_bug.cgi?id=647416
It looks like they think it might even be possible to remotely exploit
this over an Infiniband network ("Access Vector: Adjacent"). But,
presumably, for this to be exploitable *over the network*, the victim
host would have to listen on an RDS socket, which should be very rare.
Locally, however, it is probably exploitable on any machine.

Note that the kernel update fixing CVE-2010-3904 does *not* fix CVE-2010-3865.

The EGI CSIRT considers this to be an IMPORTANT vulnerability, since, to our knowledge, no public exploit is currently available.
This might change soon.


Details
=======
As reported by Thomas Pollet, the rdma page counting can overflow. We get the
rdma sizes in 64-bit unsigned entities, but then limit them to UINT_MAX bytes and
shift them down to pages (so with a possible "+1" for an unaligned address).

So each individual page count fits comfortably in an 'unsigned int' (not even
close to overflowing into signed), but as they are added up, they might end up
resulting in a signed return value, which would be wrong.

Catch the case of tot_pages turning negative, and return the appropriate error
code.


Mitigation
==========
Most systems do not utilize RDS and can simply block the vulnerability
by blacklisting the RDS module (after unloading it if it is present),

Line 62:
# Blacklist the module
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds

echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds

------------------

Line 82:
Apply vendor kernel updates when they become available.

Since the rds module seems to have more problems it would be safer to keep
this module blacklisted if not needed at your site.


Line 94:
http://www.spinics.net/lists/netdev/msg145359.html
http://www.spinics.net/lists/netdev/msg145397.html

</pre>

Latest revision as of 16:45, 3 November 2010

** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
 
EGI CSIRT ADVISORY [EGI-ADV-20101102]
 
Title:       High Risk Vulnerability CVE-2010-3865 kernel: integer overflow rds [EGI-ADV-20101102]
Date:        November 03, 2010
Last update: November 03, 2010
URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-rdma-2010-11-02


Introduction
============

Another problem in the rds module has been detected, with the
potential of giving any local user root privileges. This vulnerability
has been labelled CVE-2010-3865.

This is a separate issue from the recent CVE-2010-3904 vulnerability
in rds, and the kernel update fixing CVE-2010-3904 does not fix
CVE-2010-3865.

This vulnerability affects RHEL5 and its derivatives, and any system
that has installed the third-party OFED stack for Infiniband
communication.

No public exploit for this issue is currently known, but the EGI CSIRT
considers this to be a high risk vulnerability.


Details
=======

As reported by Thomas Pollet, when doing rdma I/O, the rds module's
page counter can overflow, since the total number of pages may not fit
in an unsigned int.

It may be possible to exploit this issue to get unauthorized access to
kernel memory, which in turn can be used to get elevated privileges.
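The overflow described here and in the draft's Details section above, as an added user-space model (not kernel code and not part of this advisory): it mirrors the per-vector page count, sums it once the vulnerable way and once with the per-step bound that the fix for CVE-2010-3865 introduced. The names `pages_in_vec`, `count_pages_unchecked`, `count_pages_checked` and `sum_of_max_vecs`, and the 4 KiB page size, are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
/* User-space model of the rds rdma page counting described above; not kernel code. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
struct rds_iovec { uint64_t addr; uint64_t bytes; };   /* user-supplied, 64-bit fields */
/* Pages touched by one vector (0 = rejected): size capped at UINT_MAX bytes, then
 * shifted down to pages, with one extra page for an unaligned start address. */
static unsigned int pages_in_vec(const struct rds_iovec *v)
{
    if (v->addr + v->bytes <= v->addr || v->bytes > (uint64_t)UINT_MAX) return 0;
    return (unsigned int)(((v->addr + v->bytes + PAGE_SIZE - 1) >> PAGE_SHIFT)
                          - (v->addr >> PAGE_SHIFT));
}

/* Vulnerable pattern: each count fits an unsigned int, but the sum is returned as
 * a signed int and can go negative, or even wrap back to a small positive value. */
int count_pages_unchecked(const struct rds_iovec *iov, int nr)
{
    unsigned int tot_pages = 0;
    for (int i = 0; i < nr; i++) {
        unsigned int n = pages_in_vec(&iov[i]);
        if (n == 0) return -EINVAL;
        tot_pages += n;
    }
    return (int)tot_pages;
}

/* Fixed pattern: a vector adds at most about 2^20 pages, so the total cannot wrap
 * past UINT_MAX without first exceeding INT_MAX; checking after each add catches both. */
int count_pages_checked(const struct rds_iovec *iov, int nr)
{
    unsigned int tot_pages = 0;
    for (int i = 0; i < nr; i++) {
        unsigned int n = pages_in_vec(&iov[i]);
        if (n == 0) return -EINVAL;
        tot_pages += n;
        if (tot_pages > (unsigned int)INT_MAX) return -EINVAL;  /* "turned negative" */
    }
    return (int)tot_pages;
}
/* Constructed input: nr vectors of UINT_MAX bytes each, i.e. 2^20 pages apiece. */
int sum_of_max_vecs(int nr, int checked)
{
    static struct rds_iovec iov[4096];
    if (nr < 0 || nr > 4096) return -EINVAL;
    for (int i = 0; i < nr; i++) iov[i].bytes = UINT_MAX;
    return checked ? count_pages_checked(iov, nr) : count_pages_unchecked(iov, nr);
}
```

With 2048 maximal vectors the unchecked total comes back negative and with 4096 it wraps to 0, while the bounded version rejects both; a single sign test at the end would miss the wrapped case.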


Mitigation
==========

Most systems do not utilize RDS and can simply block the vulnerability
by blacklisting the RDS module (after unloading it if it is present),
for instance by running this script:

------------------

#!/bin/sh

# Unload the module

if lsmod | grep -q '^rds '; then
  echo "RDS was loaded"
fi
rmmod rds 2>/dev/null
if lsmod | grep -q '^rds '; then
  echo "FAILED to unload RDS"
fi

# Blacklist the module
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds

------------------

This will take effect immediately and does not require a reboot. The
blacklisting will stay persistent across reboots.

Please note that some clusters with Infiniband may actually use RDS.
In these cases, the only solution is to deploy a patched kernel.


Recommendations
===============

Immediately apply the mitigation described above to all
user-accessible systems.

Apply vendor kernel updates when they become available.

Since the rds module seems to have more problems it is recommended to
keep this module blacklisted if not needed at your site, even after
updating the kernel.


References
==========
https://bugzilla.redhat.com/show_bug.cgi?id=647416
https://www.redhat.com/security/data/cve/CVE-2010-3865.html

For discussions on the details of the bug resulting in a buffer overflow:
http://www.spinics.net/lists/netdev/msg145359.html
http://www.spinics.net/lists/netdev/msg145397.html