SVG:Advisory-SVG-CVE-2017-2636

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-CVE-2017-2636



Title:       EGI SVG Advisory [TLP:WHITE] 'HIGH' risk linux kernel privilege escalation vulnerability 
             CVE-2017-2636 [EGI-SVG-CVE-2017-2636]

Date:        2017-03-09 
Updated:     2017-04-27

Affected software and risk
==========================

'HIGH' risk privilege escalation vulnerability affecting the Linux kernel n_hdlc module

Package : Linux kernel
CVE ID  : CVE-2017-2636

A local privilege escalation race condition in n_hdlc in linux kernel driver has been found.  [R 1], [R 2]

This vulnerability is present in all recent versions of the linux kernel prior to the patched versions. 

The most affected services are those that give shell access to unprivileged users:

- Worker Nodes
- shared User Interface hosts
- ...

 
Actions required/recommended
============================

**UPDATE 2017-04-27**   

Patched versions now available for all relevant Linux distributions.

Sites should apply vendor kernel updates if they have not done so already.


Affected software details
=========================

All recent versions of the linux kernel prior to the patched versions are affected.

More information
================

More information can be found at [R 1], [R 2], [R 3]

If this vulnerability is found to be exploitable in the EGI infrastructure it will be 
elevated to 'CRITICAL' and require sites to update urgently.  
Hence we recommend that sites update as soon as possible. 

Note that this is a new vulnerability, this is NOT an update of CVE-2017-6074 although 
the effect and risk are similar, and hence SVG is making similar recommendations.

Mitigation
==========

This vulnerability can be mitigated by disabling the n_hdlc kernel module, see [R 2] and [R 5]


Component installation information
==================================

Sites running Scientific Linux should see [R 4]

Sites running RedHat should see [R 5] 

Sites running Debian should see [R 6]

Sites running Ubuntu should see [R 7]


TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions**               
       
URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2017-2636   

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 8]  


References
==========

[R 1] http://seclists.org/oss-sec/2017/q1/569

[R 2] http://seclists.org/oss-sec/2017/q1/572

[R 3] NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2636

[R 4] https://www.scientificlinux.org/

[R 5] Red Hat https://access.redhat.com/security/cve/CVE-2017-2636

[R 6] Debian https://security-tracker.debian.org/tracker/CVE-2017-2636

[R 7] Ubuntu  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2636.html 

[R 8] https://documents.egi.eu/public/ShowDocument?docid=2538

Credit
======

SVG was alerted to this vulnerability by  Vincent Brillault 


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-CVE-2017-2636] 

2017-03-09 SVG alerted to this issue by Vincent Brillault
2017-03-09 Investigation of vulnerability and relevance to EGI carried out by 
2017-03-09 EGI SVG Risk Assessment completed
2017-03-09 Advisory/Alert sent to sites
2017-04-12 Updated packages available for all relevant distributions
2017-04-27 Advisory updated.


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 8]  
in the context of how the software is used in the EGI infrastructure. 
It is the opinion of the group, we do not guarantee it to be correct. 
The risk may also be higher or lower in other deployments depending on how the software is used.   

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group