
Difference between revisions of "SVG:Advisory-SVG-CVE-2016-5195"

From EGIWiki
Text of the previous revision (2016-10-23, Wiki-only update) in the passages that differ from the current revision; the full current revision of 2016-10-24 follows below.

Date:        2016-10-20
Updated:     2016-10-23 (Wiki only - further updates expected on 24th)

At present this is a 'Heads up'.  However sites running an OS where patches are available should urgently
install the new version. (Currently Debian and Ubuntu.)

**UPDATE 23rd October 2016**
============================

The CVE-2016-5195 vulnerability is a critical bug in the Linux kernel that
allows a normal user to get administrator rights.

Since the vulnerability was publicly announced last week, various exploits have
emerged, which are public and easy to use, making the vulnerability easy to
abuse. Unlike original reports, some exploits were reported to work with
RHEL5/6 systems.

We request EGI sites to take immediate actions to remove or
mitigate the vulnerability from their systems.

While many mainstream Linux distributions have provided proper security
updates, at the time of writing there is no update from RedHat providing a fix
for the vulnerability for RH-based systems.

There are, however, mitigation precautions that could be used. The RedHat
announcement recommends a SystemTap-based setting to protect from the exploit. CERN
has built a package providing the mitigation, which can be found at

http://linuxsoft.cern.ch/cern/slc6X/updates/testing/x86_64/RPMS/cve_2016_5195-0.3-1.slc6.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/cern-testing/x86_64/Packages/cve_2016_5195-0.3-1.el7.cern.x86_64.rpm

Details can be found at
https://gitlab.cern.ch/ComputerSecurity/cve_2016_5195

Another possibility is to block the system calls via which the vulnerability is
exploited. CESNET provided an implementation of the module at
https://github.com/bodik/dirtyc0w/tree/master/nomadvise

Sites running a recent (642 series) version of CentOS 6 could try the
package built by Nikhef on a CentOS 6 host and minimally tested on some worker nodes
in the Nikhef preprod:
  https://software.nikhef.nl/experimental/cve_2016_5195/

If you cannot deploy any technical mitigation, we advise you to consider
declaring a downtime for your site and disabling user access to your systems.

Actions required/recommended
============================

**THIS IS EXPECTED TO BE UPDATED AROUND MIDDAY ON 24th October 2016**

Sites running an OS where patches are available (currently Debian and Ubuntu) are advised to install the
new version within the next 7 days. Machines allowing unprivileged user access, such as Grid Worker Nodes,
should be prioritised. At this stage a rolling update and reboot is recommended as sufficient.

Other sites, running an OS where patches are not available yet, should prepare the update, which they will
be required to apply within 7 days once the new version becomes available. Sites are also encouraged to investigate
workarounds (e.g. SystemTap) for systems with direct unprivileged user access, such as User Interfaces.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

Affected software details
=========================

See relevant OS providers.

Credit
======

SVG was alerted to this vulnerability by Daniel Kouril who is a member of SVG

Timeline
========

2016-10-20 Investigation of vulnerability and relevance to EGI carried out

On behalf of the EGI SVG,

Revision as of 12:41, 24 October 2016


Advisory-SVG-CVE-2016-5195



Title:       EGI SVG 'Heads up' [TLP:WHITE] 'CRITICAL' Risk CVE-2016-5195
             Linux kernel privilege escalation [EGI-SVG-CVE-2016-5195]

Date:        2016-10-20
Updated:     2016-10-23 (Wiki only), 2016-10-24

Affected software and risk
==========================

CRITICAL risk vulnerability concerning Linux kernel

Package : Linux Kernel
CVE ID  : CVE-2016-5195

A kernel vulnerability has been found concerning a race condition allowing an unprivileged local user 
to gain write access to otherwise read only mappings and increase their privilege in the system. 

** UPDATE 24th October 2016 **
==============================

Since the vulnerability was publicly announced last week, publicly available exploits have emerged and are trivial to use to gain root on the affected systems. Unlike the initial exploit, some exploits were reported to work on RHEL5/6 systems (using 'PTRACE_POKEDATA'); see [R 6].

At the time of writing, there is still no official update from RedHat.

As a result, we urge EGI sites to take immediate action to mitigate the vulnerability on their systems, or to declare a downtime (for details see below) and close any public interfaces used by VOs or users.
Such a downtime will not be counted against the availability of your site until 3 working days after a patch is released and an advisory update is circulated.

Actions required/recommended
============================

Sites running an OS where patches are available (currently Debian and
Ubuntu) are required to install the new version. Machines allowing unprivileged user access, such as Grid Worker Nodes, should be prioritised.

Sites running an OS where patches are not available are required to deploy a mitigation or to declare a downtime in GOC-DB with the words 'EGI-SVG-CVE-2016-5195, vulnerability handling in progress' and close their site until a patch or mitigation is deployed. Machines allowing unprivileged user access, such as Grid Worker Nodes or User Interfaces, should be prioritised.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team before 2016-10-27T15:00:00Z risk site suspension.

Known Mitigations
=================

The following mitigations are known to work on RedHat-based distributions:

- A SystemTap module that disables writes to /proc/self/mem and ptrace, the official RedHat mitigation:
https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13 (no reboot needed). Please note that this completely disables GDB.
* If you use CentOS 7 or Scientific Linux CERN 6, CERN is providing pre-compiled modules:
https://cern.service-now.com/service-portal/view-outage.do?n=OTG0033700
* If you use CentOS 6, Nikhef is providing a pre-compiled module:
https://software.nikhef.nl/experimental/cve_2016_5195/
* If you are using Scientific Linux 6 or another flavour, there is currently no known pre-compiled module; you can compile one yourself.
Examples are available here:
https://gitlab.cern.ch/ComputerSecurity/cve_2016_5195/tree/master

- A kernel module that disables the 'madvise' system call, the main component of the vulnerability exploit. CESNET provides an implementation of the module at https://github.com/bodik/dirtyc0w/tree/master/nomadvise (no reboot needed).

- The upstream patch has been ported to the CentOS 6 kernel, resulting in a non-vulnerable kernel: http://rep.grid.kiae.ru/pub/cve-2016-5195/
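The three options above leave a RedHat-family host in one of three states: running a fixed or ported kernel, running with a mitigation module loaded, or still vulnerable. As an added example (not part of the advisory or of any of the linked packages), the POSIX shell helper below classifies a host from its /proc/modules contents and kernel release; it assumes the CESNET module loads under the name nomadvise and the SystemTap packages under a name starting with cve_2016_5195 (both assumptions, check the package you actually installed), and it takes the first fixed kernel release for your distribution from the site administrator, since the advisory does not list one.

```shell
#!/bin/sh
# Added example: classify a host as patched / mitigated / vulnerable for CVE-2016-5195.
# Assumptions (not from the advisory): the CESNET module loads as "nomadvise" and the
# CERN/Nikhef SystemTap packages load a module whose name starts with "cve_2016_5195".

# Constructed sample of /proc/modules from a host running the CESNET module.
SAMPLE_MODULES='nomadvise 12345 0 - Live 0xffffffffa0123000
xfs 987654 2 - Live 0xffffffffa0000000'

# has_mitigation_module TEXT: succeed if TEXT (contents of /proc/modules) lists a
# mitigation module; the first field of each /proc/modules line is the module name.
has_mitigation_module() {
    printf '%s\n' "$1" | awk '
        $1 == "nomadvise" || $1 ~ /^cve_2016_5195/ { found = 1 }
        END { exit !found }'
}

# kernel_at_least RUNNING FIXED: succeed if RUNNING sorts at or above FIXED under
# GNU version sort, so 2.6.32-642.9.9.el6 >= 2.6.32-642.9.1.el6 and 642 > 573.
kernel_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# mitigation_status MODULES RUNNING FIXED: print patched, mitigated or vulnerable
# (exit status 1 only for vulnerable). FIXED is the first non-vulnerable release for
# this distribution, taken from the OS provider's advisory ([R 2]..[R 5]); pass an
# empty string while no patch exists, so only a loaded mitigation module counts.
mitigation_status() {
    if [ -n "$3" ] && kernel_at_least "$2" "$3"; then
        echo patched; return 0
    fi
    if has_mitigation_module "$1"; then
        echo mitigated; return 0
    fi
    echo vulnerable; return 1
}

# Inspect the live host only when asked, so the file can be sourced without side effects:
#   sh check_cve_2016_5195.sh --host FIXED_RELEASE_PLACEHOLDER
if [ "${1:-}" = "--host" ]; then
    mitigation_status "$(cat /proc/modules)" "$(uname -r)" "${2:-}"
fi
```

Run it from a configuration-management or pdsh loop over worker nodes and user interfaces to get the list of hosts that still need a downtime or a mitigation.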

Affected software details
=========================

All Linux distributions, see relevant OS providers.

More information
================

More information is available from RedHat [R 1]

This advisory will be updated when patches become available for further operating systems.

Component installation information
==================================

Sites running Debian should see [R 2]

Sites running Ubuntu should see [R 3]

Sites running RedHat should see [R 4] (patch not available at time of writing)

Sites running Scientific Linux (SL) should see [R 5] (patch not available at time of writing)

TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-5195

Minor updates may be made without re-distribution to the sites, major updates will be sent by mail. Sites are encouraged to check this URL frequently until the situation is resolved.

Credit
======

SVG was alerted to this vulnerability by Daniel Kouril

References
==========

[R 1] https://bugzilla.redhat.com/show_bug.cgi?id=1384344

[R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195

[R 3] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html

[R 4] https://access.redhat.com/security/cve/CVE-2016-5195

[R 5] https://www.scientificlinux.org/

[R 6] https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu. The EGI Software Vulnerability Group will take a look.

Timeline
========
Yyyy-mm-dd [EGI-SVG-CVE-2016-5195]

2016-10-20 SVG alerted to this issue by Daniel Kouril
2016-10-20 Investigation of vulnerability and relevance to EGI
2016-10-20 EGI SVG Risk Assessment completed
2016-10-20 IRTF/SVG agreed to issue an urgent heads up.
2016-10-20 'Heads up' sent to sites
2016-10-24 Update sent to sites, clarifying actions