Difference between revisions of "SVG:Advisory-SVG-CVE-2017-2636"

From EGIWiki
Jump to: navigation, search
(Minor updates to the text, as discussed over email)
Line 30: Line 30:
 
============================
 
============================
  
Sites should apply vendor kernel updates as soon as possible, if updates are available.
+
If updates are not available, sites should apply the mitigation action as soon as possible.
  
If updates are not available, sites should consider taking mitigating action.
+
if vendor kernel updates are available, sites should apply those as soon as possible.
  
 
Affected software details
 
Affected software details
Line 54: Line 54:
 
==========
 
==========
  
Mitigation is suggested in [R 2] and [R 5]
+
This vulnerability can be mitigated by disabling the n_hdlc kernel module, see [R 2] and [R 5]
  
  

Revision as of 13:45, 10 March 2017

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-CVE-2017-2636



Title:       EGI SVG Advisory [TLP:WHITE] 'HIGH' risk linux kernel privilege escalation vulnerability 
             CVE-2017-2636 [EGI-SVG-CVE-2017-2636]

Date:        2017-03-09 
Updated:    

Affected software and risk
==========================

'HIGH' risk privilege escalation vulnerability affecting the Linux kernel n_hdlc module

Package : Linux kernel
CVE ID  : CVE-2017-2636

A local privilege escalation race condition in n_hdlc in linux kernel driver has been found.  [R 1], [R 2]

This vulnerability is present in all recent versions of the linux kernel prior to the patched versions. 

The most affected services are those that give shell access to unprivileged users:

- Worker Nodes
- shared User Interface hosts
- ...

Actions required/recommended
============================

If updates are not available, sites should apply the mitigation action as soon as possible.

if vendor kernel updates are available, sites should apply those as soon as possible.

Affected software details
=========================

All recent versions of the linux kernel prior to the patched versions are affected.

More information
================

More information can be found at [R 1], [R 2], [R 3]

If this vulnerability is found to be exploitable in the EGI infrastructure it will be 
elevated to 'CRITICAL' and require sites to update urgently.  
Hence we recommend that sites update as soon as possible. 

Note that this is a new vulnerability, this is NOT an update of CVE-2017-6074 although 
the effect and risk are similar, and hence SVG is making similar recommendations.

Mitigation
==========

This vulnerability can be mitigated by disabling the n_hdlc kernel module, see [R 2] and [R 5]


Component installation information
==================================

Patches are not yet available for Red Hat Linux and its derivatives [R 4], [R 5] 

Sites running Debian should see [R 6]

Sites running Ubuntu should see [R 7]


TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions**               
       
URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2017-2636   

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 8]  


References
==========

[R 1] http://seclists.org/oss-sec/2017/q1/569

[R 2] http://seclists.org/oss-sec/2017/q1/572

[R 3] NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2636

[R 4] https://www.scientificlinux.org/

[R 5] Red Hat https://access.redhat.com/security/cve/CVE-2017-2636

[R 6] Debian https://security-tracker.debian.org/tracker/CVE-2017-2636

[R 7] Ubuntu  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2636.html 

[R 8] https://documents.egi.eu/public/ShowDocument?docid=2538

Credit
======

SVG was alerted to this vulnerability by  Vincent Brillault 


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-CVE-2017-2636] 

2017-03-09 SVG alerted to this issue by Vincent Brillault
2017-03-09 Investigation of vulnerability and relevance to EGI carried out by 
2017-03-09 EGI SVG Risk Assessment completed
2017-03-09 Advisory/Alert sent to sites
2017-??-?? Updated packages available for all relevant distributions
2017-??-?? Public disclosure


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 8]  
in the context of how the software is used in the EGI infrastructure. 
It is the opinion of the group, we do not guarantee it to be correct. 
The risk may also be higher or lower in other deployments depending on how the software is used.   

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group