Difference between revisions of "EGI CSIRT:Alerts/tipc-2011-01-07"
Jump to navigation
Jump to search
imported>Ctria (Created page with '<pre> ** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT AD…') |
(Created page with '<pre> ** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT AD…') |
(No difference)
|
Latest revision as of 17:04, 7 January 2011
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT ADVISORY [EGI-ADV-20110701] Title: High Risk Vulnerability CVE-2010-3859 kernel: heap overflow in tipc_msg_build() [EGI-ADV-20110701] Date: January 07, 2011 Last update: January 07, 2011 URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/tipc-2011-01-07 Introduction ============ A problem in the TIPC module has been detected, with the potential of giving any local user root privileges. This vulnerability has been labelled CVE-2010-3859. This vulnerability affects RHEL5 and its derivatives. No public exploit for this issue is currently known, but the EGI CSIRT considers this to be a high risk vulnerability. Kernel update from Linux venders are available. Please note, the patched kernel (kernel-2.6.18-194.32.1.el5) also addressed CVE-2010-3865 (RDS module vulnerability) Details ======= The tipc_msg_build() function in net/tipc/msg.c contains an exploitable kernel heap overflow that would allow a local user to escalate privileges to root by issuing maliciously crafted sendmsg() calls via TIPC sockets. This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 6 and Red Hat Enterprise MRG as they did not include support for Transparent Inter-Process Communication Protocol (TIPC). This flaw has been addressed by the following kernel version which EGI CSIRT strongly recommends to be deployed: kernel-2.6.18-194.32.1.el5 (or later) After upgrading (and rebooting) to the new kernel, it is still recommended to blacklist the unused kernel module (tipc). For sites that aren't able to update their kernel please check the mitigation that follows in to blacklist the module. Mitigation ========== Most systems do not utilize TIPC and can simply block the vulnerability by blacklisting the TIPC module (after unloading it if it is present), for instance by running this script: ------------------ #!/bin/sh # Unload the module if lsmod | grep -q '^tipc '; then echo "TIPC was loaded" fi rmmod tipc 2>/dev/null if lsmod | grep -q '^tipc '; then echo "FAILED to unload TIPC" fi # Blacklist the module echo "blacklist tipc" >> /etc/modprobe.d/blacklist ------------------ This will take effect immediately and does NOT require a reboot. The blacklisting will stay persistent across reboots. Please note that if you indeed use the TIPC module the only solution is to deploy a patched kernel. Recommendations =============== Linux vendors have released patched kernel. Please apply vendor kernel update as soon as possible. Under exceptional circumstance, if you can not update the kernel, please immediately apply the mitigation described above to all user-accessible systems. It is recommended to keep this module blacklisted if not needed at your site, even after updating the kernel. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=645867 https://www.redhat.com/security/data/cve/CVE-2010-3859.html https://rhn.redhat.com/errata/RHSA-2011-0004.html http://listserv.fnal.gov/scripts/wa.exe?A2=ind1101&L=scientific-linux-errata&T=0&P=78 http://www.openwall.com/lists/oss-security/2010/10/22/2 http://marc.info/?l=linux-netdev&m=128770476511716&w=2