Weekly Edition
Return to the Front page
| |||||||||||||
Distribution security response timesTwo high-profile kernel bugs—with publicly released exploits—have recently been making news. Both can be used by local attackers to gain root privileges, which makes them quite dangerous for systems that allow untrusted users to log in, but they might also be used in conjunction with other flaws to produce a remote root exploit. They are, in short, just the kinds of vulnerabilities that most system administrators would want to patch quickly, so a look at how distributions have responded seems warranted. The vulnerabilities lie in the x86_64 compatibility layer that allows 32-bit binaries to be run on 64-bit systems (see the Kernel page article for more details). In particular, that code allows 32-bit programs to make system calls on a 64-bit kernel. One of the bugs, CVE-2010-3301, was reintroduced into the kernel in April 2008, seven months after being fixed as CVE-2007-4573. The second, CVE-2010-3081, was discovered in the process of finding the first, and had been in the kernel since 2.6.26, which was released in July 2008. Obviously, these are long-standing kernel holes that may have been available to attackers for as long as two-and-a-half years. In fact, a posting on the full-disclosure mailing lists claims that CVE-2010-3081 was known by a shadowy group called "Ac1db1tch3z" since the code causing the bug was committed in April 2008. Included in the post was a working exploit. Ben Hawkes found and reported both of the vulnerabilities and fixes for both were quickly committed to the mainline kernel. Both were committed on September 14, but it is clear that at least CVE-2010-3081 was known a week earlier. Stable kernels were released on September 20, and some distributions had fixes out on September 17. While enterprise kernels (e.g. RHEL, SLES) tend to be based on fairly old kernels (RHEL 5 is 2.6.18-based, while SLES 11 is 2.6.27-based), the distributors often backport features from newer kernels. Unsurprisingly, that can sometimes lead to backporting bugs along with the features. For RHEL, that meant that it was vulnerable to CVE-2010-3081 even though that code came into the kernel long after 2.6.18. On September 21, Red Hat issued updates for RHEL 5 and 5.4 to fix that problem. CentOS, which necessarily lags RHEL by at least a few hours, has a fix for CVE-2010-3081 available for CentOS 5 now as well. For SLES, the situation is a little less clear. Based on its kernel version, it should be vulnerable to both flaws, but no updates have been issued as of this writing. In a separate advisory on September 21, SUSE noted (in the "Pending Vulnerabilities ..." section) that it was working on fixes for both. For the more community-oriented distributions (Debian, Fedora, openSUSE, Ubuntu, and others), the response has been somewhat mixed. Ubuntu, Debian, and Fedora had fixes out on September 17 for both bugs (or, in the case of Debian, just one, as its stable distribution ("Lenny") is based on 2.6.26 and thus not vulnerable CVE-2010-3301). openSUSE has yet to release a fix and none of the secondary distributions that we track (Gentoo, Mandriva, Slackware, etc.) has put out a fix either. How quickly can users and administrators expect security fixes? The enterprise vendors, who are typically more cautious before issuing an update, took a week or more to get fixes in the hands of their users. Meanwhile, exploits have been published and have been used in the wild. That has to make a lot of system administrators very nervous. Those running SUSE-based systems must be even more worried. A one-week delay (or more depending on where you start counting) may not seem like a lot of time, but for critical systems, with lots of sensitive data, it probably seems pretty long. Local privilege escalation flaws are often downplayed because they require a local user on the system to be useful. But that thinking has some flaws of its own. On even a locked-down system, with only trusted users being able to log in, there may be ways for local exploits to be turned into remote exploits. Compromised user accounts might be one way for an attacker to access the system, but there is a far more common route: network services. One badly written, or misconfigured, web application, for example, might provide just the hole that an attacker needs to get their code running on the system. Once that happens, they can use a local privilege escalation to compromise the entire system—and all the data it holds. Since many servers sit on the internet and handle lots of web and other network traffic, compromising a particular, targeted system may not be all that challenging to a dedicated attacker. Using a "zero day" vulnerability in a widely deployed web application might make a less-targeted attack (e.g. by script kiddies) possible as well. While most of the "big four" community distributions were quick to get out updates for these problems, they still left a window that attackers could have exploited. That is largely unavoidable unless there were embargoes enforced on sensitive patches flowing into the mainline kernel—something that Linus Torvalds has always been opposed to. Then, of course, there is the (much larger) window available to those who closely track kernel development and notice these bugs as they get introduced. That is one of the unfortunate side-effects of doing development in the open. While it allows anyone interested to look at the code, and find various bugs—security or otherwise—it does not, cannot, require that those bugs get reported. We can only hope that enough "white hat" eyes are focused on the code to help outweigh the "black hat" eyes that are clearly scrutinizing it. For distributors, particularly Red Hat and Novell, it may seem like these flaws are not so critical that the fixes needed to be fast-tracked. Since there are, presumably, no known, unpatched network service flaws in the packages they ship, a local privilege escalation can be thwarted by a more secure configuration (e.g. no untrusted users on critical systems). While true in some sense, it may not make those customers very happy. There are also plenty of systems out there with some possibly untrusted users. Perhaps they aren't the most critical systems, but that doesn't mean their administrators want to turn them over to attackers. It really seems like updates should have come more quickly in this case, at least for the enterprise distributions. As we have seen, a reputation for being slow to fix security problems is a hard one to erase; hopefully it's not a reputation that Linux is getting. (Log in to post comments)
Distribution security response times Posted Sep 23, 2010 5:39 UTC (Thu) by brouhaha (subscriber, #1698) [Link] Ubuntu, Debian, and Fedora had fixes out on September 17 for both bugsUnless you're counting the testing repository, Fedora's fix for CVE-2010-3081 was not available until September 21. Since most users don't use the testing repository, I think September 21 is the appropriate day to say that Fedora "had fixes out". I don't track Ubuntu and Debian, so I'm not sure how they compare regarding general availability of their fixes.
Third party web applications + privilege escalation Posted Sep 23, 2010 8:01 UTC (Thu) by Cato (subscriber, #7643) [Link]
Vulnerabilities of this severity should certainly be fixed faster, particularly for shared web hosts or VPSs with more than one site. Users will often install a web application such as WordPress or Joomla, which itself enables installation via a web console of third party plugins/extensions that often have security holes, and neither the web app or the plugins are systematically kept up to date by many people. Many users of these apps know nothing about Linux, installing the app via a control panel and the plugins via the app.
The result is that a single web app on a shared server with a single vulnerable plugin can result in the whole server being compromised.
Distribution security response times Posted Sep 23, 2010 10:08 UTC (Thu) by DaveK (subscriber, #2531) [Link] "Since there are, presumably, no known, unpatched network service flaws in the packages they ship, ..." Which is an interesting situation for the users to be in given that until the last week or so there were no 'known' unpatched flaws in the kernel packages they ship.
Distribution security response times Posted Sep 23, 2010 10:53 UTC (Thu) by jengelh (subscriber, #33263) [Link]
>For SLES, the situation is a little less clear.
man@centaur:~> cat /etc/SuSE-release
No root.
Distribution security response times Posted Sep 23, 2010 11:37 UTC (Thu) by wookey (subscriber, #5501) [Link]
ooh, that hurts my eyes. Is leet-script really still cool?
Distribution security response times Posted Sep 23, 2010 11:55 UTC (Thu) by nix (subscriber, #2304) [Link]
If you are a teenager, perhaps. (Personally I was fond of good typesetting even then, being quite capable of producing unreadable gibberish merely by putting pen to paper: so producing it intentionally didn't seem so attractive. I wonder if the author of this exploit has copperplate handwriting? :) )
Distribution security response times Posted Sep 23, 2010 13:03 UTC (Thu) by jengelh (subscriber, #33263) [Link]
However, the testcase on http://sota.gen.nz/compat2/ does affect said kernel.
Exploit fails =/> not vulnerable Posted Sep 23, 2010 15:50 UTC (Thu) by price (subscriber, #59790) [Link] You can never rely on an exploit failing to tell you that a system is not vulnerable -- it may fail for some dumb reason that a skilled attacker could fix. Novell says "SUSE Linux Enterprise Server 9, 10, 11, all service packs, and also openSUSE 11.1 - 11.3" are all affected. I don't have a SUSE machine handy, nor SUSE kernel sources, so I can't confirm what the story is -- they may just mean they're in the same boat as RHEL 4, where they don't have compat_mc_getsockopt() but there may be other compat_alloc_user_space() call sites that are vulnerable. That'd take some real work to exploit, if it's possible at all. But I'd bet that at least the newer releases do have compat_mc_getsockopt() and are vulnerable (before yesterday's update), and that it wouldn't be too hard to modify ABftw.c to work.
Distribution security response times Posted Sep 23, 2010 12:33 UTC (Thu) by mpagano (subscriber, #46586) [Link]
Gentoo released the following kernels on 9/21/2010, which contained the fix:
gentoo-sources-2.6.32-r18
Distribution security response times Posted Sep 23, 2010 14:21 UTC (Thu) by pzb (subscriber, #656) [Link] For SLES, the situation is a little less clear. Based on its kernel version, it should be vulnerable to both flaws, but no updates have been issued as of this writing. Updates for SLES9, SLES10, and SLES11 came out on September 22, probably just a little late for this article.
Distribution security response times Posted Sep 23, 2010 18:03 UTC (Thu) by kees (subscriber, #27264) [Link]
I think it's a bit of an over-sight that the article doesn't consider Ubuntu as an "Enterprise" distribution. It's used just like other distros with "Enterprise" in their name, especially the Ubuntu Long Term Support releases.
I'm pretty surprised that the other distros besides Ubuntu and Debian took at least 4 extra days to get these critical fixes published. But more than that, I'm terribly disappointed in the upstream handling of these problems. While blackhats following kernel development closely might be finding vulnerabilities, enabling any script-kiddie in the world to gain local root privileges is seriously irresponsible. These weren't unclear fixes; upstream knew these were critical issues, and they didn't bother to create a coordinated release with the distros, leaving Linux users vulnerable to the response times of their selected distro kernel teams.
If upstream had bothered to even suggest a 1 week embargo, every single distribution would have had updates ready, leaving the window of vulnerability to script kiddies closed. I think it's negligent that they don't even follow their own documented policies on disclosure. Since the issues were not public, they should have gone with a week:
Slackware response Posted Sep 23, 2010 20:06 UTC (Thu) by roelofs (guest, #2599) [Link] none of the secondary distributions that we track (Gentoo, Mandriva, Slackware, etc.) has put out a fix either.Slackware's was released yesterday by 1:30pm US/Pacific, several hours earlier than the LWN weekly edition:
Date: Wed, 22 Sep 2010 13:27:24 -0700 (PDT) From: Slackware Security Team <security slackware com> To: slackware-security slackware com Subject: [slackware-security] 64-bit kernel (SSA:2010-265-01) Even given the 1.5-hour delivery delay (to my account, anyway), it seems like the article could have been updated accordingly. Greg
Slackware response Posted Sep 25, 2010 16:52 UTC (Sat) by BradReed (subscriber, #5917) [Link]
Although it was nice to see that Pat issued a security fix, I haven't used a distro kernel on my Slackware systems in ages. The first thing I do is rebuild to suit the hardware I'm on. Once I do that, I feel it is on me to keep my kernel up-to-date.
Distribution security response times Posted Sep 26, 2010 4:47 UTC (Sun) by ras (subscriber, #33059) [Link]
> For distributors, particularly Red Hat and Novell,
> it may seem like these flaws are not so critical > that the fixes needed to be fast-tracked.
Given that every index page (index.html, and cousins) was overwritten in a mass defacement on my hosting provider on the 19th, I'd say they disagree. They said they were running RedHat EL, and were bemoaning the fact that RedHat still hadn't released a patch when I spoke to them 24 hours later. In the mean time they had developed a work around by developing their own ksplice patch.
The poor buggers said they could restore what was lost in a few hours. At some time later it dawned restore 2Tb of tiny files was going to take more than just a few hours, and in the end it took a few days. The guy I spoke to hadn't been to sleep since it happened.
|
|||||||||||||