www.centos.org Forum Index CentOS 5 - Security Support Linux kernel vulnerability?

Linux kernel vulnerability? | #1

Jr Board Member
Joined: 2009/3/15
From Utrecht, The Netherlands
Posts: 29

Dear *,

I was flooded this morning with the following warning from EGEE Security Team (European Grid infrastructure).

"We have reports that the exploit works on various systems, including RHEL4 and 5 as well as on Ubuntu 8.10"

This sentence was referring to the following Linux kernel vulnerability reported yesterday:

"It affects all 2.4 and 2.6 kernels since 2001 on all architectures. We believe this is the public vulnerability affecting the greatest number of kernel versions."

The full post: http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

I'm not at all proficient in kernel security issues, but would like to have an opinion from CentOS community.

Seems that Linus already has a patch for the problem: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

Is this being taken care of? For non-technical experts like me, what can we do? Wait for a new kernel release?

Many thanks for your time.

Cheers, N.

Posted on: 2009/8/14 13:56

Re: Linux kernel vulnerability? | #2

Moderator
Joined: 2006/9/3
From California, US
Posts: 6921

Yes, Red Hat is aware of the issue. CentOS devs are also working on it. More info:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2692

Posted on: 2009/8/14 15:01

Re: Linux kernel vulnerability? | #4

Jr Board Member
Joined: 2009/3/15
From Utrecht, The Netherlands
Posts: 29

Great to know.
Thanks. N.

Posted on: 2009/8/14 15:14

Re: Linux kernel vulnerability? | #5

Peeking in the Member Window
Joined: 2009/8/14
From
Posts: 12

Are these modules compiled into the stock kernel used by CentOS? Or would they have to specifically be added with insmod or modprobe?

Posted on: 2009/8/14 15:51

Re: Linux kernel vulnerability? | #6

Moderator
Joined: 2006/9/3
From California, US
Posts: 6921

You can check it by running a /sbin/lsmod command on your system.

Posted on: 2009/8/14 15:55

Re: Linux kernel vulnerability? | #7

Peeking in the Member Window
Joined: 2009/8/14
From
Posts: 12

So if none of these modules show up in an lsmod then you should be alright. Is that correct?

Posted on: 2009/8/14 16:02

Re: Linux kernel vulnerability? | #8

Moderator
Joined: 2006/9/3
From California, US
Posts: 6921

That is my current understanding from what I have read and seen.

Posted on: 2009/8/14 16:04
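
An added example, not part of the thread or of any CentOS tooling: a shell sketch that extends the lsmod check discussed above by also reporting whether a module that is not currently loaded could still be loaded later (by modprobe, or automatically by the kernel on demand). The module names are assumptions (sctp and ipv6 are the ones asked about in this thread, not a confirmed list of affected modules; `example_proto` is a placeholder), the lsmod output and modprobe configuration are constructed samples, and the only blocking rule recognised is the standard modprobe `install <module> /bin/true` override.

```shell
#!/bin/sh
# Classify a kernel module as: loaded, blocked, or loadable-on-demand.
#   $1 = module name
#   $2 = output of lsmod
#   $3 = modprobe configuration text
module_state() {
    mod=$1 lsmod_out=$2 conf=$3
    # lsmod prints a header line, then the module name in column 1.
    # Exact match on the name, so "ext" does not match "ext3".
    if printf '%s\n' "$lsmod_out" |
        awk -v m="$mod" 'NR > 1 && $1 == m { f = 1 } END { exit !f }'; then
        echo loaded
        return
    fi
    # "install <mod> /bin/true" makes modprobe run that command instead of
    # loading the module, so on-demand loading through modprobe is blocked.
    if printf '%s\n' "$conf" | awk -v m="$mod" '
        $1 == "install" && $2 == m && ($3 == "/bin/true" || $3 == "/bin/false") { f = 1 }
        END { exit !f }'; then
        echo blocked
        return
    fi
    # Absent from lsmod but not blocked: it can still be loaded later.
    echo loadable-on-demand
}

# Constructed sample data (not taken from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
ipv6                  258273  12
ext3                  125513  2
jbd                    57065  1 ext3'
SAMPLE_CONF='# constructed modprobe.conf fragment
alias eth0 e1000
install sctp /bin/true'

audit() {
    for m in "$@"; do
        printf '%s: %s\n' "$m" "$(module_state "$m" "$SAMPLE_LSMOD" "$SAMPLE_CONF")"
    done
}

# On a live system (paths are an assumption for CentOS 5):
#   module_state sctp "$(/sbin/lsmod)" \
#       "$(cat /etc/modprobe.conf /etc/modprobe.d/* 2>/dev/null)"
audit ipv6 sctp example_proto
```

A result of `loadable-on-demand` is the case the plain lsmod check misses: the module is absent now, but nothing prevents it from being loaded.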

Re: Linux kernel vulnerability? | #9

Peeking in the Member Window
Joined: 2009/8/14
From
Posts: 12

Is the ipv6 module affected by this?

Posted on: 2009/8/14 16:25

Re: Linux kernel vulnerability? | #10

Moderator
Joined: 2006/9/3
From California, US
Posts: 6921

I do not know the answer to that question. Let's wait and see how CentOS devs come up with an interim solution.

Posted on: 2009/8/14 16:46

Re: Linux kernel vulnerability? | #11

Regular Board Member
Joined: 2008/3/20
From Canada
Posts: 180

Note that, as I understand it, this issue can generally only be exploited if you have local root access already, or can inject your code into a program which has local root access via cron or setuid; in which case you can do whatever you want anyway. The main exception is that SELinux appears to allow normal unconfined user processes to map memory to page zero regardless of user ID and capability settings, so as far as I can see it's only a critical issue if you do have SELinux enabled and allow a hostile user to log into the system.

There is a larger issue, however, where null pointer bugs could still be exploited if they're passed into code which calculates an offset from the null pointer which happens to end up beyond the configured lower memory limit; code which accesses ( pointer + 65536 ) would still execute if the pointer was null and the memory limit was 64k, for example. It's an interesting avenue for attacks which people will hopefully consider more carefully in future.

Posted on: 2009/8/14 19:45

Re: Linux kernel vulnerability? | #12

Moderator
Joined: 2006/9/3
From California, US
Posts: 6921

Quote:

To add some note to it ... it applies to both SELinux "enabled" and "permissive". Chances are, security-conscious admins are all affected ...

Posted on: 2009/8/14 19:57

Re: Linux kernel vulnerability? | #13

Newbie
Joined: 2009/8/15
From
Posts: 2

Quote:

That is not accurate. So long as you have the ability to run arbitrary code on a vulnerable system, you can exploit it, generally regardless of your current privilege level. This is why it is being called a "local privilege escalation" -- it can be exploited to escalate your privilege level. If it were only exploitable by root, it would not generally be considered a vulnerability, much less "privilege escalation".

Posted on: 2009/8/15 16:31

Re: Linux kernel vulnerability? | #14

Newbie
Joined: 2009/7/30
From
Posts: 7

Do you think I need to disable ipv6 module if I have already disabled sctp?

Posted on: 2009/8/15 20:58

Re: Linux kernel vulnerability? | #15

Regular Board Member
Joined: 2008/3/20
From Canada
Posts: 180

Quote:

No, your post is not accurate. This exploit _requires that you can map memory into page zero_, which is normally not mapped to anywhere and will cause a crash if any process attempts to access it. That normally requires extra privileges which ordinary users don't have, but various operating systems do allow normal users to do so, which then allows them to get root through this exploit. CentOS allows unconfined processes to do so if you have SELinux enabled, and Ubuntu does if you have Wine installed, for example. It is not generally exploitable if the operating system is not configured to allow unprivileged users to map memory into page zero; 'generally' because there's at least one program which runs as root which can be exploited to do so if it's installed.

Posted on: 2009/8/16 19:05

Re: Linux kernel vulnerability? | #16

Peeking in the Member Window
Joined: 2009/8/14
From
Posts: 12

Any timetable for when an updated kernel will be released?

Posted on: 2009/8/17 13:56

Re: Linux kernel vulnerability? | #17

Moderator
Joined: 2007/10/22
From ~/Earth/UK/England/Suffolk
Posts: 9138

I cannot answer that question directly, as it depends upon TUV.

I've just made a check of their sources and see that kernel-2.6.18-128.4.1.el5 is still current. Perhaps checking their bugtracker may give you some idea of the timeframe.

Posted on: 2009/8/17 14:49

Re: Linux kernel vulnerability? | #18

Moderator
Joined: 2006/9/3
From California, US
Posts: 6921

The URL for the upstream bugzilla can be found in note #2 ... or here:
https://bugzilla.redhat.com/show_bug.cgi?id=516949

Looks like Fedora 10 and 11 now have a patched kernel.

Posted on: 2009/8/17 15:01

Re: Linux kernel vulnerability? | #19

Moderator
Joined: 2007/10/22
From ~/Earth/UK/England/Suffolk
Posts: 9138

The Ultimate Upstream Kernel Provider (The Linux Kernel Archives) has only just released the latest stable kernel incorporating GKH's patch . . .

Posted on: 2009/8/17 15:21

Re: Linux kernel vulnerability? | #20

Newbie
Joined: 2009/8/15
From
Posts: 2

Quote:

Also known as "a vulnerable system". If an unprivileged user is unable to get arbitrary code into page 0, the system is not vulnerable to the applicable exploits. I've bolded and italicized the key part of my post for you. And unless the user has specifically taken a normally-inadvisable action (disabling SELinux) and/or acted to ensure that the relevant modules (and no one is certain all such modules have been identified) are never loaded, there is a very high probability that their system is vulnerable.

Posted on: 2009/8/17 21:21