Wednesday, August 24, 2011

Thunderbird, Firefox and WebKit vulnerabilities fixed on Ubuntu and Fedora

Ubuntu has announced that security vulnerabilities affecting WebKit libraries have been fixed and users are encouraged to upgrade. The announcement (USN-1195-1) can be found at http://www.ubuntu.com/usn/usn-1195-1/

If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. WebKit is a web content engine, derived from KHTML and KJS from KDE, and used primarily in Apple's Safari browser. It is made to be embedded in other applications, such as mail readers or web browsers.

Fedora released a new version of Firefox and Thunderbird that fixes multiple security vulnerabilities. The details can be found at http://lists.fedoraproject.org/pipermail/package-announce/2011-August/064383.html

Friday, May 20, 2011

glibc vulnerability - privilege escalation

This is an announcement that should have been posted when it was sent to the site security contact in April. Posting now to make sure it's included on the blog for everyone.

In coordination with the EGI CSIRT team.

Title: HIGH risk glibc vulnerability - privilege escalation
(CVE-2011-0536) [EGI-ADV-20110412]
Date: April 12, 2011
Last update: April 12, 2011
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/glibc-2011-04-12

Introduction
============

A flaw has been found in the dynamic linker component of the GNU
C library. A local attacker could use this flaw to escalate their
privileges via a setuid or setgid program which is dynamically linked
to a library with certain properties.

This vulnerability affects both RH5 and RH6 and their variants.

EGI CSIRT considers this to be a HIGH vulnerability for now and might
raise it to CRITICAL if a working exploit is made public.

Details
=======

The fix for CVE-2010-3847 introduced a regression in the way the dynamic
loader expanded the $ORIGIN dynamic string token specified in the RPATH and
RUNPATH entries in the ELF library header. A local attacker could use this
flaw to escalate their privileges via a setuid or setgid program using
such a library. (CVE-2011-0536)

The RH security team confirmed that the reporter of this vulnerability
indicated an intention to make the exploit public after waiting some time
to give users and downstream distros an opportunity to pick up the fix.
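An audit that helps a site see which programs are exposed while the vendor patch is being rolled out, added here as an example and not part of the EGI advisory: it lists the suid/sgid binaries whose dynamically linked libraries carry an RPATH or RUNPATH entry containing $ORIGIN, which is the combination the description above names. The function names are this example's own; the output formats relied on are those of GNU readelf and glibc's ldd.

```sh
#!/bin/sh
# Added example (not from the original advisory): find setuid/setgid binaries
# that dynamically link a library whose RPATH or RUNPATH uses $ORIGIN, the
# combination described for CVE-2011-0536.  Run as root to cover all binaries.

# has_origin_rpath: read `readelf -d` output on stdin; succeed only if an
# (RPATH) or (RUNPATH) entry mentions $ORIGIN.  Pure text processing, so it
# can be checked against constructed readelf lines.
has_origin_rpath() {
    grep -E '\((RPATH|RUNPATH)\)' | grep -q '\$ORIGIN'
}

# linked_libs BIN: absolute paths of the shared objects the loader resolves
# for BIN, taken from ldd lines of the form "libfoo.so.1 => /path (0x...)".
# ldd may execute the program it inspects, so only point it at trusted,
# vendor-installed binaries such as the setuid programs audited here.
linked_libs() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# audit_setuid_origin: enumerate suid/sgid files system-wide and report each
# (binary, library) pair where the library's RPATH/RUNPATH contains $ORIGIN.
audit_setuid_origin() {
    find / -type f \( -perm /u+s -o -perm /g+s \) 2>/dev/null |
    while read -r bin; do
        linked_libs "$bin" | while read -r lib; do
            if readelf -d "$lib" 2>/dev/null | has_origin_rpath; then
                echo "$bin -> $lib (RPATH/RUNPATH uses \$ORIGIN)"
            fi
        done
    done
}

# Usage: source this file and run `audit_setuid_origin` on each host.
```

An empty report does not prove a host is safe, since the flaw is in the loader itself and the only fix is the vendor patch; the list is for prioritising which hosts to patch first.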

Mitigation
==========

The only known mitigation is to apply the security patch from the software
vendor.

Recommendations
===============

It is STRONGLY recommended to immediately apply vendor patches when they
become available.

Vendor patches are now available from

* Ubuntu
* Debian
* RHEL5/6
* SL5/6

To be released:

* CentOS5/6

References
==========
RedHat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0536

RHEL5 update:
https://rhn.redhat.com/errata/RHSA-2011-0412.html

RHEL6 update:
https://rhn.redhat.com/errata/RHSA-2011-0413.html

SL5/6 update:
http://listserv.fnal.gov/scripts/wa.exe?A2=ind1104&L=scientific-linux-errata&T=0&P=583

SLC5 update:
http://linux.web.cern.ch/linux/updates/updates-slc5.shtml

SLC6 update:
http://linux.web.cern.ch/linux/updates/updates-slc6.shtml

Debian update:
http://lists.debian.org/debian-security-announce/2011/msg00005.html

Ubuntu update:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/001226.html

Regards,

Mingchao, EGI CSIRT security officer on duty

Tuesday, November 23, 2010

Various vulnerability notices and updates

There is a vulnerability in the libsdp package, which is used to enable an
application to communicate over the InfiniBand SDP protocol instead of
ordinary TCP:

https://bugzilla.redhat.com/show_bug.cgi?id=647941

Sites that use InfiniBand will want to look at the measures in the
notification above.




Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

https://www.redhat.com/security/data/cve/CVE-2010-3864.html
https://rhn.redhat.com/errata/RHSA-2010-0888.html




Updated systemtap packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.

https://rhn.redhat.com/errata/RHSA-2010-0894.html




There is a security vulnerability in PGP Desktop versions 10.0.3 and earlier, as well as the upcoming 10.1 release. This vulnerability may allow someone to spoof emails signed by the OSG security team. For OSG users who use this version there is a knowledge base page, as well as remediation steps, at:

https://pgp.custhelp.com/app/answers/detail/a_id/2290

Tuesday, October 19, 2010

GNU libc vulnerability

The OSG Security Team wants you to be aware of a vulnerability impacting the glibc library.

Introduction
============

Tavis Ormandy recently released information about a vulnerability in GNU libc, complete with an exploit that on many systems can give any local user root privileges. (For full details, see the link below in the References section.)

This vulnerability has been labelled CVE-2010-3847, and is present on many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3 and 4 and their derivatives). Vendor patches are not yet available.

Details
=======

As far as is known, the vulnerability can only be exploited if users can write to a file system that contains binaries with suid root permissions, since the attacker needs to create a hard link to a suid root binary.

This is, for instance, the case if /bin is located on the same filesystem as /tmp (or any other user writable location, like /var/tmp, /home, /var/lib/texmf, and so on). This is unfortunately a common configuration.

Mitigation
==========

To make the required hard link impossible, each directory containing suid/sgid binaries can be made to appear as a separate file system by running

mount -o bind /sbin /sbin

for each such directory.

Please note that these commands must be re-run whenever the system is rebooted, for example by adding them to a suitable init script.

A baseline list of directories with suid/sgid binaries on a typical RHEL 5 system is:

/bin
/sbin
/usr/bin
/usr/libexec
/usr/lpp
/usr/sbin

You should check for any additional site specific locations using a command like

find / -type f \( -perm /u+s -o -perm /g+s \)

that will list all files with suid/sgid permissions.
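The mitigation above as an idempotent script, added here as an example and not part of the original advisory: it takes the output of the find command, reduces it to the set of parent directories, and bind-mounts each onto itself unless it is already a mount point, so the same script can be called from an init script after every reboot. The function names and the optional mounts-file argument are this example's own.

```sh
#!/bin/sh
# Added example (not from the original advisory): bind-mount every directory
# that holds suid/sgid binaries onto itself, so that hard links into it cannot
# be created from user-writable locations on the same underlying file system.

# suid_dirs: read absolute file paths (one per line) on stdin and print the
# unique parent directories, sorted.  Pure text processing, so it can be
# checked against constructed input.
suid_dirs() {
    sed -e 's:/[^/]*$::' -e 's:^$:/:' | sort -u
}

# is_own_mountpoint DIR [MOUNTS]: true if DIR appears as a mount point in the
# mounts table (default /proc/self/mounts).  A bind mount of DIR onto itself
# shows up there, which is what makes the script safe to re-run.
is_own_mountpoint() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-/proc/self/mounts}"
}

# bind_suid_dirs: the advisory's find command, feeding each directory to
# "mount -o bind DIR DIR" unless it is already its own mount point.  Needs root.
bind_suid_dirs() {
    find / -type f \( -perm /u+s -o -perm /g+s \) 2>/dev/null | suid_dirs |
    while read -r d; do
        if is_own_mountpoint "$d"; then
            echo "already a mount point, skipping: $d"
        else
            mount -o bind "$d" "$d" && echo "bind-mounted: $d"
        fi
    done
}

# Call from an init script so the mounts are recreated after each reboot:
# bind_suid_dirs
```

Because it derives the directory list from the live system rather than from the baseline list above, site-specific locations are covered automatically; a directory that is already a mount point (for example /usr on its own partition) is left alone.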


Recommendations
===============

Apply the mitigation method above for all relevant locations.

You may wish to suspend user logins and job submission until these steps have been taken; please refer to your local site policy.

Apply vendor updates as soon as they become available.

References
==========

http://seclists.org/fulldisclosure/2010/Oct/257

The majority of this announcement was put together by Nuno Dias - EGI CSIRT

Wednesday, September 29, 2010

Linux Kernel "snd_ctl_new()" Integer Overflow Vulnerability SA41650

From Secunia:
http://secunia.com/advisories/41650/
Description
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

The vulnerability is caused due to an integer overflow error when allocating memory within the "snd_ctl_new()" function in sound/core/control.c, which can be exploited to cause a heap-based buffer overflow.

Criticality: Less Critical

OSG Recommendation:
If you think your systems may have this vulnerability you can consider removing or limiting access to the sound (or audio) subsystem.

Wednesday, September 22, 2010

Kernel updates for CVE-2010-3081

The OSG security team announced last week an important kernel vulnerability that affected 64-bit systems (announcement OSG-SEC-2010-09-16). Most of the vendors have now come out with patched kernels and the OSG security team is encouraging all sites to update any kernels that are currently affected.

Here are the links or instructions to the patched kernels for the following OS versions:

RedHat
https://rhn.redhat.com/errata/RHSA-2010-0704.html

Fedora
https://admin.fedoraproject.org/updates/search/CVE-2010-3081

Scientific Linux
Dear SLC5 x86_64 (64 bit) platform users.
We have released in production a new SLC5 kernel addressing the locally exploitable security issue CVE-2010-3081. This kernel 2.6.18-194.11.4.el5 supersedes the "hotfix" kernel 2.6.18-194.11.3.el5.cve20103081 released last Thursday.

In order to protect your system please urgently apply the following update by running as root:

# yum install kernel

and if your system is a Xen virtual machine or hypervisor also run:

# yum install kernel-xen

and reboot your system for the update to take effect.


Ubuntu
https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-September/001159.html

SUSE
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html

Thursday, April 29, 2010

RedHat xorg-x11-server important security vulnerability

An important vulnerability regarding RedHat xorg-x11-server has been reported. The vulnerability could lead to a root-level compromise. RedHat has classified the severity level as "important" and detailed information is available at https://rhn.redhat.com/errata/RHSA-2010-0382.html

Although the vulnerability is not likely to affect the grid environment, we recommend that all site admins apply the patch on their systems as soon as possible for their site's protection.