Difference between revisions of "SVG:Advisory-SVG-CVE-2021-27365"

From EGIWiki
Jump to: navigation, search
(Created page with "{{svg-header}} <pre> This advisory has not been made public yet. </pre>")
 
 
Line 3: Line 3:
 
<pre>
 
<pre>
  
This advisory has not been made public yet.  
+
Title:      EGI SVG 'ADVISORY'  [TLP:WHITE] CRITICAL risk Local Privilege Escalation via iSCSI
 +
CVE-2021-27365 [EGI-SVG-CVE-2021-27365]
 +
 
 +
Date:        2021-03-17
 +
Updated:    2021-04-19, 2021-06-01
 +
 
 +
Affected software and risk
 +
==========================
 +
 
 +
CRITICAL risk vulnerability concerning Local Privilege Escalation via iSCSI
 +
 
 +
Package : Linux iSCSI
 +
CVE ID  : CVE-2021-27363, CVE-2021-27364, CVE-2021-27365
 +
 
 +
A flaw was found in the Linux kernel. A heap buffer overflow in the iSCSI subsystem is triggered by setting an iSCSI string
 +
attribute to a value larger than one page and then trying to read it. The highest threat from this vulnerability is a
 +
Local Privilege Escalation to root. [R 1]
 +
 
 +
More information in [R 2], [R 3]
 +
 
 +
Actions required/recommended
 +
============================
 +
 
 +
** UPDATE 2021-04-19 **
 +
 
 +
Updates are now available for RHEL 7, RHEL 8, [R 1] and CentOS7 [R 5].
 +
 
 +
Updates also appear to be available for Scientific Linux, as the appropriate version of the kernel is in the repository [R 6],
 +
and notification sent [R 7] even though the errata [R 8] has not been updated.
 +
 
 +
** UPDATE 2 2021-04-19 **
 +
 
 +
All running resources MUST be either patched or have mitigation
 +
in place or software removed by 2021-04-27  00:00 UTC
 +
 
 +
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.
 +
 
 +
Note: the iSCSI subsystem is only required on hosts that actually have some need to interact with SCSI HW via a network.
 +
 
 +
 
 +
Component installation information
 +
==================================
 +
 
 +
Sites installing RHEL should see [R 1]
 +
 
 +
Sites installing CentOS7 should see [R 5]
 +
 
 +
Sites installing Scientific Linux should see [R 7]
 +
 
 +
Mitigation
 +
==========
 +
 
 +
This has been copied directly from the RedHat site [R 1]
 +
 
 +
The LIBISCSI module will be auto-loaded when required, its use can be disabled by preventing
 +
the module from loading with the following instructions:
 +
 
 +
# echo "install libiscsi /bin/true" >> /etc/modprobe.d/disable-libiscsi.conf
 +
 
 +
The system will need to be restarted if the libiscsi modules are loaded. In most circumstances,
 +
the libiscsi kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.
 +
 
 +
If the system requires iscsi to work correctly, this mitigation may not be suitable.
 +
 
 +
 
 +
More information
 +
================
 +
 
 +
At least 1 site in the UK has carried out the mitigation, and no problems have been experienced.
 +
 
 +
Sites may wish to try `lsmod | grep iscsi` to find out if iSCSI has been loaded prior to carrying out the mitigation.
 +
 
 +
An update will be provided when this vulnerability has been fixed.
 +
 
 +
TLP and URL
 +
===========
 +
 
 +
** WHITE information - Unlimited distribution
 +
  - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** 
 +
 
 +
URL:  https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-27365   
 +
 
 +
Minor updates may be made without re-distribution to the sites
 +
 
 +
 
 +
Comments
 +
========
 +
 
 +
Comments or questions should be sent to svg-rat  at  mailman.egi.eu
 +
 
 +
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to 
 +
 
 +
report-vulnerability at egi.eu
 +
 +
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4] 
 +
 
 +
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era.
 +
 
 +
 
 +
References
 +
==========
 +
 
 +
[R 1] https://access.redhat.com/security/cve/CVE-2021-27365
 +
 
 +
[R 2] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
 +
 
 +
[R 3] https://nvd.nist.gov/vuln/detail/CVE-2021-27365
 +
 
 +
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145
 +
 
 +
[R 5] https://lists.centos.org/pipermail/centos-announce/2021-April/048298.html
 +
 
 +
[R 6] http://ftp.scientificlinux.org/linux/scientific/7/x86_64/updates/security/
 +
 
 +
[R 7] https://listserv.fnal.gov/scripts/wa.exe?A2=ind2104&L=SCIENTIFIC-LINUX-ERRATA&P=76
 +
 
 +
[R 8] https://www.scientificlinux.org/category/sl-errata/
 +
 
 +
Credit
 +
======
 +
 
 +
SVG was alerted to this vulnerability by David Crooks 
 +
 
 +
 
 +
Timeline 
 +
========
 +
Yyyy-mm-dd  [EGI-SVG-2021-CVE-2021-27365]
 +
 
 +
2021-03-16 SVG alerted to this issue by David Crooks
 +
2021-03-16 Acknowledgement from the EGI SVG to the reporter
 +
2021-03-17 EGI SVG Risk Assessment completed
 +
2021-03-17 Advisory to sites to carry out mitigation
 +
2021-04-19 Advisory updated as relevant versions of linux have been fixed.
 +
2021-04-19 Further update to require sites to update in 7 days.
 +
2021-06-01 Changed to [TLP:WHITE] and placed on the wiki.
 +
 
 +
 
 +
Context
 +
=======
 +
 
 +
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose
 +
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"
 +
 
 +
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4] 
 +
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group,
 +
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending
 +
on how the software is used. 
 +
 
 +
-----------------------------
 +
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and
 +
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
 +
-----------------------------
 +
 
 +
 
 +
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity
 +
of the EGI infrastructure and the services in the EOSC-hub catalogue.
 +
 
 +
On behalf of the EGI SVG,
 +
 
 +
 
 +
 
  
 
</pre>
 
</pre>

Latest revision as of 17:35, 1 June 2021

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-CVE-2021-27365



Title:       EGI SVG 'ADVISORY'  [TLP:WHITE] CRITICAL risk Local Privilege Escalation via iSCSI 
CVE-2021-27365 [EGI-SVG-CVE-2021-27365] 

Date:        2021-03-17
Updated:     2021-04-19, 2021-06-01 

Affected software and risk
==========================

CRITICAL risk vulnerability concerning Local Privilege Escalation via iSCSI

Package : Linux iSCSI
CVE ID  : CVE-2021-27363, CVE-2021-27364, CVE-2021-27365

A flaw was found in the Linux kernel. A heap buffer overflow in the iSCSI subsystem is triggered by setting an iSCSI string 
attribute to a value larger than one page and then trying to read it. The highest threat from this vulnerability is a 
Local Privilege Escalation to root. [R 1]

More information in [R 2], [R 3]

Actions required/recommended
============================

** UPDATE 2021-04-19 **

Updates are now available for RHEL 7, RHEL 8, [R 1] and CentOS7 [R 5]. 

Updates also appear to be available for Scientific Linux, as the appropriate version of the kernel is in the repository [R 6], 
and notification sent [R 7] even though the errata [R 8] has not been updated.

** UPDATE 2 2021-04-19 **

All running resources MUST be either patched or have mitigation
in place or software removed by 2021-04-27  00:00 UTC

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 

Note: the iSCSI subsystem is only required on hosts that actually have some need to interact with SCSI HW via a network.


Component installation information
==================================

Sites installing RHEL should see [R 1]

Sites installing CentOS7 should see [R 5]

Sites installing Scientific Linux should see [R 7]

Mitigation
==========

This has been copied directly from the RedHat site [R 1] 

The LIBISCSI module will be auto-loaded when required, its use can be disabled by preventing 
the module from loading with the following instructions:

# echo "install libiscsi /bin/true" >> /etc/modprobe.d/disable-libiscsi.conf

The system will need to be restarted if the libiscsi modules are loaded. In most circumstances, 
the libiscsi kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

If the system requires iscsi to work correctly, this mitigation may not be suitable.


More information
================

At least 1 site in the UK has carried out the mitigation, and no problems have been experienced.

Sites may wish to try `lsmod | grep iscsi` to find out if iSCSI has been loaded prior to carrying out the mitigation.

An update will be provided when this vulnerability has been fixed.

TLP and URL
===========

** WHITE information - Unlimited distribution 
   - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **  

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-27365    

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4]  

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. 


References
==========

[R 1] https://access.redhat.com/security/cve/CVE-2021-27365

[R 2] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html

[R 3] https://nvd.nist.gov/vuln/detail/CVE-2021-27365

[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145

[R 5] https://lists.centos.org/pipermail/centos-announce/2021-April/048298.html

[R 6] http://ftp.scientificlinux.org/linux/scientific/7/x86_64/updates/security/

[R 7] https://listserv.fnal.gov/scripts/wa.exe?A2=ind2104&L=SCIENTIFIC-LINUX-ERRATA&P=76

[R 8] https://www.scientificlinux.org/category/sl-errata/ 

Credit
======

SVG was alerted to this vulnerability by David Crooks  


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-2021-CVE-2021-27365] 

2021-03-16 SVG alerted to this issue by David Crooks
2021-03-16 Acknowledgement from the EGI SVG to the reporter 
2021-03-17 EGI SVG Risk Assessment completed
2021-03-17 Advisory to sites to carry out mitigation
2021-04-19 Advisory updated as relevant versions of linux have been fixed.
2021-04-19 Further update to require sites to update in 7 days.
2021-06-01 Changed to [TLP:WHITE] and placed on the wiki.


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4]  
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, 
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending 
on how the software is used.   

-----------------------------
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and 
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------


Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity 
of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,