The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:Advisory-SVG-CVE-2016-5195"
Jump to navigation
Jump to search
| Line 3: | Line 3: | ||
<pre> | <pre> | ||
Title: EGI SVG 'Heads up'[TLP:WHITE ] 'CRITICAL' Risk CVE-2016-5195 Linux kernel privilege escalation [EGI-SVG-CVE-2016-5195] | Title: EGI SVG 'Heads up'[TLP:WHITE ] 'CRITICAL' Risk CVE-2016-5195 | ||
Linux kernel privilege escalation [EGI-SVG-CVE-2016-5195] | |||
Date: 2016-10-20 | Date: 2016-10-20 | ||
Updated: | Updated: 2016-10-23 (Wiki only - further updates expected on 24th) | ||
Affected software and risk | Affected software and risk | ||
| Line 21: | Line 22: | ||
At present this is a 'Heads up'. However sites running an OS where patches are available should urgently | At present this is a 'Heads up'. However sites running an OS where patches are available should urgently | ||
install the new version. (Currently Debian and Ubuntu.) | install the new version. (Currently Debian and Ubuntu.) | ||
**UPDATE 23rd October 2016** | |||
============================ | |||
The CVE-2016-5195 vulnerability is a critical bug in the Linux kernel that | |||
allows a normal user to get administrator rights. | |||
Since the vulnerability was publicly announced last week, various exploits have | |||
emerged, which are public and easy to use, making the vulnerability easy to | |||
abuse. Unlike original reports, some exploits were reported to work with | |||
RHEL5/6 systems. | |||
We request EGI sites to take immediate actions to remove or | |||
mitigate the vulnerability from their systems. | |||
While many mainstream Linux distributions have provided proper security | |||
updates, at the time of writing there is no update from RedHat providing a fix | |||
for the vulnerability for RH-based systems. | |||
There are, however, mitigation precautions that could be used. The RedHat | |||
announcement recommends setting for SystemTap to protect from the exploit. Cern | |||
has built a package providing the mitigation, which can be found at | |||
http://linuxsoft.cern.ch/cern/slc6X/updates/testing/x86_64/RPMS/cve_2016_5195-0.3- | |||
1.slc6.x86_64.rpm | |||
http://linuxsoft.cern.ch/cern/centos/7/cern-testing/x86_64/Packages/cve_2016_5195- | |||
0.3-1.el7.cern.x86_64.rpm | |||
Details can be found at | |||
https://gitlab.cern.ch/ComputerSecurity/cve_2016_5195 | |||
Another possibility is to block the system calls via which the vulnerability is | |||
exploited. CESNET provided an implementation of the module at | |||
https://github.com/bodik/dirtyc0w/tree/master/nomadvise | |||
For sites running a recent (642 series) version of *CentOS* 6 - they could try the | |||
package built by Nikhef on a CentOS 6 host and minimally tested on some worker nodes | |||
in the Nikhef preprod: | |||
https://software.nikhef.nl/experimental/cve_2016_5195/ | |||
If you cannot update any technical mitigation, we advise you to consider to | |||
declare a downtime for your site and disable user access to your systems. | |||
Actions required/recommended | Actions required/recommended | ||
============================ | ============================ | ||
**THIS IS EDPECTED TO BE UPDATED AROUND MIDDAY ON 24th October 2016** | |||
Sites running an OS where patches are available (currently Debian and Ubuntu) are advised to install the | Sites running an OS where patches are available (currently Debian and Ubuntu) are advised to install the | ||
| Line 34: | Line 86: | ||
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. | Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. | ||
Revision as of 13:47, 23 October 2016
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-CVE-2016-5195
Title: EGI SVG 'Heads up'[TLP:WHITE ] 'CRITICAL' Risk CVE-2016-5195
Linux kernel privilege escalation [EGI-SVG-CVE-2016-5195]
Date: 2016-10-20
Updated: 2016-10-23 (Wiki only - further updates expected on 24th)
Affected software and risk
==========================
CRITICAL risk vulnerability concerning Linux kernel
Package : Linux Kernel
CVE ID : CVE-2016-5195
A kernel vulnerability has been found concerning a race condition allowing an unprivileged local user
to gain write access to otherwise read only mappings and increase their privilege in the system.
At present this is a 'Heads up'. However sites running an OS where patches are available should urgently
install the new version. (Currently Debian and Ubuntu.)
**UPDATE 23rd October 2016**
============================
The CVE-2016-5195 vulnerability is a critical bug in the Linux kernel that
allows a normal user to get administrator rights.
Since the vulnerability was publicly announced last week, various exploits have
emerged, which are public and easy to use, making the vulnerability easy to
abuse. Unlike original reports, some exploits were reported to work with
RHEL5/6 systems.
We request EGI sites to take immediate actions to remove or
mitigate the vulnerability from their systems.
While many mainstream Linux distributions have provided proper security
updates, at the time of writing there is no update from RedHat providing a fix
for the vulnerability for RH-based systems.
There are, however, mitigation precautions that could be used. The RedHat
announcement recommends setting for SystemTap to protect from the exploit. Cern
has built a package providing the mitigation, which can be found at
http://linuxsoft.cern.ch/cern/slc6X/updates/testing/x86_64/RPMS/cve_2016_5195-0.3-
1.slc6.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/cern-testing/x86_64/Packages/cve_2016_5195-
0.3-1.el7.cern.x86_64.rpm
Details can be found at
https://gitlab.cern.ch/ComputerSecurity/cve_2016_5195
Another possibility is to block the system calls via which the vulnerability is
exploited. CESNET provided an implementation of the module at
https://github.com/bodik/dirtyc0w/tree/master/nomadvise
For sites running a recent (642 series) version of *CentOS* 6 - they could try the
package built by Nikhef on a CentOS 6 host and minimally tested on some worker nodes
in the Nikhef preprod:
https://software.nikhef.nl/experimental/cve_2016_5195/
If you cannot update any technical mitigation, we advise you to consider to
declare a downtime for your site and disable user access to your systems.
Actions required/recommended
============================
**THIS IS EDPECTED TO BE UPDATED AROUND MIDDAY ON 24th October 2016**
Sites running an OS where patches are available (currently Debian and Ubuntu) are advised to install the
new version within the next 7 days. Machines allowing unprivileged user access, such as Grid Worker Nodes,
should be prioritised. At this stage a rolling update and reboot is recommended as sufficient.
Other sites, running an OS where patches are not available yet should prepare the update, which they will
be required to apply within 7 days when new version will be available. Sites are also encouraged to investigate
workarounds (e.g. systemtap) for systems with direct unprivileged user access, such as User Interfaces.
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.
Affected software details
=========================
See relevant OS providers.
More information
================
More information is available from RedHat [R 1]
This advisory will be updated when patches become available for more different
operating systems.
Component installation information
==================================
Sites running Debian should see [R 2]
Sites running Ubuntu should see [R 3]
Sites running RedHat should see [R 4] (patch not available at time of writing)
Sites running Scientific Linux (SL) should see [R 5] (patch not available at time of writing)
TLP and URL
===========
** WHITE information - Unlimited distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-5195
Minor updates may be made without re-distribution to the sites
Credit
======
SVG was alerted to this vulnerability by Daniel Kouril who is a member of SVG
References
==========
[R 1] https://bugzilla.redhat.com/show_bug.cgi?id=1384344
[R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195
[R 3] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html
[R 4] https://access.redhat.com/security/cve/CVE-2016-5195
[R 5] https://www.scientificlinux.org/
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look.
Timeline
========
Yyyy-mm-dd [EGI-SVG-CVE-2016-5195]
2016-10-20 SVG alerted to this issue by Daniel Kouril
2016-10-20 Investigation of vulnerability and relevance to EGI carried out
2016-10-20 EGI SVG Risk Assessment completed
2016-10-20 IRTF/SVG agreed to issue an urgent heads up.
2016-10-20 'Heads up' sent to sites
On behalf of the EGI SVG,