SVG:Advisory-SVG-2015-CVE-2015-7183

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-2015-CVE-2015-7183




** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


EGI SVG   ADVISORY [EGI-SVG-NSS-CVE-2015-7183] 

Title:       EGI SVG Advisory - 'Critical' risk. Remote arbitrary code execution vulnerabilities 
             in the core crypto library used by RedHat. 


Date:        2015-11-06 
Updated:     


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-CVE-2015-7183

Introduction
============

RedHat has released fixes to their core crypto library which they describe as 'critical' [R 1] 

The vulnerabilities are CVE-2015-7181, CVE-2015-7182, CVE-2015-7183 and are in the US National 
Vulnerability Database (NVD) [R 2] [R 3] and [R 4] 

All three may allow remote code execution, which may be as root, for an unauthenticated attacker. 

Despite the fact that full details are not available, and we have not demonstrated that it is 
possible to carry out an attack on the EGI infrastructure, we are asking sites to update urgently.


Details
=======

See [R 1] [R 5] [R 6],

NVD entries are at [R 2], [R 3] and [R 4]

Note that RedHat is using NSS (which originally is the Netscape Secure Sockets implementation, 
nowadays used by Firefox and others) as the generic crypt library for RedHat,  used for e.g. TLS 
(and its predecessor SSL) and other certificate handling instead of OpenSSL or GnuTLS.


Risk category
=============

This issue has been assessed as 'Critical' risk by the EGI SVG Risk Assessment Team.  


Affected software
=================

All software where the SSL handshaking is based on Mozilla Network security 
services which includes RedHat and it's derivatives.

This includes Redhat Linux versions 6 and 7 and their derivatives.

GnuTLS and OpenSSL are not affected. 


Mitigation
==========

N/A


Component installation information
==================================

See RH and derivatives own documentations.

For scientific linux see  [R 7] 

Some services may need to be re-started.

Where possible it is suggested that sites re-boot after installing the updates.

If this is not possible, Site admins MUST check for ALL services that are still 
using the libnss libraries, e.g. using

    yum ps

(when available via yum-plugin-ps) 

or    

   needs-restarting

(when available via yum-utils) 


or this oneliner:
    grep -l 'libnss.*deleted' /proc/*/maps | tr -cd 0-9\\n | xargs -r ps u 




Recommendations
===============

All running resources based on Red hat and it's derivatives MUST be  patched by 2015-11-13  T21:00+01:00. 

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 


Credit
======

SVG was alerted to this vulnerability by Frederic Schaer.



References
==========

[R 1] https://rhn.redhat.com/errata/RHSA-2015-1981.html

[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7181

[R 3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7182

[R 4] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7183

[R 5] https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/

[R 6] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.1_release_notes#Security_Advisories

[R 7] https://www.scientificlinux.org/sl-errata/slsa-20151981-1/



Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions 
and comments are welcome. 



Timeline  
========
Yyyy-mm-dd

2015-11-04 Redhat released patches for these vulnerabilities
2015-11-04 Frederic Schaer alerted EGI to this announcement
2015-11-05 Acknowledgement from the EGI SVG to the reporter
2015-11-05 Risk Assessment by the EGI Software Vulnerability Group
2015-11-06 Advisory sent to sites. 



On behalf of the EGI SVG,