
Debian alert DSA-403-1 (kernel)

From:  debian-security-announce@lists.debian.org
To:  full-disclosure@lists.netsys.com
Subject:  [Full-Disclosure] [SECURITY] [DSA-403-1] userland can access Linux kernel memory
Date:  Mon, 1 Dec 2003 21:17:12 +0100

------------------------------------------------------------------------
Debian Security Advisory DSA-403-1                     security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
December 1, 2003
------------------------------------------------------------------------

Package        : kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18
Vulnerability  : userland can access full kernel memory
Problem type   : local
Debian-specific: no
CVE Id(s)      : CAN-2003-0961

Recently multiple servers of the Debian project were compromised using a Debian developer's account and an unknown root exploit. Forensics revealed a burneye-encrypted exploit. Robert van der Meulen managed to decrypt the binary, which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space.

This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.

This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and in the 2.6.0-test6 kernel tree. For Debian it has been fixed in version 2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386 kernel images and version 2.4.18-11 of the alpha kernel images.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian 3.0 (stable)
-------------------

Source archives, architecture independent packages, and binary packages for the alpha architecture (DEC Alpha) and the i386 architecture (Intel ia32), each listed with its URL under http://security.debian.org/pool/updates/main/k/ and its size/MD5 checksum.

----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org
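To make concrete why the integer overflow described above can let a heap range reach kernel memory, here is an added stand-alone illustration in user-space C (not code from the advisory, Debian or the kernel): growing the heap from addr by len must be refused both when the end lands above the user/kernel split and when addr + len wraps past zero in 32 bits, because a wrapped end looks small and passes a TASK_SIZE-only comparison. The 3 GB TASK_SIZE, the toy_mm descriptor and the sample addresses are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit addresses as on i386; user/kernel split assumed at 3 GB (TASK_SIZE). */
typedef uint32_t vaddr_t;
#define TASK_SIZE  UINT32_C(0xC0000000)
#define PAGE_SIZE  UINT32_C(0x1000)
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))

struct toy_mm { vaddr_t start_brk, brk; };   /* only what a heap check needs */

/* Incomplete test: only compares against TASK_SIZE, so an end address that
 * wrapped past zero looks small and is wrongly accepted. */
static bool range_ok_task_size_only(vaddr_t addr, vaddr_t len)
{
    return (vaddr_t)(addr + len) <= TASK_SIZE;   /* addition may wrap */
}

/* Complete test: reject both a wrapped end and an end above TASK_SIZE.
 * Either condition alone would let a heap range reach kernel addresses. */
static bool brk_range_ok(vaddr_t addr, vaddr_t len)
{
    vaddr_t end = addr + len;
    if (end < addr)                       /* integer overflow */
        return false;
    return end <= TASK_SIZE;              /* must stay inside user space */
}

/* Simulated sys_brk(): returns the resulting break, left unchanged when the
 * request is rejected, mirroring how the real call reports failure. */
static vaddr_t toy_sys_brk(struct toy_mm *mm, vaddr_t brk)
{
    vaddr_t oldbrk = PAGE_ALIGN(mm->brk), newbrk = PAGE_ALIGN(brk);
    if (brk < mm->start_brk)              /* cannot shrink below the heap start */
        return mm->brk;
    if (brk > mm->brk && !brk_range_ok(oldbrk, newbrk - oldbrk))
        return mm->brk;                   /* growth failed the bounds check */
    mm->brk = brk;                        /* shrink, or growth within bounds */
    return brk;
}

/* Run one request against a freshly constructed (sample) descriptor. */
static vaddr_t try_brk(vaddr_t start, vaddr_t cur, vaddr_t request)
{
    struct toy_mm mm = { start, cur };
    return toy_sys_brk(&mm, request);
}

int main(void)
{
    printf("into kernel space: 0x%08x\n", try_brk(0x08050000, 0x08050000, 0xC0001000));
    printf("wrapping request:  0x%08x\n", try_brk(0x08050000, 0x08050000, 0xFFFFFFF8));
    printf("weak test on wrapped range: %d\n", range_ok_task_size_only(0xFFFFF000, 0x2000));
    return 0;
}
```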



kernel 2.2 vulnerable?

Posted Dec 1, 2003 14:28 UTC (Mon) by cdamian (subscriber, #1271)

I would like to know whether Linux kernel 2.2 is vulnerable.

kernel 2.2 vulnerable? Solar says no

Posted Dec 1, 2003 20:41 UTC (Mon) by log2 (guest, #10024)

http://openwall.com/Owl/CHANGES-current.shtml
"Linux 2.2.x kernels are not affected"

kernel 2.2 vulnerable?

Posted Dec 2, 2003 2:01 UTC (Tue) by kasperd (guest, #11842)

I wrote some exploit code for the 2.4 kernel; it didn't work on 2.2.
Looks like 2.2 didn't have this vulnerability.

No protection from SELinux/-CAP_SYS_RAWIO/grsecurity/whatever

Posted Dec 1, 2003 14:34 UTC (Mon) by walters (subscriber, #7396)

Note that not even a security framework like SELinux or RSBAC will protect you against this exploit; nor will exec-shield or PaX. Everyone should upgrade ASAP.

I have a feeling we're going to be dealing with the repercussions of this for some time.

No protection from SELinux/-CAP_SYS_RAWIO/grsecurity/whatever

Posted Dec 1, 2003 14:48 UTC (Mon) by ncm (subscriber, #165)

I don't think a chroot jail would have helped, either. (Not that regular user accounts are commonly jailed.)

I wonder if this intrusion was done specifically to vent frustration that this bug/fix was not taken as sufficient to justify an immediate 2.4 release on its own merits, or that Debian didn't pick it up ahead of the 2.4.23 release. If so, it might have been a Debian developer acting, and not somebody who had hijacked his account. That would be a Good Thing, because otherwise some Debian developer's personal account somewhere is still compromised.

No protection from SELinux/-CAP_SYS_RAWIO/grsecurity/whatever

Posted Dec 1, 2003 19:45 UTC (Mon) by hmh (subscriber, #3838)

I won't even comment on the morals implied in your reply.

Anyway yes, the account of one DD WAS compromised, and yes, he knows, and yes, he has closed down all his systems, changed all passwords, and so on.

Actually, most of us took the opportunity to do a major security spring cleanup...

Drawback of stable kernel development

Posted Dec 1, 2003 14:41 UTC (Mon) by Felix.Braun (subscriber, #3032)

This appears to be the drawback of Marcelo's very stable way of maintaining the 2.4 kernel. If a fix does not make it into one release, the official kernel sources will be vulnerable for a couple of months. Of course, in theory nobody should have to run a vanilla kernel. Yet, in practice this seems to be quite common.

Drawback of stable kernel development

Posted Dec 1, 2003 15:17 UTC (Mon) by stuart (subscriber, #623)

Given that non-vanilla (distributor) kernels are quite likely to be vulnerable to this problem, it makes little difference in this example.

Stu.

Drawback of stable kernel development

Posted Dec 1, 2003 15:18 UTC (Mon) by miekg (subscriber, #4403)

Well, they did use pre-releases for .22. So they could just as easily have upgraded to the latest .23 pre-release when it became available.

I'm also glad it turned out to be a known exploit.

Drawback of stable kernel development

Posted Dec 1, 2003 15:24 UTC (Mon) by southey (subscriber, #9466)

Actually I am glad that it was not a remote exploit - known or unknown!

sysadmin's mistake

Posted Dec 1, 2003 16:13 UTC (Mon) by xose (guest, #535)

Sorry, guy. But it's not Marcelo's mistake.

Kernel hackers recommend staying with the latest distribution kernels.

ac's words

Otherwise you will have to check linux-kernel every day to know if a 'stable' kernel has some critical bug.

thread 1

thread 2

thread 3

sysadmin's mistake

Posted Dec 1, 2003 16:38 UTC (Mon) by huaz (guest, #10168)

Sorry, but it's just an excuse. What's a maintainer's job, if not applying security fixes as soon as possible?

It's the job of whoever releases a kernel, Marcelo being the most important one.

sysadmin's mistake

Posted Dec 2, 2003 13:07 UTC (Tue) by xose (guest, #535)

You are free to download the latest patches applied to the kernel in real time:

http://kernel.org/pub/linux/kernel/v2.4/testing/cset/

Release managers' mistake

Posted Dec 1, 2003 16:47 UTC (Mon) by bgilbert (subscriber, #4738)

You're confusing reality with good practice. It's true that if you want to know about security problems in the current stable kernel, you have to read lkml. The reason is that none of the kernel release managers seem to care about security*. Through the 2.2 series, security issues tended to prompt new kernel releases in fairly short order; this theory of "if you care about security, read lkml or run a kernel released by someone who gives a damn" is recent and wrong. Vanilla kernels are kernels in their own right; they're not just a bunch of code which is provided to vendors solely as a starting point for a real system. More than that, they're the only kernels backed by Linus and company; no one cares about vendor kernels except for one vendor and its user base. And so, the end result of the security apathy of Alan and the others is that the most recent official release of Linux 2.4 contained a local root exploit for three months. Does anyone really believe this to be acceptable?

* The most prominent recent example: Alan's fix to the ptrace bug broke a number of other things, but once the code was written no one was particularly interested in fixing it.

Release managers' mistake

Posted Dec 2, 2003 0:27 UTC (Tue) by Ross (subscriber, #4065)

I certainly agree with you and I had similar feelings with delayed security (and ext3 corruption) fixes for other 2.4 releases and missing security patches in 2.6 which are present in 2.4.

Release managers' mistake

Posted Dec 2, 2003 2:44 UTC (Tue) by wichert (subscriber, #7115)

Kernel release managers definitely care about security, and kernel security is always discussed by vendors and the relevant kernel folks. In this case the fix had been known for a while, but nobody realised just how dangerous this bug was. With a project as complicated and filled with subtleties, that is not all that unexpected.

Your example of Alan's fix for the ptrace bug actually is a fine counterexample of your suggestion that kernel maintainers do not care about security: it was quickly fixed even though the fix broke a few things. Alan fixed the ptrace hole quickly to fix the security problem and relied on others to fix the fallout while he could focus on more pressing issues.

Release managers' mistake

Posted Dec 2, 2003 5:41 UTC (Tue) by hppnq (subscriber, #14462)

Plus, IIRC Alan was very much involved with 2.2, which sort of makes the whole statement moot. ;-)

And of course it is the responsibility of sysadmins to apply patches or fix problems if necessary. Waiting for the next release is just not good enough, sometimes.

sysadmin's mistake

Posted Dec 2, 2003 2:47 UTC (Tue) by cbcbcb (guest, #10350)

Except that several distributions didn't know about this bug (Trustix and Mandrake have only just patched this since Debian released this info). I read lkml every day, and I don't remember seeing this bug either. I hope that Andrew Morton does a better job of publishing security fixes for 2.6.

sysadmin's mistake

Posted Dec 2, 2003 8:07 UTC (Tue) by cate (subscriber, #1359)

> (Trustix and Mandrake have only just patched this since Debian released this info)

Security issues aren't handled that way. Surely Debian advised the other distributions about the vulnerability a few days ago. The Debian attack was made between November 20 and 21. CVE set the vulnerability number on November 26 (by RedHat). According to RedHat's bugs, the bug was disclosed only today (December the first), but was already known and corrected. Surely most of the distributions had patched and corrected the kernel before the official Debian announcement. Maybe they are late in announcing it, or LWN has not yet updated the security announcements. For sure, before a security announcement is made, a few people at the major distributions know about the problem and prepare the patches.

> I read lkml every day, and I don't remember seeing this bug either.

AFAIK nobody knew about the root exploit before the attack on the Debian machines (except, naturally, some crackers). The error in the kernel seemed inoffensive.

sysadmin's mistake

Posted Dec 2, 2003 10:07 UTC (Tue) by cbcbcb (guest, #10350)

> Surely most of the distributions had patched and corrected the kernel before the official Debian announcement.

Not all of them. That was the point of my post. Look at the date in: http://lwn.net/Articles/60813/

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds