Stack Clash / Stack Guard Page vulnerability ...

Support for security such as Firewalls and securing linux
mojorisinagain
Posts: 2
Joined: 2017/06/19 20:03:44
Location: Chicago-land

Stack Clash / Stack Guard Page vulnerability ...

Post by mojorisinagain » 2017/06/19 20:26:02

As reported by Qualys (https://blog.qualys.com/securitylabs/20 ... tack-clash), Stack Clash is a memory management vulnerability. Related vulnerabilities are CVE-2017-1000364, CVE-2017-1000365, and CVE-2017-1000367, and Qualys's advisory is at https://www.qualys.com/2017/06/19/stack ... -clash.txt

Security patch time-frame?

User avatar
avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by avij » 2017/06/19 21:08:23

See https://access.redhat.com/security/vuln ... stackguard

Note that CentOS rebuilds updates published by Red Hat when they become available, and the CentOS Project does not have any "inside" information about release dates or such.

wrc
Posts: 3
Joined: 2017/06/20 10:49:22

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by wrc » 2017/06/20 11:24:50

Yet again I'm pulling my hair over CentOS being slow to release patches for another serious bug, which there exists patches for both upstream and for Scientific Linux (not to mention other distros like Debian).

I mean, this is priv-esc (and might be exploitable remotely), which there exists PoC exploits for in the wild.

So please, can we get some decent information/somewhat ETA?

gerhard
Posts: 2
Joined: 2017/06/20 13:14:00

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by gerhard » 2017/06/20 13:23:15

@wrc As CentOS is free and the community is doing a great job, I guess there is no reason to complain about being slow.

Still, I would like to ask for an update about the patches for the Stack Clash vulnerability. From what I have read, Red Hat has released there patches already. Which from my understanding means that they can be merged into CentOS.

Red Hat announcement: https://access.redhat.com/security/vuln ... stackguard

I understand that the community might be busy working on it. I am not asking about the fix now but it would be great to get an estimate for when approximately the patches might be available.

Thanks a lot!

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by TrevorH » 2017/06/20 13:32:52

The patches for CentOS 6 are already out and propagating to the mirrors at the moment. The CentOS 7 kernels are more complicated as they need to be signed for secure boot but should be along shortly.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

wrc
Posts: 3
Joined: 2017/06/20 10:49:22

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by wrc » 2017/06/20 14:18:44

@gerhard: Yes, I do appreciate the work on CentOS (even though my initial post might seem a bit harsh), but I'd also appreciate maybe an announcement on CentOS-announce mailing list so we can schedule time for updating and rebooting hundreds of production servers. I'm just annoyed by the fact that it seems to take longer for CentOS to update when shit hits the fan and/or information being a bit lacking, when equivalent (read: Scientific Linux) does this better. They released the patches for SL6 and SL7 yesterday and announced it in their dev blog.

@TrevorH: Thank you for the update, I see the announcement hit CentOS-announce finally. Will start upgrading our CentOS 6 boxes and continue with CentOS 7 boxes after that.

User avatar
avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by avij » 2017/06/20 20:35:23

CentOS 7 updates for both glibc and kernel were pushed to mirrors a few hours ago. You should now be able to yum update to get the updates.

mojorisinagain
Posts: 2
Joined: 2017/06/19 20:03:44
Location: Chicago-land

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by mojorisinagain » 2017/06/20 21:30:24

Thank you ... appreciate the update!

yst1979
Posts: 3
Joined: 2017/06/21 06:21:08

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by yst1979 » 2017/06/21 07:24:40

Dear all,

I have updated my system with command
yum update glibc kernel*
after this, I ran test script provided by Redhat at URL
https://access.redhat.com/security/vuln ... stackguard under Diagnose section
and the result show that the kernel is still vulnerable.

May I know if more patch for CentOS will be released or should I just gnore the return message?
Please refer the imgs, thanks in advance

script test before update
Image

script test after update
Image

gerhard
Posts: 2
Joined: 2017/06/20 13:14:00

Re: Stack Clash / Stack Guard Page vulnerability ...

Post by gerhard » 2017/06/21 07:38:54

Thanks for the update! Great work! :D

Post Reply