SVG:Advisory-SVG-CVE-2016-5195
Jump to navigation
Jump to search
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-CVE-2016-5195
Title: EGI SVG 'Heads up'[TLP:WHITE ] 'CRITICAL' Risk CVE-2016-5195 Linux kernel privilege escalation [EGI-SVG-CVE-2016-5195] Date: 2016-10-20 Updated: 2016-10-23 (Wiki only - further updates expected on 24th) Affected software and risk ========================== CRITICAL risk vulnerability concerning Linux kernel Package : Linux Kernel CVE ID : CVE-2016-5195 A kernel vulnerability has been found concerning a race condition allowing an unprivileged local user to gain write access to otherwise read only mappings and increase their privilege in the system. At present this is a 'Heads up'. However sites running an OS where patches are available should urgently install the new version. (Currently Debian and Ubuntu.) **UPDATE 23rd October 2016** ============================ The CVE-2016-5195 vulnerability is a critical bug in the Linux kernel that allows a normal user to get administrator rights. Since the vulnerability was publicly announced last week, various exploits have emerged, which are public and easy to use, making the vulnerability easy to abuse. Unlike original reports, some exploits were reported to work with RHEL5/6 systems. We request EGI sites to take immediate actions to remove or mitigate the vulnerability from their systems. While many mainstream Linux distributions have provided proper security updates, at the time of writing there is no update from RedHat providing a fix for the vulnerability for RH-based systems. There are, however, mitigation precautions that could be used. The RedHat announcement recommends setting for SystemTap to protect from the exploit. Cern has built a package providing the mitigation, which can be found at http://linuxsoft.cern.ch/cern/slc6X/updates/testing/x86_64/RPMS/cve_2016_5195-0.3- 1.slc6.x86_64.rpm http://linuxsoft.cern.ch/cern/centos/7/cern-testing/x86_64/Packages/cve_2016_5195- 0.3-1.el7.cern.x86_64.rpm Details can be found at https://gitlab.cern.ch/ComputerSecurity/cve_2016_5195 Another possibility is to block the system calls via which the vulnerability is exploited. CESNET provided an implementation of the module at https://github.com/bodik/dirtyc0w/tree/master/nomadvise For sites running a recent (642 series) version of *CentOS* 6 - they could try the package built by Nikhef on a CentOS 6 host and minimally tested on some worker nodes in the Nikhef preprod: https://software.nikhef.nl/experimental/cve_2016_5195/ If you cannot update any technical mitigation, we advise you to consider to declare a downtime for your site and disable user access to your systems. Actions required/recommended ============================ **THIS IS EDPECTED TO BE UPDATED AROUND MIDDAY ON 24th October 2016** Sites running an OS where patches are available (currently Debian and Ubuntu) are advised to install the new version within the next 7 days. Machines allowing unprivileged user access, such as Grid Worker Nodes, should be prioritised. At this stage a rolling update and reboot is recommended as sufficient. Other sites, running an OS where patches are not available yet should prepare the update, which they will be required to apply within 7 days when new version will be available. Sites are also encouraged to investigate workarounds (e.g. systemtap) for systems with direct unprivileged user access, such as User Interfaces. Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. Affected software details ========================= See relevant OS providers. More information ================ More information is available from RedHat [R 1] This advisory will be updated when patches become available for more different operating systems. Component installation information ================================== Sites running Debian should see [R 2] Sites running Ubuntu should see [R 3] Sites running RedHat should see [R 4] (patch not available at time of writing) Sites running Scientific Linux (SL) should see [R 5] (patch not available at time of writing) TLP and URL =========== ** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions*** URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-5195 Minor updates may be made without re-distribution to the sites Credit ====== SVG was alerted to this vulnerability by Daniel Kouril who is a member of SVG References ========== [R 1] https://bugzilla.redhat.com/show_bug.cgi?id=1384344 [R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195 [R 3] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html [R 4] https://access.redhat.com/security/cve/CVE-2016-5195 [R 5] https://www.scientificlinux.org/ Comments ======== Comments or questions should be sent to svg-rat at mailman.egi.eu If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu the EGI Software Vulnerability Group will take a look. Timeline ======== Yyyy-mm-dd [EGI-SVG-CVE-2016-5195] 2016-10-20 SVG alerted to this issue by Daniel Kouril 2016-10-20 Investigation of vulnerability and relevance to EGI carried out 2016-10-20 EGI SVG Risk Assessment completed 2016-10-20 IRTF/SVG agreed to issue an urgent heads up. 2016-10-20 'Heads up' sent to sites On behalf of the EGI SVG,