[Triumf-linux-managers] Another year, another Linux privilege-escalation vulnerability

Kelvin Raywood kray at triumf.ca
Fri Jan 7 16:00:07 PST 2011


Quick summary

This latest vulnerability affects ScientificLinux-5.  If you installed 
from a TRIUMF kickstart you don't need to do anything. You will be 
automatically protected after the overnight automatic-updates run this 
evening.

Background

In the last couple of years several Linux kernel-modules have been 
identified as being vulnerable to exploitation by a non-root user, 
resulting in the user gaining root privileges; ie. privilege escalation.
Scripts to exploit the vulnerabilities can be downloaded from the 
internet and require no special skills or knowledge to use.

Another vulnerable kernel-module has been identified in the kernel of 
RedHat Enterprise Linux-5.  Thus it affects the derivatives, 
ScientificLinux-5 and Centos-5.  See the attached message for details.

Unfortunately, there seems to be a trend in these notices arriving on 
a Friday.  Apologies to all if this is an inconvenient time to receive 
this message.

The TRIUMF-rpm workaround

RedHat have released a patched kernel which has been rebuilt by 
ScientificLinux and is already on our mirror.  Presuming that you have 
not disabled auto-updates, this kernel will already be on your system 
and so a reboot will protect you from this latest identified vulnerability.

However, rebooting is not always convenient and you can still be 
protected by ensuring that a non-root user cannot cause the vulnerable 
kernel-module to be loaded.  In 2009 I created an rpm called

         triumf-disable-vul_kmod

and encouraged all managers of SL machines to install it.  The modules 
it disables are generally not useful on workstation PCs so there is no 
downside to installing it.  Nevertheless, the uptake has been 
underwhelming.  The TRIUMF kickstart installs an rpm called 
"triumf-nodeinfo" which contains a script that sends info about the 
system each day, to a TRIUMF server.  Among the info it sends is a 
complete list of installed packages.

The TRIUMF kickstart also installs a package called 
"triumf-workstation". It is a meta-package containing no files but 
depends on "triumf-printers" and "triumf-syslog".  I have updated 
triumf-workstation so that it also depends on triumf-disable-vul_kmod. 
Thus, the nightly update will get the latest version of 
triumf-workstation which will cause triumf-disable-vul_kmod to be installed.

So as I said in the quick summary, providing that you have not disabled 
auto-updates or removed triumf-workstation, your system will 
automatically be protected from the latest vulnerability after the 
regular overnight auto-update.

If you can't wait for the overnight update, do

         yum clean metadata
         yum update triumf-workstation

--
Kel Raywood
Core Computing and Networking

-------- Forwarded Message --------
Subject: [Site-Security-Contacts] High Risk Vulnerability CVE-2010-3859 
kernel: heap overflow in tipc_msg_build() [EGI-ADV-20110701]
Date: Fri, 7 Jan 2011 17:10:08 +0200

** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20110701]

Title:       High Risk Vulnerability CVE-2010-3859 kernel: heap overflow 
in tipc_msg_build() [EGI-ADV-20110701]
Date:        January 07, 2011
Last update: January 07, 2011
URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/tipc-2011-01-07


Introduction
============

A problem in the TIPC module has been detected, with the
potential of giving any local user root privileges. This vulnerability
has been labelled CVE-2010-3859.

This vulnerability affects RHEL5 and its derivatives.

No public exploit for this issue is currently known, but the EGI CSIRT
considers this to be a high risk vulnerability.

Kernel updates from Linux vendors are available. Please note, the patched
kernel (kernel-2.6.18-194.32.1.el5) also addressed CVE-2010-3865 (RDS 
module vulnerability).

Details
=======

The tipc_msg_build() function in net/tipc/msg.c contains an exploitable 
kernel heap overflow that would allow a local user to escalate 
privileges to root by issuing maliciously crafted sendmsg() calls via 
TIPC sockets.

This issue did not affect the version of Linux kernel as shipped with 
Red Hat Enterprise Linux 3, 4, 6 and Red Hat Enterprise MRG as they did 
not include support for Transparent Inter-Process Communication Protocol 
(TIPC).

This flaw has been addressed by the following kernel version, which EGI 
CSIRT strongly recommends be deployed: kernel-2.6.18-194.32.1.el5 
(or later).

After upgrading (and rebooting) to the new kernel, it is still 
recommended to blacklist the unused kernel module (tipc).

For sites that aren't able to update their kernel, please check the
mitigation that follows to blacklist the module.

Mitigation
==========

Most systems do not utilize TIPC and can simply block the vulnerability
by blacklisting the TIPC module (after unloading it if it is present),
for instance by running this script:

------------------

#!/bin/sh

# Unload the module

if lsmod | grep -q '^tipc '; then
   echo "TIPC was loaded"
fi
rmmod tipc 2>/dev/null
if lsmod | grep -q '^tipc '; then
   echo "FAILED to unload TIPC"
fi

# Blacklist the module
echo "blacklist tipc" >> /etc/modprobe.d/blacklist

------------------

This will take effect immediately and does NOT require a reboot. The
blacklisting will stay persistent across reboots.

Please note that if you indeed use the TIPC module the only solution is
to deploy a patched kernel.


Recommendations
===============

Linux vendors have released patched kernels. Please apply the vendor kernel 
update as soon as possible.

Under exceptional circumstances, if you can not update the kernel, please 
immediately apply the mitigation described above to all user-accessible 
systems.


It is recommended to keep this module blacklisted if not needed at your 
site, even after updating the kernel.


References
==========
https://bugzilla.redhat.com/show_bug.cgi?id=645867
https://www.redhat.com/security/data/cve/CVE-2010-3859.html
https://rhn.redhat.com/errata/RHSA-2011-0004.html

http://listserv.fnal.gov/scripts/wa.exe?A2=ind1101&L=scientific-linux-errata&T=0&P=78

http://www.openwall.com/lists/oss-security/2010/10/22/2
http://marc.info/?l=linux-netdev&m=128770476511716&w=2
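For managers who want to verify a host's state before the overnight update, here is an added example (my own sketch, not the advisory's script and not part of the triumf-disable-vul_kmod rpm) that classifies a RHEL5/SL5 host as patched, mitigated or vulnerable from its running kernel release, its lsmod output and its modprobe configuration. The fixed build string comes from the advisory; the acceptance of "install tipc /bin/true" as an alternative block, and the sample inputs, are my additions.

```shell
#!/bin/sh
# Added example, not from the advisory or the TRIUMF rpm: classify a RHEL5/SL5
# host against CVE-2010-3859 from three inputs, so it can be run on constructed
# samples; on a live host pass "$(uname -r)" "$(lsmod)" "$(cat /etc/modprobe.d/*)".

FIXED_KERNEL="2.6.18-194.32.1.el5"   # fixed build named in the advisory

# Field-by-field compare of el5-style releases; prints 1 if $1 >= $2, else 0.
kernel_at_least() {
    echo "$1 $2" | awk '{
        n = split($1, a, /[.-]/); m = split($2, b, /[.-]/)
        for (i = 1; i <= n && i <= m; i++) {
            an = (a[i] ~ /^[0-9]+$/); bn = (b[i] ~ /^[0-9]+$/)
            if (!an && !bn) { print 1; exit }   # both reached the "el5" tag
            if (!an) { print 0; exit }          # $1 ran out of numeric fields
            if (!bn) { print 1; exit }
            if (a[i] + 0 > b[i] + 0) { print 1; exit }
            if (a[i] + 0 < b[i] + 0) { print 0; exit }
        }
        for (; i <= m; i++) if (b[i] ~ /^[0-9]+$/) { print 0; exit }
        print 1
    }'
}

# Prints 1 when tipc is not loaded AND modprobe config blocks it, either with
# the advisory's "blacklist tipc" or the stricter "install tipc /bin/true"
# (which also refuses an explicit modprobe); otherwise 0.
tipc_blocked() {
    printf '%s\n' "$1" | grep -q '^tipc ' && { echo 0; return; }
    if printf '%s\n' "$2" | grep -Eq '^[[:space:]]*(blacklist[[:space:]]+tipc|install[[:space:]]+tipc[[:space:]]+/bin/true)[[:space:]]*$'
    then echo 1; else echo 0; fi
}

# Verdict for (running kernel, lsmod output, modprobe config text).
cve_2010_3859_status() {
    if   [ "$(kernel_at_least "$1" "$FIXED_KERNEL")" = 1 ]; then echo patched
    elif [ "$(tipc_blocked "$2" "$3")" = 1 ];               then echo mitigated
    else echo VULNERABLE
    fi
}

# Constructed samples (not captured from a real host): tipc is still loaded,
# so the blacklist line alone does not count until rmmod has run.
SAMPLE_LSMOD="Module                  Size  Used by
tipc                   98765  0
ipv6                  123456  12"
SAMPLE_CONF="blacklist tipc
blacklist rds"
cve_2010_3859_status "2.6.18-194.26.1.el5" "$SAMPLE_LSMOD" "$SAMPLE_CONF"
```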
