Remember to be especially aware if you have systems that can potentially have code uploaded and run (ftp to httpd vhost or improper php config and file ownership/permissions).
This does not affect el5 ... an el6 update is pending.
On 2014-05-12, James Hogarth james.hogarth@gmail.com wrote:
> This does not affect el5 ... an el6 update is pending.
Are there any mitigation steps we can take? I've chased down some of the links looking for any, but haven't had success yet.
--keith
On Mon, May 12, 2014 at 11:23 AM, Keith Keller kkeller@wombat.san-francisco.ca.us wrote:
> On 2014-05-12, James Hogarth james.hogarth@gmail.com wrote:
>> This does not affect el5 ... an el6 update is pending.
> Are there any mitigation steps we can take? I've chased down some of the links looking for any, but haven't had success yet.
According to the upstream BZ 1094232, there is a patch from kernel.org:
https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-li...
The file to patch in the RHEL/CentOS kernel seems to be drivers/char/n_tty.c
If the next kernel update does not have the fix, I can add it to the centosplus kernel.
Akemi
On 2014-05-12, Akemi Yagi amyagi@gmail.com wrote:
> According to the upstream BZ 1094232, there is a patch from kernel.org:
> https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-li...
Actually, I was wondering about mitigation along the lines of blacklisting a module, tuning a sysctl parameter, or some other mitigation that wouldn't require a new kernel. Perhaps such mitigation isn't even possible with this issue.
--keith
On 12 May 2014 22:15, "Keith Keller" kkeller@wombat.san-francisco.ca.us wrote:
> Actually, I was wondering about mitigation along the lines of blacklisting a module, tuning a sysctl parameter, or some other mitigation that wouldn't require a new kernel. Perhaps such mitigation isn't even possible with this issue.
Yeah I've not seen any mitigations that would work for CentOS.
I wonder if a systemtap module would be feasible like that one a few months or so ago.
For the time being I guess that being doubly vigilant is important.
On 12/05/14 22:11, Keith Keller wrote:
> On 2014-05-12, Akemi Yagi amyagi@gmail.com wrote:
>> According to the upstream BZ 1094232, there is a patch from kernel.org:
>> https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-li...
> Actually, I was wondering about mitigation along the lines of blacklisting a module, tuning a sysctl parameter, or some other mitigation that wouldn't require a new kernel. Perhaps such mitigation isn't even possible with this issue.
> --keith
Not specific to this issue, but you might like to look at TPE (kmod-tpe) available at elrepo.org.
http://elrepo.org/tiki/kmod-tpe
Trusted Path Execution (TPE) is a kernel module that prevents users from executing programs that are not owned by root, or are writable. This effectively blocks users (or compromised accounts) from executing code to exploit vulnerabilities such as this.
For example, taken from the README:
* Trusted Path Execution; deny execution of non-root owned or writable binaries
$ gcc -o exploit exploit.c
$ chmod 755 exploit
$ ./exploit
-bash: ./exploit: Permission denied

$ dmesg | tail -n1
[tpe] Denied untrusted exec of /home/corey/exploit (uid:500) by /bin/bash (uid:500), parents: /usr/sbin/sshd (uid:500), /usr/sbin/sshd (uid:0), /sbin/init (uid:0). Deny reason: directory uid not trusted
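The trusted-path rule described in the message above, as an added example that is not part of the original post and is not kmod-tpe's own code. It is a simplified model: it assumes only uid 0 is trusted and checks the containing directory, then the file, for non-root ownership or group/world write permission. The `Meta` records, sample paths other than the one in the README excerpt, and the reason strings other than "directory uid not trusted" are constructed.

```python
import os
import stat
from collections import namedtuple

# Constructed metadata standing in for os.stat() results (owner uid and mode).
Meta = namedtuple("Meta", "st_uid st_mode")
SAMPLE = {
    "/usr/bin": Meta(0, 0o040755), "/usr/bin/ls": Meta(0, 0o100755),
    "/home/corey": Meta(500, 0o040700), "/home/corey/exploit": Meta(500, 0o100755),
    "/tmp": Meta(0, 0o041777), "/tmp/tool": Meta(0, 0o100755),
    "/opt/app": Meta(0, 0o040755), "/opt/app/run": Meta(500, 0o100755),
}

def deny_reason(path, stat_fn=os.stat):
    """Return None when path passes the simplified rule, else why it fails."""
    parent = os.path.dirname(os.path.abspath(path))
    # Directory first: a writable or user-owned directory lets the file be swapped.
    for label, target in (("directory", parent), ("file", path)):
        meta = stat_fn(target)
        if meta.st_uid != 0:  # assumption: root is the only trusted owner
            return f"{label} uid not trusted"
        if meta.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{label} is group- or world-writable"
    return None

def audit(paths, stat_fn=os.stat):
    """Map each path that would be refused to the reason it is untrusted."""
    results = {}
    for p in paths:
        reason = deny_reason(p, stat_fn)
        if reason:
            results[p] = reason
    return results

if __name__ == "__main__":
    files = [p for p, m in SAMPLE.items() if stat.S_ISREG(m.st_mode)]
    for path, reason in sorted(audit(files, SAMPLE.__getitem__).items()):
        print(f"DENY {path}: {reason}")
```

Calling `audit()` with the default `os.stat` runs the same check against real paths, for example the document roots and upload directories mentioned at the start of the thread.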
On 12.05.2014 at 20:58, Akemi Yagi amyagi@gmail.com wrote:
> On Mon, May 12, 2014 at 11:23 AM, Keith Keller
>> Are there any mitigation steps we can take? I've chased down some of the links looking for any, but haven't had success yet.
> According to the upstream BZ 1094232, there is a patch from kernel.org:
> https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-li...
> The file to patch in the RHEL/CentOS kernel seems to be drivers/char/n_tty.c
> If the next kernel update does not have the fix, I can add it to the centosplus kernel.
Hi Akemi,
this would be great - can we push this out? Upstream is delayed (for such vuln).
-- Thanks LF
On Tue, May 13, 2014 at 2:05 AM, Leon Fauster leonfauster@googlemail.com wrote:
> On 12.05.2014 at 20:58, Akemi Yagi amyagi@gmail.com wrote:
>> On Mon, May 12, 2014 at 11:23 AM, Keith Keller
>>> Are there any mitigation steps we can take? I've chased down some of the links looking for any, but haven't had success yet.
>> According to the upstream BZ 1094232, there is a patch from kernel.org:
>> https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-li...
>> The file to patch in the RHEL/CentOS kernel seems to be drivers/char/n_tty.c
>> If the next kernel update does not have the fix, I can add it to the centosplus kernel.
> Hi Akemi,
> this would be great - can we push this out? Upstream is delayed (for such vuln).
It would help if you file an RFE at http://bugs.centos.org under the category "CentOS-6-Plus".
Akemi
"This issue does not affect the versions of Linux kernel packages as shipped with Red Hat Enterprise Linux 6.4 EUS and Red Hat Enterprise Linux 6, because they include backport of upstream commit c56a00a165 that mitigates this issue."
2014-05-12 21:13 GMT+03:00 James Hogarth james.hogarth@gmail.com:
> Remember to be especially aware if you have systems that can potentially have code uploaded and run (ftp to httpd vhost or improper php config and file ownership/permissions).
> This does not affect el5 ... an el6 update is pending.
> https://access.redhat.com/security/cve/CVE-2014-0196
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
On 15.05.2014 at 07:23, Eero Volotinen eero.volotinen@iki.fi wrote:
> 2014-05-12 21:13 GMT+03:00 James Hogarth james.hogarth@gmail.com:
>> Remember to be especially aware if you have systems that can potentially have code uploaded and run (ftp to httpd vhost or improper php config and file ownership/permissions).
>> This does not affect el5 ... an el6 update is pending.
> "This issue does not affect the versions of Linux kernel packages as shipped with Red Hat Enterprise Linux 6.4 EUS and Red Hat Enterprise Linux 6, because they include backport of upstream commit c56a00a165 that mitigates this issue."
cite: "This issue does affect the versions of the Linux kernel packages as shipped with Red Hat Enterprise Linux 6.2 AUS, Red Hat Enterprise Linux 6.3 EUS and Red Hat Enterprise MRG 2, and we are currently working on corrected kernel packages that address this issue."
-- LF
On 05/15/2014 09:22 PM, Leon Fauster wrote:
> cite: "This issue does affect the versions of the Linux kernel packages as shipped with Red Hat Enterprise Linux 6.2 AUS, Red Hat Enterprise Linux 6.3 EUS and Red Hat Enterprise MRG 2, and we are currently working on corrected kernel packages that address this issue."
That should not be an issue for CentOS as CentOS does not support old point releases. The simple answer is if you update to the latest 6.x you are not vulnerable.
Red Hat has to address this because they do have support for staying on a particular point release.
Peter
On 15.05.2014 at 12:31, Peter peter@pajamian.dhs.org wrote:
> On 05/15/2014 09:22 PM, Leon Fauster wrote:
>> cite: "This issue does affect the versions of the Linux kernel packages as shipped with Red Hat Enterprise Linux 6.2 AUS, Red Hat Enterprise Linux 6.3 EUS and Red Hat Enterprise MRG 2, and we are currently working on corrected kernel packages that address this issue."
> That should not be an issue for CentOS as CentOS does not support old point releases. The simple answer is if you update to the latest 6.x you are not vulnerable.
> RedHat has to address this because they do have support for staying on a particular point release.
Peter, sure I am with you. Anyway, to complete the big picture it's just additional information, and BTW I know people staying on older point releases for various reasons. There are several scenarios in the wild :-)
-- LF
On 15.05.2014 at 11:22, Leon Fauster leonfauster@googlemail.com wrote:
> On 15.05.2014 at 07:23, Eero Volotinen eero.volotinen@iki.fi wrote:
>> 2014-05-12 21:13 GMT+03:00 James Hogarth james.hogarth@gmail.com:
>>> Remember to be especially aware if you have systems that can potentially have code uploaded and run (ftp to httpd vhost or improper php config and file ownership/permissions).
>>> This does not affect el5 ... an el6 update is pending.
>> "This issue does not affect the versions of Linux kernel packages as shipped with Red Hat Enterprise Linux 6.4 EUS and Red Hat Enterprise Linux 6, because they include backport of upstream commit c56a00a165 that mitigates this issue."
> cite: "This issue does affect the versions of the Linux kernel packages as shipped with Red Hat Enterprise Linux 6.2 AUS, Red Hat Enterprise Linux 6.3 EUS and Red Hat Enterprise MRG 2, and we are currently working on corrected kernel packages that address this issue."
https://rhn.redhat.com/errata/RHSA-2014-0512.html
-- LF