The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:Advisory-SVG-CVE-2016-5195"
Jump to navigation
Jump to search
| Line 3: | Line 3: | ||
<pre> | <pre> | ||
Title: EGI SVG | Title: EGI SVG/IRTF Advisory **UPDATE** [TLP:WHITE ] 'CRITICAL' Risk CVE-2016-5195 | ||
Linux kernel privilege escalation [EGI-SVG-CVE-2016-5195] | Linux kernel privilege escalation [EGI-SVG-CVE-2016-5195] | ||
Date: 2016-10-20 | Date: 2016-10-20 | ||
Updated: 2016-10-23 (Wiki only), 2016-10-24, 2016-10-25 (wiki only) | Updated: 2016-10-23 (Wiki only), 2016-10-24, 2016-10-25 (wiki only), 2016-10-26 | ||
Affected software and risk | Affected software and risk | ||
| Line 17: | Line 17: | ||
CVE ID : CVE-2016-5195 | CVE ID : CVE-2016-5195 | ||
A kernel vulnerability has been found concerning a race condition allowing an unprivileged local user | A kernel vulnerability has been found concerning a race condition allowing an unprivileged local user to | ||
gain write access to otherwise read only mappings and increase their privilege in the system. | |||
** UPDATE | ** UPDATE 26th October 2016 ** | ||
============================== | ============================== | ||
Patches are now available for RedHat linux 7 [R 4], RedHat Linux 6 [R 8] and their derivatives. | |||
This includes Scientific Linux versions, SL7 [R 7] and SL6 [R 9] CERN Scientific Linux [R 10], | |||
CentOS 6 [R 11] and CentOS 7 [R 12]. | |||
All affected sites should now update their kernels to a non-vulnerable version (see component | |||
installation information below) and reboot the systems. This includes sites which have put | |||
mitigations in place, as these mitigations have an impact on some VO Workflows. Sites are thus | |||
highly encouraged to replace their local mitigation with the new official kernel as soon as possible. | |||
Sites which are in downtime should restore services using non-vulnerable versions. | |||
Sites which do not have updates, mitigation in place, or are in downtime by 2016-10-31 T 18:00 UTC | |||
and/or failing to respond to requests from the EGI CSIRT team risk site suspension. | |||
For sites which have gone into downtime due to CVE-2016-5195 the downtime will not be counted c | |||
onsidering availability statistics for unavailability between 2016-10-20 16:00 UTC and 2016-10-31 18:00 UTC. | |||
** UPDATE 24th October 2016 ** | ** UPDATE 24th October 2016 ** | ||
============================ | ============================== | ||
Since the vulnerability was publicly announced last week, publicly available exploits have emerged | |||
and are trivial to use to gain root on the affected systems. Unlike the initial exploit, some | |||
exploits were reported to work with RHEL5/6 systems (using 'PTRACE_POKEDATA') see [R 6]. | |||
At the time of writing, there is still no official update from RedHat. | At the time of writing, there is still no official update from RedHat. | ||
As a result, we urge EGI sites to take immediate actions to mitigate the vulnerability from their systems or to | As a result, we urge EGI sites to take immediate actions to mitigate the vulnerability from their | ||
declare a downtime (for details see below) and close any public interfaces used by VOs or users. | systems or to declare a downtime (for details see below) and close any public interfaces used by | ||
Such downtime will not be counted for the availability of your site until 3 working days after a patch is released | VOs or users. Such downtime will not be counted for the availability of your site until 3 working days | ||
after a patch is released | |||
and an advisory update is circulated. | and an advisory update is circulated. | ||
Actions required/recommended | Actions required/recommended (Previous from 24th October) | ||
============================ | ========================================================== | ||
Sites running an OS where patches are available (currently Debian and | Sites running an OS where patches are available (currently Debian and Ubuntu) are required to install | ||
Ubuntu) are required to install the new version. Machines allowing unprivileged user access, such as Grid Worker Nodes, | the new version. Machines allowing unprivileged user access, such as Grid Worker Nodes, should be prioritised. | ||
should be prioritised. | |||
Sites running an OS where patches are not available are required to deploy a mitigation or to declare a downtime in GOC-DB | Sites running an OS where patches are not available are required to deploy a mitigation or to declare | ||
with the words 'EGI-SVG-CVE-2016-5195, vulnerability handling in progress' and close their site until a patch or mitigation | a downtime in GOC-DB | ||
is deployed. Machines allowing unprivileged user access, such as Grid Worker Nodes or User Interfaces, should be prioritised. | with the words 'EGI-SVG-CVE-2016-5195, vulnerability handling in progress' and close their site until a | ||
patch or mitigation is deployed. Machines allowing unprivileged user access, such as Grid Worker Nodes or | |||
User Interfaces, should be prioritised. | |||
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team before 2016-10-27T15:00:00Z risk site suspension. | Sites failing to act and/or failing to respond to requests from the EGI CSIRT team before 2016-10-27T15:00:00Z | ||
risk site suspension. | |||
Known Mitigations | Known Mitigations | ||
| Line 84: | Line 103: | ||
This advisory will be updated when patches become available for more different operating systems. | This advisory will be updated when patches become available for more different operating systems. | ||
Component installation information | Component installation information | ||
| Line 92: | Line 112: | ||
Sites running Ubuntu should see [R 3] | Sites running Ubuntu should see [R 3] | ||
Sites running RedHat should see [R 4] ( | Sites running RedHat should see [R 4] | ||
Sites running Scientific Linux (SL) should see [R 5], [R 7], [R 9] | |||
Sites running Cern Scientific Linux (SLC) should see [R 10] | |||
Sites running CentOS should see [R 11], [R 12] | |||
Other information | |||
================= | |||
This issue has NOT been fixed for RedHat 5 and it's derivatives. | |||
If any site is still running SL5 or it's derivatives, please be reminded that you should have | |||
decommissioned SL5 by 30th April 2016. [R 13] | |||
TLP and URL | TLP and URL | ||
| Line 106: | Line 137: | ||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-5195 | URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-5195 | ||
Minor updates may be made without re-distribution to the sites | Minor updates may be made without re-distribution to the sites. | ||
Credit | Credit | ||
| Line 121: | Line 151: | ||
[R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195 | [R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195 | ||
[R 3] | [R 3] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html | ||
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html | |||
[R 4] https://access.redhat.com/security/cve/CVE-2016-5195 | [R 4] https://access.redhat.com/security/cve/CVE-2016-5195 | ||
| Line 131: | Line 160: | ||
[R 7] https://www.scientificlinux.org/sl-errata/slsa-20162098-1/ | [R 7] https://www.scientificlinux.org/sl-errata/slsa-20162098-1/ | ||
[R 8] https://access.redhat.com/errata/RHSA-2016:2105 | |||
[R 9] https://www.scientificlinux.org/sl-errata/slsa-20162105-1/ | |||
[R 10] http://linux.web.cern.ch/linux/updates/updates-slc6.shtml | |||
[R 11] https://lists.centos.org/pipermail/centos-announce/2016-October/022134.html | |||
[R 12] https://lists.centos.org/pipermail/centos-announce/2016-October/022133.html | |||
[R 13] https://wiki.egi.eu/wiki/SL5_retirement | |||
Comments | Comments | ||
| Line 153: | Line 194: | ||
2016-10-20 'Heads up' sent to sites | 2016-10-20 'Heads up' sent to sites | ||
2016-10-24 Update sent to sites, clarifying actions | 2016-10-24 Update sent to sites, clarifying actions | ||
2016-10-25 | 2016-10-25 Patches for RedHat 7 and SL7 available | ||
2016-10-26 Patches for RedHat 6 and SL7 available | |||
2016-10-26 Patches for SLC 6, CentOS 6, CentOS 7 available. | |||
2016-10-26 Advisory update sent to sites. | |||
</pre> | </pre> | ||
Revision as of 15:26, 26 October 2016
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-CVE-2016-5195
Title: EGI SVG/IRTF Advisory **UPDATE** [TLP:WHITE ] 'CRITICAL' Risk CVE-2016-5195
Linux kernel privilege escalation [EGI-SVG-CVE-2016-5195]
Date: 2016-10-20
Updated: 2016-10-23 (Wiki only), 2016-10-24, 2016-10-25 (wiki only), 2016-10-26
Affected software and risk
==========================
CRITICAL risk vulnerability concerning Linux kernel
Package : Linux Kernel
CVE ID : CVE-2016-5195
A kernel vulnerability has been found concerning a race condition allowing an unprivileged local user to
gain write access to otherwise read only mappings and increase their privilege in the system.
** UPDATE 26th October 2016 **
==============================
Patches are now available for RedHat linux 7 [R 4], RedHat Linux 6 [R 8] and their derivatives.
This includes Scientific Linux versions, SL7 [R 7] and SL6 [R 9] CERN Scientific Linux [R 10],
CentOS 6 [R 11] and CentOS 7 [R 12].
All affected sites should now update their kernels to a non-vulnerable version (see component
installation information below) and reboot the systems. This includes sites which have put
mitigations in place, as these mitigations have an impact on some VO Workflows. Sites are thus
highly encouraged to replace their local mitigation with the new official kernel as soon as possible.
Sites which are in downtime should restore services using non-vulnerable versions.
Sites which do not have updates, mitigation in place, or are in downtime by 2016-10-31 T 18:00 UTC
and/or failing to respond to requests from the EGI CSIRT team risk site suspension.
For sites which have gone into downtime due to CVE-2016-5195 the downtime will not be counted c
onsidering availability statistics for unavailability between 2016-10-20 16:00 UTC and 2016-10-31 18:00 UTC.
** UPDATE 24th October 2016 **
==============================
Since the vulnerability was publicly announced last week, publicly available exploits have emerged
and are trivial to use to gain root on the affected systems. Unlike the initial exploit, some
exploits were reported to work with RHEL5/6 systems (using 'PTRACE_POKEDATA') see [R 6].
At the time of writing, there is still no official update from RedHat.
As a result, we urge EGI sites to take immediate actions to mitigate the vulnerability from their
systems or to declare a downtime (for details see below) and close any public interfaces used by
VOs or users. Such downtime will not be counted for the availability of your site until 3 working days
after a patch is released
and an advisory update is circulated.
Actions required/recommended (Previous from 24th October)
==========================================================
Sites running an OS where patches are available (currently Debian and Ubuntu) are required to install
the new version. Machines allowing unprivileged user access, such as Grid Worker Nodes, should be prioritised.
Sites running an OS where patches are not available are required to deploy a mitigation or to declare
a downtime in GOC-DB
with the words 'EGI-SVG-CVE-2016-5195, vulnerability handling in progress' and close their site until a
patch or mitigation is deployed. Machines allowing unprivileged user access, such as Grid Worker Nodes or
User Interfaces, should be prioritised.
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team before 2016-10-27T15:00:00Z
risk site suspension.
Known Mitigations
=================
The following mitigations are known to work on RedHat-based distributions:
- A system-tap module that disable /proc/self/mem and ptrace, the official RedHat mitigation,
https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13 (no reboot needed). Please note that this compltely disable GDB:
* If you use Centos 7 or Scientific Linux CERN 6, CERN is providing pre-compiled modules:
https://cern.service-now.com/service-portal/view-outage.do?n=OTG0033700
* If you use Centos 6, Nikhef is providing a pre-compiled module:
https://software.nikhef.nl/experimental/cve_2016_5195/
* If you are using Scientific Linux 6 or other flavor, there is currently no known pre-compiled module, you can compile some yourself.
Examples available here:
https://gitlab.cern.ch/ComputerSecurity/cve_2016_5195/tree/master
- A kernel module that disable the 'madvise' system call, the main component of the vulnerability exploit.
CESNET provides an implementation of the module at https://github.com/bodik/dirtyc0w/tree/master/nomadvise (no reboot needed)
- The upstream patch has been ported to the Centos 6 kernel, resulting in a non vulnerable kernel: http://rep.grid.kiae.ru/pub/cve-2016-5195/
Affected software details
=========================
All Linux distributions, see relevant OS providers.
More information
================
More information is available from RedHat [R 1]
This advisory will be updated when patches become available for more different operating systems.
Component installation information
==================================
Sites running Debian should see [R 2]
Sites running Ubuntu should see [R 3]
Sites running RedHat should see [R 4]
Sites running Scientific Linux (SL) should see [R 5], [R 7], [R 9]
Sites running Cern Scientific Linux (SLC) should see [R 10]
Sites running CentOS should see [R 11], [R 12]
Other information
=================
This issue has NOT been fixed for RedHat 5 and it's derivatives.
If any site is still running SL5 or it's derivatives, please be reminded that you should have
decommissioned SL5 by 30th April 2016. [R 13]
TLP and URL
===========
** WHITE information - Unlimited distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-5195
Minor updates may be made without re-distribution to the sites.
Credit
======
SVG was alerted to this vulnerability by Daniel Kouril
References
==========
[R 1] https://bugzilla.redhat.com/show_bug.cgi?id=1384344
[R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195
[R 3] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html
[R 4] https://access.redhat.com/security/cve/CVE-2016-5195
[R 5] https://www.scientificlinux.org/
[R 6] https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
[R 7] https://www.scientificlinux.org/sl-errata/slsa-20162098-1/
[R 8] https://access.redhat.com/errata/RHSA-2016:2105
[R 9] https://www.scientificlinux.org/sl-errata/slsa-20162105-1/
[R 10] http://linux.web.cern.ch/linux/updates/updates-slc6.shtml
[R 11] https://lists.centos.org/pipermail/centos-announce/2016-October/022134.html
[R 12] https://lists.centos.org/pipermail/centos-announce/2016-October/022133.html
[R 13] https://wiki.egi.eu/wiki/SL5_retirement
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu.
The EGI Software Vulnerability Group will take a look.
Timeline
========
Yyyy-mm-dd [EGI-SVG-CVE-2016-5195]
2016-10-20 SVG alerted to this issue by Daniel Kouril
2016-10-20 Investigation of vulnerability and relevance to EGI
2016-10-20 EGI SVG Risk Assessment completed
2016-10-20 IRTF/SVG agreed to issue an urgent heads up.
2016-10-20 'Heads up' sent to sites
2016-10-24 Update sent to sites, clarifying actions
2016-10-25 Patches for RedHat 7 and SL7 available
2016-10-26 Patches for RedHat 6 and SL7 available
2016-10-26 Patches for SLC 6, CentOS 6, CentOS 7 available.
2016-10-26 Advisory update sent to sites.