Does CVE-2010-3081 affect Red Hat Enterprise Linux?

Sep 21st, 2010
Issue
The flaw identified by CVE-2010-3081 (Red Hat Bugzilla bug 634457) is an issue in the 32/64-bit compatibility layer of the Linux kernel, versions 2.6.26-rc1 to 2.6.36-rc4. The compat_alloc_user_space() function lacks a sanity check on its length argument and does not verify that the block of user-space memory it returns, which the kernel then writes to on behalf of the process, is a valid user-space address. This flaw was addressed upstream via git commit c41d68a5 for the 2.6 Linux kernel.

This function can be abused from any other area of the kernel in which the length argument is controllable from user space. A known example is the compat_mc_getsockopt() function for MCAST_MSFILTER, introduced in upstream git commit 42908c69 (v2.6.26-rc1).

A local, unprivileged user could use this flaw to escalate their privileges.

Red Hat Enterprise Linux 5
This issue affects the 64-bit versions of the Linux kernel shipped with Red Hat Enterprise Linux 5. Those kernels include a backport of upstream git commit 42908c69, which introduced compat_mc_getsockopt(); a local, unprivileged user can use that function to reach compat_alloc_user_space() with a user-controlled length and escalate their privileges.

A public exploit affecting Red Hat Enterprise Linux 5 was released for this issue to the Full Disclosure mailing list: http://www.seclists.org/fulldisclosure/2010/Sep/268

Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG
The Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG kernels do not include a backport of upstream git commit 42908c69; therefore, those kernels do not include compat_mc_getsockopt(). We plan to backport the missing compat_alloc_user_space() sanity checks in future Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG updates.

Note: Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG are not affected by the publicly-circulated exploit.

Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 3 is also missing the length argument sanity check, but the code that uses compat_alloc_user_space() and its equivalents does not have a user-controllable length; therefore, Red Hat Enterprise Linux 3 is not affected by this issue.

Mitigation
As suggested on the Full Disclosure mailing list, it is possible to temporarily mitigate this issue. However, the steps provided below only defeat the publicly-circulated exploit; they are insufficient for completely mitigating this vulnerability. As such, we strongly encourage you to install the updated kernel packages for Red Hat Enterprise Linux 5.

As it is possible for the exploit to leave a backdoor in memory, you may wish to perform a system reboot before following the instructions below, or perform your standard incident handling procedures.

Run the following echo command as the root user to apply the mitigation. Note that this step is not persistent, and will prevent 32-bit applications from running. It only affects the execution of new 32-bit ELF binaries: 32-bit processes that are already running are not stopped, and a 64-bit process can still reach the kernel's 32-bit compatibility system calls through the int $0x80 entry point, which is why this mitigation is not complete. If /proc/sys/fs/binfmt_misc/register does not exist, the binfmt_misc file system is not mounted and the command will fail:

# echo ':32bits:M::\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

To make this change persistent, append the above line (without the "#" character) to /etc/rc.local. The echo command above creates the following /proc/sys/fs/binfmt_misc/32bits file:

# cat /proc/sys/fs/binfmt_misc/32bits
enabled
interpreter /bin/echo
flags:
offset 0
magic 7f454c4601

This mitigation registers a new binary type that matches the '\x7fELF\x01' magic and invokes /bin/echo in place of the binary (with the binary's path as its argument) each time a 32-bit ELF binary is executed. The magic string '\x7fELF\x01' consists of two parts: the ELF magic number (first four bytes) and the class byte. '\x01' indicates a 32-bit object; '\x02' would indicate a 64-bit object. The magic field shown in the file above (7f454c4601) is the same five bytes in hexadecimal.

If you need to remove the mitigation, run the following command as the root user to restore the default behavior (and remove the above changes to /etc/rc.local if made):

# echo -1 > /proc/sys/fs/binfmt_misc/32bits

For more information, refer to http://www.kernel.org/doc/Documentation/binfmt_misc.txt.
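The mitigation steps above, collected into one script as an added example that is not part of the Red Hat article: it refuses to run when binfmt_misc is not mounted or the caller is not root, reads the entry back to verify it, appends the article's echo line to /etc/rc.local for persistence, and removes the entry again. The BINFMT_DIR and ENTRY_NAME variables, the rc file argument and the subcommand names are assumptions; they default to the paths the article uses.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: a wrapper around the binfmt_misc
# mitigation that checks its preconditions, verifies the result, persists it and
# can roll it back.  BINFMT_DIR, ENTRY_NAME and the rc file path are assumptions
# that default to the paths the article uses.
BINFMT_DIR="${BINFMT_DIR:-/proc/sys/fs/binfmt_misc}"
ENTRY_NAME="${ENTRY_NAME:-32bits}"

# Registration line for one ELF class byte: 01 matches 32-bit objects (the
# article's case), 02 would match 64-bit objects.  The \x escapes are emitted
# literally; binfmt_misc decodes them itself when it parses the magic.
binfmt_rule() {
    printf ':%s:M::\\x7fELF\\x%s::/bin/echo:' "$ENTRY_NAME" "$1"
}

# Given the text of $BINFMT_DIR/$ENTRY_NAME, return 0 only if the entry is
# enabled, points at /bin/echo and carries the magic 7f454c4601 (\x7fELF\x01).
mitigation_active() {
    status_text="$1"
    printf '%s\n' "$status_text" | grep -qx 'enabled' || return 1
    printf '%s\n' "$status_text" | grep -qx 'interpreter /bin/echo' || return 1
    printf '%s\n' "$status_text" | grep -qx 'magic 7f454c4601' || return 1
    return 0
}

# Register the entry, then read it back to confirm it is in place.  Fails
# early if binfmt_misc is not mounted (no register file) or if the register
# file is not writable (not root).
apply_mitigation() {
    if [ ! -w "$BINFMT_DIR/register" ]; then
        echo "cannot write $BINFMT_DIR/register: binfmt_misc not mounted or not root" >&2
        return 1
    fi
    printf '%s\n' "$(binfmt_rule 01)" > "$BINFMT_DIR/register" || return 1
    mitigation_active "$(cat "$BINFMT_DIR/$ENTRY_NAME" 2>/dev/null)"
}

# Append the article's echo line to an rc file (default /etc/rc.local) so the
# entry is re-registered at boot; calling it twice does not duplicate the line.
persist_mitigation() {
    rc_file="${1:-/etc/rc.local}"
    line="echo '$(binfmt_rule 01)' > $BINFMT_DIR/register"
    grep -qxF "$line" "$rc_file" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$rc_file"
}

# Unregister the entry, restoring normal execution of 32-bit binaries.
remove_mitigation() {
    [ -w "$BINFMT_DIR/$ENTRY_NAME" ] || return 1
    echo -1 > "$BINFMT_DIR/$ENTRY_NAME"
}

case "${1:-}" in
    apply)   apply_mitigation ;;
    persist) persist_mitigation ;;
    remove)  remove_mitigation ;;
    status)  if mitigation_active "$(cat "$BINFMT_DIR/$ENTRY_NAME" 2>/dev/null)"; then
                 echo "mitigation active"
             else
                 echo "mitigation not active"; exit 1
             fi ;;
esac
```

Run it as root with the `apply`, `status`, `persist` or `remove` subcommand; `status` exits non-zero when the entry is missing or disabled, which makes it usable from a post-reboot check. Like the manual steps it wraps, it only blocks the execution of new 32-bit ELF binaries and is no substitute for the updated kernel.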

Solution
This issue has been fixed in Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 5.4 Extended Update Support via the Red Hat Security Advisories RHSA-2010:0704 and RHSA-2010:0705 respectively. Future updates will address this issue for Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG.

Further Assistance
If you require assistance with mitigating this issue, or would like to request a hotfix, please contact Red Hat Support: https://access.redhat.com/support/contact/technicalSupport.html.

Revision History
2010-09-17: Article updated with mitigation based on the information provided on the Full Disclosure mailing list.
2010-09-20: Article updated to reflect that the provided mitigation steps are only meant for the publicly-circulated exploit, and do not provide complete mitigation of this issue.
2010-09-21: Article updated to reflect the release of the Red Hat Security Advisories RHSA-2010:0704 and RHSA-2010:0705, which fix the CVE-2010-3081 flaw for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 5.4 Extended Update Support. The article was also updated to clarify that the publicly-circulated exploit does not affect Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG.