Friday, April 20, 2012

Kernel and GridEngine updates this week

Kernel update for Red Hat and Scientific Linux

Red Hat and Scientific Linux have both released updated kernel packages to address a local denial of service vulnerability in the xfrm6_tunnel kernel module.
The Red Hat announcement is here.

Updates to Oracle Grid Engine

Oracle has released updates to Oracle Grid Engine to address two local privilege escalation vulnerabilities, one in the qrsh component and the other in sgepasswd.
The Oracle advisory is here.

Friday, April 6, 2012

A Couple Noteworthy Security Updates

Apple Update for Java

Apple has released an update for Java for Lion and Snow Leopard to address critical vulnerabilities that can lead to the compromise of systems using Java, especially in web browsers. Systems are being actively exploited in the wild. At this time, we have not yet received reports of infected Macs from OSG users; however, reports estimate that over 600,000 Macs have been compromised so far: [PC World Article]

Apple's original announcement is here: [Apple Announcement]

A good quick guide to checking if your Mac is infected is available here: [Lifehacker Article]

RHEL/SL Update for RPM

Red Hat and Scientific Linux have both released updated RPM packages to address an important vulnerability. It is possible for maliciously crafted RPM files to compromise a system before the RPM signature is checked. More information is available here: [Red Hat Announcement]

Friday, March 30, 2012

Moderate vulnerability in OpenSSL packages

New OpenSSL packages have been released by Red Hat Enterprise Linux and Scientific Linux to address moderate-severity vulnerabilities that could be used for remote denial of service attacks and possibly for decrypting encrypted messages.

More information is available at the links below:

Wednesday, August 24, 2011

Thunderbird, FireFox and WebKit vulnerabilities fixed on Ubuntu and Fedora

Ubuntu has announced that security vulnerabilities affecting WebKit libraries have been fixed and users are encouraged to upgrade. The announcement can be found at http://www.ubuntu.com/usn/usn-1195-1/. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. WebKit is a web content engine, derived from KHTML and KJS from KDE, and used primarily in Apple's Safari browser. It is made to be embedded in other applications, such as mail readers or web browsers.

Fedora released a new version of FireFox and Thunderbird that fixes multiple security vulnerabilities. The details can be found at http://lists.fedoraproject.org/pipermail/package-announce/2011-August/064383.html

Friday, May 20, 2011

glibc vulnerability - privilege escalation

This is an announcement that should have been posted when it was sent to the site security contact in April. Posting now to make sure it's included on the blog for everyone.

In coordination with the EGI CSIRT team.

Title: HIGH risk glibc vulnerability - privilege escalation
(CVE-2011-0536) [EGI-ADV-20110412]
Date: April 12, 2011
Last update: April 12, 2011
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/glibc-2011-04-12

Introduction
============

A flaw has been found in the dynamic linker component of the GNU
C library. A local attacker could use this flaw to escalate their
privileges via a setuid or setgid program which is dynamically linked
to a library with certain properties.

This vulnerability affects both RH5 and RH6 and their variants.

EGI CSIRT considers this to be a HIGH vulnerability for now and might
raise it to CRITICAL if a working exploit is made public.

Details
=======

The fix for CVE-2010-3847 introduced a regression in the way the dynamic
loader expanded the $ORIGIN dynamic string token specified in the RPATH and
RUNPATH entries in the ELF library header. A local attacker could use this
flaw to escalate their privileges via a setuid or setgid program using
such a library. (CVE-2011-0536)

The Red Hat security team confirmed that the reporter of this vulnerability
indicated an intention to make the exploit public after waiting some time
to give users and downstream distributions an opportunity to pick up the fix.

Mitigation
==========

The only known mitigation is to apply the security patch from the software
vendor.

Recommendations
===============

It is STRONGLY recommended to immediately apply vendor patches when they
become available.

Vendor patches are now available from

* Ubuntu
* Debian
* RHEL5/6
* SL5/6

To be released:

* CentOS5/6

References
==========
RedHat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0536

RHEL5 update:
https://rhn.redhat.com/errata/RHSA-2011-0412.html

RHEL6 update:
https://rhn.redhat.com/errata/RHSA-2011-0413.html

SL5/6 update:
http://listserv.fnal.gov/scripts/wa.exe?A2=ind1104&L=scientific-linux-errata&T=0&P=583

SLC5 update:
http://linux.web.cern.ch/linux/updates/updates-slc5.shtml

SLC6 update:
http://linux.web.cern.ch/linux/updates/updates-slc6.shtml

Debian update:
http://lists.debian.org/debian-security-announce/2011/msg00005.html

Ubuntu update:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/001226.html

Regards,

Mingchao, EGI CSIRT security officer on duty

Tuesday, November 23, 2010

Various vulnerability notices and updates

There is a vulnerability in the libsdp package, which is used to enable an
application to communicate over the InfiniBand SDP protocol instead of
ordinary TCP:

https://bugzilla.redhat.com/show_bug.cgi?id=647941

Sites that use infiniband will want to look at the measures in the
notification above.




Updated openssl packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

https://www.redhat.com/security/data/cve/CVE-2010-3864.html
https://rhn.redhat.com/errata/RHSA-2010-0888.html




Updated systemtap packages that fix two security issues are now available
for Red Hat Enterprise Linux 5 and 6.

https://rhn.redhat.com/errata/RHSA-2010-0894.html




There is a security vulnerability in PGP Desktop versions 10.0.3 and
earlier, as well as the upcoming 10.1 release. This vulnerability
may allow someone to spoof emails signed by the OSG security team.
For OSG users who use this version there is a knowledge base page,
as well as remediation steps at:

https://pgp.custhelp.com/app/answers/detail/a_id/2290

Tuesday, October 19, 2010

GNU libc vulnerability

The OSG Security Team wants you to be aware of a vulnerability impacting the glibc library.

Introduction
============

Tavis Ormandy recently released information about a vulnerability in GNU libc, complete with an exploit that on many systems can give any local user root privileges. (For full details, see the link below in the References section.)

This vulnerability has been labelled CVE-2010-3847, and is present on many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3 and 4 and their derivatives). Vendor patches are not yet available.

Details
=======

As far as is known, the vulnerability can only be exploited if users can write to a file system that contains binaries with suid root permissions. (Since it is necessary for the attacker to create a hard link to a suid root binary.)

This is, for instance, the case if /bin is located on the same filesystem as /tmp (or any other user writable location, like /var/tmp, /home, /var/lib/texmf, and so on). This is unfortunately a common configuration.

Mitigation
==========

To make it impossible to create the required hard link, directories containing suid/sgid binaries can be made to appear as separate file systems by doing

mount -o bind /sbin /sbin

for each such directory.

Please note that these commands must be re-run whenever the system is rebooted, for example by adding them to a suitable init script.

A baseline list of directories with suid/sgid binaries on a typical RHEL 5 system is:

/bin
/sbin
/usr/bin
/usr/libexec
/usr/lpp
/usr/sbin

You should check for any additional site specific locations using a command like

find / -type f \( -perm /u+s -o -perm /g+s \)

that will list all files with suid/sgid permissions.
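The mitigation above as an added shell example (not part of the OSG/EGI announcement): it turns the output of the find command into the set of directories holding suid/sgid files and prints a bind-mount command for each one that is not already a mount point, so the script can be re-run safely from an init script after every reboot. The function names and the use of /proc/mounts as the mount table are my assumptions; the find expression is the one from the announcement.

```shell
# Added example, not part of the announcement: bind-mount every directory
# that holds a suid/sgid file onto itself, skipping ones already mounted.
# Function names and the use of /proc/mounts are assumptions for this demo.

# suid_dirs: read file paths (one per line) from stdin and print their
# parent directories, deduplicated and sorted, one per line.
suid_dirs() {
    sed 's:/[^/]*$::' | sed 's:^$:/:' | sort -u
}

# is_mountpoint DIR MOUNTS: succeed if DIR is listed as a mount point in
# the mount table MOUNTS (normally /proc/mounts).
is_mountpoint() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$2"
}

# bind_cmds MOUNTS: read directories from stdin and print a
# "mount -o bind DIR DIR" command for each one that is not already a
# mount point, so re-running after a reboot does not stack bind mounts.
bind_cmds() {
    while IFS= read -r dir; do
        if is_mountpoint "$dir" "$1"; then
            echo "# $dir is already a mount point, skipping"
        else
            echo "mount -o bind $dir $dir"
        fi
    done
}

# apply_mitigation: the whole pipeline on a live system. Must run as root;
# the find expression is the one given in the announcement above.
apply_mitigation() {
    find / -type f \( -perm /u+s -o -perm /g+s \) 2>/dev/null \
        | suid_dirs | bind_cmds /proc/mounts | sh
}
```

Once a directory is bind-mounted onto itself, link(2) from a user-writable location on the same underlying filesystem fails with EXDEV, which is exactly the condition the mitigation relies on.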


Recommendations
===============

Apply the mitigation method above for all relevant locations.

You may wish to suspend user logins and job submission until these steps have been taken; please refer to your local site policy.

Apply vendor updates as soon as they become available.

References
==========

http://seclists.org/fulldisclosure/2010/Oct/257

The majority of this announcement was put together by Nuno Dias - EGI CSIRT