SVG:Advisory-SVG-CVE-2017-6074

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-CVE-2017-6074




Title:       EGI SVG Advisory [TLP:WHITE] 'HIGH' risk CVE-2017-6074 linux kernel (DCCP)
             privilege escalation vulnerability  [EGI-SVG-CVE-2017-6074] 

Date:        2017-02-28 
Updated:     


Affected software and risk
==========================

HIGH risk Root escalation vulnerability affecting the Linux kernel in DCCP module

Package : kernel
CVE ID  : CVE-2017-6074

A double-free vulnerability has been found in the linux kernel module 'DCCP', which might 
allow unprivileged local users to escalate their privileges.
This vulnerability is present in all recent versions of the linux kernel prior to the patched versions. 

The most affected services are those that give shell access to unprivileged users:

- Worker Nodes
- shared User Interface hosts
- ...

This follows on from the 'Heads up' send on Thursday 23rd February. 

Actions required/recommended
============================

Sites should apply vendor kernel updates as soon as possible. 

If sites have disabled Security-Enhanced Linux (SELinux) and do not have DCCP disabled they 
should update or disable DCCP urgently.  


Affected software details
=========================

All versions of the linux kernel prior to the patched versions are affected. 

More information
================

The vulnerability itself may be considered 'CRITICAL'

As far as we are aware, this issue is only exploitable if DCCP is NOT disabled. 

Additionally, Security-Enhanced Linux (SELinux) protects against this exploit, 
therefore it is only exploitable if SELinux is disabled. 

The successful use the exploit has requirements on the environment which do not seem to be 
fulfilled at most sites, making a definite assessment between HIGH or CRITICAL difficult. 
This vulnerability has been assessed as 'HIGH' risk rather than 'CRITICAL' for the EGI 
infrastructure at present. However if it is found to be exploitable in the EGI infrastructure 
this will be elevated to 'CRITICAL' and require sites to update urgently.  
Hence we recommend that sites update as soon as possible. 

Also see:--

Original announcement [R 1]

National vulnerability Database [R 2] 

Proof of concept exploit made public [R 3]

Also [R 11]


Mitigation
==========

This vulnerability can be mitigated by disabling DCCP completely. On standard distributions, 
where it's present as a kernel module, this can be achieved by
either:
- Adding a modprobe configuration file to disable dccp by running:
```
echo "install dccp /bin/true" >> /etc/modprobe.d/CVE-2017-6074.conf
```
- Removing all DCCP kernel modules from /lib/modules

If the DCCP kernel module is already loaded (lsmod | grep dccp), a reboot might be needed 
to unload the module (rmmod will fail if still in use). Please note however that most systems 
don't load this module and a loaded module should be investigated as it could be from an exploitation attempt.

For other systems, where DCCP is statically compiled in the kernel these mitigations cannot be 
applied and a new kernel has to be built and deployed.  Check as follows:

grep CONFIG_IP_DCCP /boot/config-$(uname -r)

or:

zgrep CONFIG_IP_DCCP /proc/config.gz

In the output 'm' means module, 'y' means compiled in the kernel directly.



Component installation information
==================================

Patches have been made for all relevant versions of the linux kernel.

Sites running scientific linux should see [ R 4] 

Sites running RedHat or CentOS should see [R 5], [R 6], [R 7]

Sites running Debian should See [R 8]

Sites running Ubuntu should see [R 9]



TLP and URL
===========

** WHITE information - Unlimited distribution 
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***      

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2017-6074   

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 10]  


References
==========

[R 1] http://seclists.org/oss-sec/2017/q1/471

[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6074

[R 3] http://seclists.org/oss-sec/2017/q1/503

[R 4] https://www.scientificlinux.org

[R 5] Red Hat https://access.redhat.com/security/cve/CVE-2017-6074

[R 6] https://access.redhat.com/errata/RHSA-2017:0293

[R 7] https://access.redhat.com/errata/RHSA-2017:0294

[R 8] Debian https://security-tracker.debian.org/tracker/CVE-2017-6074

[R 9] Ubuntu https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6074.html

[R 10] https://documents.egi.eu/public/ShowDocument?docid=2538

[R 11] https://threatpost.com/impact-of-new-linux-kernel-dccp-vulnerability-limited/123863/

Credit
======

SVG was alerted to this vulnerability by Tobias Dussa from EGI SVG.

Vulnerability originally discovered by Andrey Konovalov from Google.


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-CVE-2017-6074] 

2017-02-22 SVG alerted to this issue by Tobias Dussa.
2017-02-22 Investigation of vulnerability and relevance to EGI carried out 
2017-02-23 'Heads Up' sent to sites
2017-02-24 Updated packages available, including for Scientific Linux.
2017-02-26 Proof of concept exploit made public
2017-02-27 SVG members investigating further 
2017-02-28 EGI SVG Risk Assessment completed
2017-02-28 Advisory sent to sites


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 10]  
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, 
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending 
on how the software is used.   

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group



On behalf of the EGI SVG,




'Heads up' is available from Advisory-SVG-2017-6074