[Triumf-linux-managers] Re: vulnerability in SL-5 64-bit kernel
Kelvin Raywood
kray at triumf.ca
Wed Sep 22 10:36:33 PDT 2010
*IMPORTANT* If you manage one or more 64-bit SL-5 machines then please
read this message.
RedHat released an updated SL-5 kernel that fixes the
privilege-escalation vulnerability that was reported last week. The new
version is

    kernel-2.6.18-194.11.4.el5

and is now on our mirror for all SL-5 versions. However, it was not on
our mirror overnight so it was not installed by the nightly update. You can
update manually with

    yum clean metadata
    yum update
    reboot

If you disabled execution of 32-bit binaries with triumf-disable-elf32, then
once the new fixed kernel is running you can re-enable them by
removing the rpm.

    yum remove triumf-disable-elf32

Alternately, before rebooting you can disable the service.

    chkconfig triumf-disable-elf32 off

If you rebooted before doing this, then stop the service manually.

    service triumf-disable-elf32 stop

This vulnerability is widely known and easy to exploit so it has been
deemed critical by the LHC-Computing-Grid security team. I have
forwarded their message below. You'll note that they will boot sites
off the grid that don't update their machines within a week.
If you manage a 64-bit SL-5 machine that has multiple users then the
TRIUMF Computer-Security Committee feels that it is imperative that you
either install triumf-disable-elf32, or update the kernel and reboot. If
you don't do either of these, then it is your responsibility to inform
your users that their account and password are at risk of being captured
if any user on the system has a weak password or an account that has
been compromised in some other way. In particular:
* Don't ssh into a vulnerable machine using a password; use only an
ssh-key.
* Don't ssh from a vulnerable machine to anywhere else.
--
Kel Raywood
TRIUMF Computer Security Committee
--Begin Forwarded Message--
From nixon at nsc.liu.se Wed Sep 22 07:43:48 2010
Date: Wed, 22 Sep 2010 16:42:54 +0200
From: Leif Nixon <nixon at nsc.liu.se>
To: site-security-contacts at mailman.egi.eu
Subject: [Site-Security-Contacts] Mandatory updates for critical vulnerability CVE-2010-3081 [TLP:GREEN]
** GREEN information - Community wide distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
Dear site security contacts,
Official updates that fix the recent CVE-2010-3081 vulnerability are now
available, see references below.
You are asked to please update all worker nodes, login servers and other
user-accessible systems as soon as possible.
Since this vulnerability has been classified as critical by the EGI
CSIRT, there is a *seven day deadline* to update your systems. This
means your systems must be updated by September 29 21:00 UTC (23:00
CEST).
Failure to do so may ultimately lead to site suspension.
Naturally, if you have already fixed the vulnerability by e.g. compiling
your own patched kernel or installing the previously announced SLC5
update kernel from the testing repository, you need not take any further
action.
References:
SLC5: http://linux.web.cern.ch/linux/news.shtml#cve20103081-Sept22
SL5: http://ftp.scientificlinux.org/linux/scientific/5x/x86_64/updates/security/repoview/kernel.html
Red Hat: https://rhn.redhat.com/errata/RHSA-2010-0704.html
CentOS: http://lists.centos.org/pipermail/centos-announce/2010-September/017019.html
Fedora: http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047943.html
Debian: http://www.debian.org/security/2010/dsa-2110
Ubuntu: http://www.ubuntu.com/usn/usn-988-1
Background information: https://access.redhat.com/kb/docs/DOC-40265
--
Leif Nixon - EGI CSIRT
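
A check for the "once the new fixed kernel is running" step in the message above, as an added example that is not part of the original e-mail: it compares the running kernel (`uname -r`, not the installed rpm) with the fixed version the message names, so an updated but not yet rebooted machine still reports as vulnerable. The function names and status keywords are hypothetical, and treating any later el5 kernel as fixed is an assumption.

```sh
#!/bin/sh
# Added example, not part of the original message.
# Function names and status keywords are hypothetical.
FIXED_KERNEL="2.6.18-194.11.4.el5"   # fixed version named in the message

# Return 0 if kernel release $1 is at least release $2, else 1.
# Compares the numeric fields before ".el" left to right, so
# 194.11.4 > 194.11.3 > 194 (missing fields count as 0).
release_ge() {
    a=$(echo "${1%%.el*}" | tr '.-' '  ')
    b=$(echo "${2%%.el*}" | tr '.-' '  ')
    set -- $a
    for want in $b; do
        have=${1:-0}
        if [ $# -gt 0 ]; then shift; fi
        if [ "$have" -gt "$want" ]; then return 0; fi
        if [ "$have" -lt "$want" ]; then return 1; fi
    done
    return 0
}

# Print one status keyword for a machine type ($1, from `uname -m`)
# and a running kernel release ($2, from `uname -r`).
elf32_advice() {
    case "$1" in
        x86_64) ;;
        *) echo "not-64bit"; return 0 ;;      # message covers 64-bit SL-5 only
    esac
    case "$2" in
        *.el5*) ;;
        *) echo "unknown-kernel"; return 0 ;; # not an el5 kernel: check by hand
    esac
    if release_ge "$2" "$FIXED_KERNEL"; then
        # Assumption: releases after the fixed one keep the fix.
        echo "fixed"       # workaround no longer needed
    else
        echo "vulnerable"  # keep triumf-disable-elf32; yum update and reboot
    fi
}

# Report on the machine this runs on.
echo "running kernel $(uname -r): $(elf32_advice "$(uname -m)" "$(uname -r)")"
```

Only when the status is `fixed` does the `yum remove triumf-disable-elf32` step from the message apply.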