Re: [rhelv5-list] CVE-2010-3081
On Monday, 20.09.2010 at 12:47 -0600, Stephen John Smoogen wrote:
> On Mon, Sep 20, 2010 at 07:08, Gary Gatling gsgat...@eos.ncsu.edu wrote:
>> Will a new kernel be coming out soon to address CVE-2010-3081?
>
> I do not believe RHEL-5 is susceptible to this bug. I could not get my
> RHEL-5 x86_64 to 'root' but that does not mean I was doing it right.
>
>> Thanks,
>> Gary Gatling | ITECS Systems

You have to compile the exploit under i386 and then use it under x86_64.
It worked for
- 2.6.18-164.el5
- 2.6.18-194.11.1.el5
- 2.6.18-194.11.3.el5

Try it again, and also have a scary movie. :-S

Regards,
Mete

___
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
Re: [rhelv5-list] CVE-2010-3081
Or compile it with the -m32 gcc flag on an x86_64 system... it will be
compiled as an i386 binary.

-----Original Message-----
From: rhelv5-list-boun...@redhat.com [mailto:rhelv5-list-boun...@redhat.com] On Behalf Of Mete Boz
Sent: Thursday, September 23, 2010 10:50 AM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: Re: [rhelv5-list] CVE-2010-3081

On Monday, 20.09.2010 at 12:47 -0600, Stephen John Smoogen wrote:
> On Mon, Sep 20, 2010 at 07:08, Gary Gatling gsgat...@eos.ncsu.edu wrote:
>> Will a new kernel be coming out soon to address CVE-2010-3081?
>
> I do not believe RHEL-5 is susceptible to this bug. I could not get my
> RHEL-5 x86_64 to 'root' but that does not mean I was doing it right.
>
>> Thanks,
>> Gary Gatling | ITECS Systems

You have to compile the exploit under i386 and then use it under x86_64.
It worked for
- 2.6.18-164.el5
- 2.6.18-194.11.1.el5
- 2.6.18-194.11.3.el5

Try it again, and also have a scary movie. :-S

Regards,
Mete
Re: [rhelv5-list] CVE-2010-3081
Gary Gatling wrote:
> Will a new kernel be coming out soon to address CVE-2010-3081?

It is live on RHN as of late last night/early this morning: RHSA-2010:0704.

> Thanks,
> Gary Gatling | ITECS Systems
Re: [rhelv5-list] CVE-2010-3081
Robert G. (Doc) Savage wrote:
> On Tue, 2010-09-21 at 09:19 -0500, Robert G. (Doc) Savage wrote:
>> On Tue, 2010-09-21 at 08:18 -0400, Linda Wang wrote:
>>> It is live on RHN as of late last night/early this morning: RHSA-2010:0704.
>>
>> Confirmed. I had to run 'yum update' twice for the kernel update to
>> appear, but it's there. Come 'n get it
>
> Well... Maybe. I downloaded and installed the new kernel, then rebooted
> and reran the Ksplice diagnostic:
>
>   $ ./diagnose-2010-3081
>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>   (see http://www.ksplice.com/uptrack/cve-2010-3081)
>
>   $$$ Kernel release: 2.6.18-194.11.4.el5
>   $$$ Backdoor in LSM (1/3): checking...not present.
>   $$$ Backdoor in timer_list_fops (2/3): not available.
>   $$$ Backdoor in IDT (3/3): checking...not present.
>
>   Your system is free from the backdoors that would be left in memory by
>   the published exploit for CVE-2010-3081.
>
> This doesn't look right. That's the same result I got for the -194.11.3
> kernel. I was expecting to see something similar to the output I got for
> the F13 kernel:
>
>   $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
>   !!! Could not find symbol: per_cpu__current_task
>
>   A symbol required by the published exploit for CVE-2010-3081 is not
>   provided by your kernel. The exploit would not work on your system.
>
> Thoughts?
>
> --Doc Savage, CISSP
> Fairview Heights, IL

I ran the diagnostic code and got the same result. I then tried the exploit
code and it errored out instead of giving me a shell.

Hugh
Re: [rhelv5-list] CVE-2010-3081
As far as I understand, from what I read about the Ksplice tool, it is that
it just tries to detect whether a back door was set up on a system (ie: if it
had already been compromised). I do not believe that the intent of the
program was not to test if the system was vulnerable.

Cale Fairchild
Systems Administrator
Computer Science
Brock University
cfairch...@brocku.ca

Hugh Brown wrote:
> Robert G. (Doc) Savage wrote:
>> On Tue, 2010-09-21 at 09:19 -0500, Robert G. (Doc) Savage wrote:
>>> On Tue, 2010-09-21 at 08:18 -0400, Linda Wang wrote:
>>>> It is live on RHN as of late last night/early this morning: RHSA-2010:0704.
>>>
>>> Confirmed. I had to run 'yum update' twice for the kernel update to
>>> appear, but it's there. Come 'n get it
>>
>> Well... Maybe. I downloaded and installed the new kernel, then rebooted
>> and reran the Ksplice diagnostic:
>>
>>   $ ./diagnose-2010-3081
>>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>>   (see http://www.ksplice.com/uptrack/cve-2010-3081)
>>
>>   $$$ Kernel release: 2.6.18-194.11.4.el5
>>   $$$ Backdoor in LSM (1/3): checking...not present.
>>   $$$ Backdoor in timer_list_fops (2/3): not available.
>>   $$$ Backdoor in IDT (3/3): checking...not present.
>>
>>   Your system is free from the backdoors that would be left in memory by
>>   the published exploit for CVE-2010-3081.
>>
>> This doesn't look right. That's the same result I got for the -194.11.3
>> kernel. I was expecting to see something similar to the output I got for
>> the F13 kernel:
>>
>>   $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
>>   !!! Could not find symbol: per_cpu__current_task
>>
>>   A symbol required by the published exploit for CVE-2010-3081 is not
>>   provided by your kernel. The exploit would not work on your system.
>>
>> Thoughts?
>>
>> --Doc Savage, CISSP
>> Fairview Heights, IL
>
> I ran the diagnostic code and got the same result. I then tried the
> exploit code and it errored out instead of giving me a shell.
>
> Hugh
Re: [rhelv5-list] CVE-2010-3081
Robert G. (Doc) Savage wrote:
> On Tue, 2010-09-21 at 09:19 -0500, Robert G. (Doc) Savage wrote:
>> On Tue, 2010-09-21 at 08:18 -0400, Linda Wang wrote:
>>> It is live on RHN as of late last night/early this morning: RHSA-2010:0704.
>>
>> Confirmed. I had to run 'yum update' twice for the kernel update to
>> appear, but it's there. Come 'n get it
>
> Well... Maybe. I downloaded and installed the new kernel, then rebooted
> and reran the Ksplice diagnostic:
>
>   $ ./diagnose-2010-3081
>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>   (see http://www.ksplice.com/uptrack/cve-2010-3081)
>
>   $$$ Kernel release: 2.6.18-194.11.4.el5
>   $$$ Backdoor in LSM (1/3): checking...not present.
>   $$$ Backdoor in timer_list_fops (2/3): not available.
>   $$$ Backdoor in IDT (3/3): checking...not present.
>
>   Your system is free from the backdoors that would be left in memory by
>   the published exploit for CVE-2010-3081.
>
> This doesn't look right. That's the same result I got for the -194.11.3
> kernel. I was expecting to see something similar to the output I got for
> the F13 kernel:
>
>   $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
>   !!! Could not find symbol: per_cpu__current_task
>
>   A symbol required by the published exploit for CVE-2010-3081 is not
>   provided by your kernel. The exploit would not work on your system.
>
> Thoughts?

The diagnostic tool from ksplice is not a good way to verify if the issue is
fixed. It basically checks to see if anyone ran the exploit on the machine
before. The exploit is specific to rhel-5 and is a modification of an
existing publicly circulated exploit, and the exploit is verified to be fixed
in this erratum.

Hth,
-linda
Re: [rhelv5-list] CVE-2010-3081
Hugh Brown wrote:
> Robert G. (Doc) Savage wrote:
>> On Tue, 2010-09-21 at 09:19 -0500, Robert G. (Doc) Savage wrote:
>>> On Tue, 2010-09-21 at 08:18 -0400, Linda Wang wrote:
>>>> It is live on RHN as of late last night/early this morning: RHSA-2010:0704.
>>>
>>> Confirmed. I had to run 'yum update' twice for the kernel update to
>>> appear, but it's there. Come 'n get it
>>
>> Well... Maybe. I downloaded and installed the new kernel, then rebooted
>> and reran the Ksplice diagnostic:
>>
>>   $ ./diagnose-2010-3081
>>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>>   (see http://www.ksplice.com/uptrack/cve-2010-3081)
>>
>>   $$$ Kernel release: 2.6.18-194.11.4.el5
>>   $$$ Backdoor in LSM (1/3): checking...not present.
>>   $$$ Backdoor in timer_list_fops (2/3): not available.
>>   $$$ Backdoor in IDT (3/3): checking...not present.
>>
>>   Your system is free from the backdoors that would be left in memory by
>>   the published exploit for CVE-2010-3081.
>>
>> This doesn't look right. That's the same result I got for the -194.11.3
>> kernel. I was expecting to see something similar to the output I got for
>> the F13 kernel:
>>
>>   $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
>>   !!! Could not find symbol: per_cpu__current_task
>>
>>   A symbol required by the published exploit for CVE-2010-3081 is not
>>   provided by your kernel. The exploit would not work on your system.
>>
>> Thoughts?
>>
>> --Doc Savage, CISSP
>> Fairview Heights, IL
>
> I ran the diagnostic code and got the same result. I then tried the
> exploit code and it errored out instead of giving me a shell.

*nod* Thanks for the quick checks. The exploit is fixed in this RHEL5 erratum.
Re: [rhelv5-list] CVE-2010-3081
Cale Fairchild wrote:
> Hugh Brown wrote:
>> Robert G. (Doc) Savage wrote:
>>> On Tue, 2010-09-21 at 09:19 -0500, Robert G. (Doc) Savage wrote:
>>>> On Tue, 2010-09-21 at 08:18 -0400, Linda Wang wrote:
>>>>> It is live on RHN as of late last night/early this morning: RHSA-2010:0704.
>>>>
>>>> Confirmed. I had to run 'yum update' twice for the kernel update to
>>>> appear, but it's there. Come 'n get it
>>>
>>> Well... Maybe. I downloaded and installed the new kernel, then rebooted
>>> and reran the Ksplice diagnostic:
>>>
>>>   $ ./diagnose-2010-3081
>>>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>>>   (see http://www.ksplice.com/uptrack/cve-2010-3081)
>>>
>>>   $$$ Kernel release: 2.6.18-194.11.4.el5
>>>   $$$ Backdoor in LSM (1/3): checking...not present.
>>>   $$$ Backdoor in timer_list_fops (2/3): not available.
>>>   $$$ Backdoor in IDT (3/3): checking...not present.
>>>
>>>   Your system is free from the backdoors that would be left in memory by
>>>   the published exploit for CVE-2010-3081.
>>>
>>> This doesn't look right. That's the same result I got for the -194.11.3
>>> kernel. I was expecting to see something similar to the output I got for
>>> the F13 kernel:
>>>
>>>   $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
>>>   !!! Could not find symbol: per_cpu__current_task
>>>
>>>   A symbol required by the published exploit for CVE-2010-3081 is not
>>>   provided by your kernel. The exploit would not work on your system.
>>>
>>> Thoughts?
>>>
>>> --Doc Savage, CISSP
>>> Fairview Heights, IL
>>
>> I ran the diagnostic code and got the same result. I then tried the
>> exploit code and it errored out instead of giving me a shell.
>>
>> Hugh
>
> As far as I understand, from what I read about the Ksplice tool, it is
> that it just tries to detect whether a back door was set up on a system
> (ie: if it had already been compromised). I do not believe that the intent
> of the program was not to test if the system was vulnerable.

Sorry about the top posting, didn't notice until I sent it.

Cale
Re: [rhelv5-list] CVE-2010-3081
On Tue, 2010-09-21 at 09:51 -0500, Robert G. (Doc) Savage wrote:
> I was expecting to see something similar to the output I got for the F13
> kernel:
>
>   $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
>   !!! Could not find symbol: per_cpu__current_task
>
>   A symbol required by the published exploit for CVE-2010-3081 is not
>   provided by your kernel. The exploit would not work on your system.
>
> Thoughts?

The exploit is caused by a failure to correctly check the access and range
(for potential underflow) of a value passed to the kernel from userspace.
It's a classical exploit and it was fixed promptly.

The message you are getting above is different. All kernels provide a number
of symbols, which are exported functions available for use by drivers and
other loadable modules. The specific incarnation of the exploit that was
being examined by the Ksplice tool looked for the per_cpu__current_task
symbol (presumably as part of the kernel stack corruption exercise required
for the exploit - I didn't check), which isn't available on some kernels.
That doesn't mean they are not vulnerable to the compat exploit, just that
they don't have this particular symbol exported. Red Hat fixed the exploit
without affecting which symbols were or were not exported by the RHEL5
kernel, because that was not the actual problem.

Again, Ksplice did a good job with a utility, but it is just a handy utility
that helped some folks look to see if their systems might be exploited by one
version of the exploit.

Does that help?

Jon.
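Linda's and Jon's point is that the Ksplice diagnostic only looks for the backdoor one published exploit leaves behind; whether a host is still exposed is settled by the kernel it runs. As an added example (not part of the thread, and not Ksplice's or Red Hat's code), this POSIX sh script classifies a RHEL 5 `uname -r` string against the 2.6.18-194.11.4.el5 kernel from RHSA-2010:0704 named in the thread; it assumes that release is the first fixed one, and, as Chris Adams notes, a version-only check cannot see a Ksplice run-time patch or a custom kernel.

```shell
#!/bin/sh
# Added example, not from the thread: classify a RHEL 5 kernel release string
# (as printed by `uname -r`) against the first kernel shipped with the
# CVE-2010-3081 fix. Version-only check: a Ksplice run-time patch or a custom
# kernel is invisible to it.

FIXED_REL="2.6.18-194.11.4.el5"   # kernel from RHSA-2010:0704, as named in the thread

# "2.6.18-194.11.3.el5xen" -> "2 6 18 194 11 3": drop the .el5 suffix and any
# flavour (xen, PAE), then split on '.' and '-'.
rel_fields() {
    printf '%s\n' "$1" | sed -e 's/\.el5.*$//' -e 's/[.-]/ /g'
}

# Numeric field-by-field comparison; a missing trailing field counts as 0,
# so 2.6.18-194.el5 sorts before 2.6.18-194.11.4.el5. Prints lt, eq or gt.
rel_cmp() {
    a=$(rel_fields "$1")
    b=$(rel_fields "$2")
    i=1
    while :; do
        fa=$(printf '%s\n' "$a" | cut -d' ' -f"$i")
        fb=$(printf '%s\n' "$b" | cut -d' ' -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then
            echo eq
            return 0
        fi
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then echo lt; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo gt; return 0; fi
        i=$((i + 1))
    done
}

# Exit status: 0 = older than the fixed kernel, 1 = fixed kernel or newer,
# 2 = not a RHEL 5 (2.6.18-*.el5) release string, so this check does not apply.
needs_cve_2010_3081_update() {
    case "$1" in
        2.6.18-*.el5*) ;;
        *) return 2 ;;
    esac
    [ "$(rel_cmp "$1" "$FIXED_REL")" = lt ]
}

# Human-readable verdict; never fails, so it is safe under `set -e`.
classify() {
    rc=0
    needs_cve_2010_3081_update "$1" || rc=$?
    case "$rc" in
        0) echo "needs-update" ;;
        1) echo "fixed" ;;
        *) echo "not-rhel5" ;;
    esac
}

# Run directly to classify the running kernel, e.g.
#   2.6.18-194.11.3.el5: needs-update
echo "$(uname -r): $(classify "$(uname -r)")"
```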
[rhelv5-list] CVE-2010-3081
Will a new kernel be coming out soon to address CVE-2010-3081?

Also, sorry if this is a duplicate. I was having some email issues this
morning.

Thanks,
Gary Gatling | ITECS Systems
Re: [rhelv5-list] CVE-2010-3081
On 20/09/10 15:10, Gary Gatling wrote:
> Will a new kernel be coming out soon to address CVE-2010-3081?
>
> Also, sorry if this is a duplicate. I was having some email issues this
> morning.
>
> Thanks,
> Gary Gatling | ITECS Systems

In case you haven't done so... If you search here:
https://www.redhat.com/security/data/cve/
you will find this kbase article:
https://access.redhat.com/kb/docs/DOC-40265
which links to the bugzilla bug:
https://bugzilla.redhat.com/show_bug.cgi?id=634457#c28

nd
[rhelv5-list] CVE-2010-3081
Will a new kernel be coming out soon to address CVE-2010-3081?

Thanks,
Gary Gatling | ITECS Systems
Re: [rhelv5-list] CVE-2010-3081
On Mon, Sep 20, 2010 at 6:10 AM, Gary Gatling gsgat...@ncsu.edu wrote:
> Will a new kernel be coming out soon to address CVE-2010-3081?
>
> Also, sorry if this is a duplicate. I was having some email issues this
> morning.

Early this week according to:
https://bugzilla.redhat.com/show_bug.cgi?id=634457#c28

Akemi
Re: [rhelv5-list] CVE-2010-3081
On 20 September 2010 14:10, Gary Gatling gsgat...@ncsu.edu wrote:
> Will a new kernel be coming out soon to address CVE-2010-3081?

For what it's worth, any CVE id is a suitable bug alias for Red Hat's
bugzilla, eg https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081

jch
Re: [rhelv5-list] CVE-2010-3081
Once upon a time, John Haxby j...@thehaxbys.co.uk said:
> For what it's worth, any CVE id is a suitable bug alias for Red Hat's
> bugzilla, eg https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081

Does anybody know what the holdup is with releasing a fixed kernel? Per the
BZ, Red Hat has known about this for four and a half days now, with no fix in
sight (other than to turn multi-user servers off).

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: [rhelv5-list] CVE-2010-3081
On Mon, Sep 20, 2010 at 07:08, Gary Gatling gsgat...@eos.ncsu.edu wrote:
> Will a new kernel be coming out soon to address CVE-2010-3081?

I do not believe RHEL-5 is susceptible to this bug. I could not get my RHEL-5
x86_64 to 'root' but that does not mean I was doing it right.

> Thanks,
> Gary Gatling | ITECS Systems

--
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
We have a strategic plan. It's called doing things. — Herb Kelleher, founder Southwest Airlines
Re: [rhelv5-list] CVE-2010-3081
On Mon, Sep 20, 2010 at 12:47, Stephen John Smoogen smo...@gmail.com wrote:
> On Mon, Sep 20, 2010 at 07:08, Gary Gatling gsgat...@eos.ncsu.edu wrote:
>> Will a new kernel be coming out soon to address CVE-2010-3081?
>
> I do not believe RHEL-5 is susceptible to this bug. I could not get my
> RHEL-5 x86_64 to 'root' but that does not mean I was doing it right.

It would seem the one I was using was meant for other kernels. Sorry about
the misinformation. I do not know when a released kernel will be available.

--
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
We have a strategic plan. It's called doing things. — Herb Kelleher, founder Southwest Airlines
Re: [rhelv5-list] CVE-2010-3081
On Mon, 2010-09-20 at 09:08 -0400, Gary Gatling wrote:
> Will a new kernel be coming out soon to address CVE-2010-3081?
>
> Thanks,
> Gary Gatling | ITECS Systems

Gary,

I was concerned about this until I read this:
http://isc.sans.edu/diary.html?storyid=9574

I downloaded and ran the diagnose-2010-3081 binary on my RHEL55 server and
was relieved to see:

  $ ./diagnose-2010-3081
  Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
  (see http://www.ksplice.com/uptrack/cve-2010-3081)

  $$$ Kernel release: 2.6.18-194.11.3.el5
  $$$ Backdoor in LSM (1/3): checking...not present.
  $$$ Backdoor in timer_list_fops (2/3): not available.
  $$$ Backdoor in IDT (3/3): checking...not present.

  Your system is free from the backdoors that would be left in memory by the
  published exploit for CVE-2010-3081.

I also ran it on my 64-bit F13 laptop and was similarly relieved:

  $ ./diagnose-2010-3081
  Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
  (see http://www.ksplice.com/uptrack/cve-2010-3081)

  $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
  !!! Could not find symbol: per_cpu__current_task

  A symbol required by the published exploit for CVE-2010-3081 is not
  provided by your kernel. The exploit would not work on your system.

As long as you are up-to-date with the latest patches (and not the ones still
in updates-testing), it appears you'll have nothing to worry about.

--Doc Savage, CISSP
Fairview Heights, IL
Re: [rhelv5-list] CVE-2010-3081
On Mon, Sep 20, 2010 at 13:06, Robert G. (Doc) Savage dsav...@peaknet.net wrote:
> On Mon, 2010-09-20 at 09:08 -0400, Gary Gatling wrote:
>> Will a new kernel be coming out soon to address CVE-2010-3081?
>>
>> Thanks,
>> Gary Gatling | ITECS Systems
>
> Gary,
>
> I was concerned about this until I read this:
> http://isc.sans.edu/diary.html?storyid=9574
>
> I downloaded and ran the diagnose-2010-3081 binary on my RHEL55 server and
> was relieved to see:
>
>   $ ./diagnose-2010-3081
>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>   (see http://www.ksplice.com/uptrack/cve-2010-3081)

Yeah that was where I was looking for the problem in... well it just looks
for if your box has been rooted already. It does not say whether you are
susceptible or not. The other tool I found does open a shell on .28+ kernels
but does not work on RHEL-5.. which was where I got my bad information from.
I was not running the acid one because I was not sure what else it does in
its 'beauty splendor'. However since it does work on EL-5.

It was explained to me that there are several issues involved here. One is
the problem with a reintroduced bug and the other is a new one.

--
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
We have a strategic plan. It's called doing things. — Herb Kelleher, founder Southwest Airlines
Re: [rhelv5-list] CVE-2010-3081
Once upon a time, Robert G. (Doc) Savage dsav...@peaknet.net said:
> I was concerned about this until I read this:
> http://isc.sans.edu/diary.html?storyid=9574
>
> I downloaded and ran the diagnose-2010-3081 binary on my RHEL55 server and
> was relieved to see:
>
>   $ ./diagnose-2010-3081
>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>   (see http://www.ksplice.com/uptrack/cve-2010-3081)

That tool only checks to see if any known backdoors have been installed
(presumably by exploiting the CVE-2010-3081 hole). It does NOT actually check
to see if your system is vulnerable. All RHEL 5 systems running the x86_64
kernel are currently vulnerable, unless you are running your own custom
kernel or have applied the ksplice run-time patch.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: [rhelv5-list] CVE-2010-3081
On Mon, 2010-09-20 at 14:06 -0500, Robert G. (Doc) Savage wrote:
> I was concerned about this until I read this:
> http://isc.sans.edu/diary.html?storyid=9574
>
> I downloaded and ran the diagnose-2010-3081 binary on my RHEL55 server and
> was relieved to see:
>
>   $ ./diagnose-2010-3081
>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>   (see http://www.ksplice.com/uptrack/cve-2010-3081)
>
>   $$$ Kernel release: 2.6.18-194.11.3.el5
>   $$$ Backdoor in LSM (1/3): checking...not present.
>   $$$ Backdoor in timer_list_fops (2/3): not available.
>   $$$ Backdoor in IDT (3/3): checking...not present.
>
>   Your system is free from the backdoors that would be left in memory by
>   the published exploit for CVE-2010-3081.

Looking at this again, I see that it only says I've not (yet) been
compromised. I'll be watching for the kernel update.

--Doc Savage, CISSP
Fairview Heights, IL
Re: [rhelv5-list] CVE-2010-3081
Hey guys.

I just compiled this:
http://seclists.org/fulldisclosure/2010/Sep/268
on a 32 bit machine and indeed, RHEL 5 is affected. (The first exploit code I
saw over the weekend did not work but this one did.) I compiled on 32 bit
kernel and ran on 64 bit kernel (2.6.18-194.11.3.el5) and got root. Scary.

I've added the workaround on some shared login servers we run until the new
kernel has finished testing phase. The workaround did seem to prevent the
exploit from working on another test box. Although some behaviors were
unusual after running it, I did not have root access. So I'm very glad there
is at least a workaround for this monster.

Gary Gatling | ITECS Systems

On Mon, 20 Sep 2010, Robert G. (Doc) Savage wrote:
> On Mon, 2010-09-20 at 09:08 -0400, Gary Gatling wrote:
>> Will a new kernel be coming out soon to address CVE-2010-3081?
>>
>> Thanks,
>> Gary Gatling | ITECS Systems
>
> Gary,
>
> I was concerned about this until I read this:
> http://isc.sans.edu/diary.html?storyid=9574
>
> I downloaded and ran the diagnose-2010-3081 binary on my RHEL55 server and
> was relieved to see:
>
>   $ ./diagnose-2010-3081
>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>   (see http://www.ksplice.com/uptrack/cve-2010-3081)
>
>   $$$ Kernel release: 2.6.18-194.11.3.el5
>   $$$ Backdoor in LSM (1/3): checking...not present.
>   $$$ Backdoor in timer_list_fops (2/3): not available.
>   $$$ Backdoor in IDT (3/3): checking...not present.
>
>   Your system is free from the backdoors that would be left in memory by
>   the published exploit for CVE-2010-3081.
>
> I also ran it on my 64-bit F13 laptop and was similarly relieved:
>
>   $ ./diagnose-2010-3081
>   Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
>   (see http://www.ksplice.com/uptrack/cve-2010-3081)
>
>   $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
>   !!! Could not find symbol: per_cpu__current_task
>
>   A symbol required by the published exploit for CVE-2010-3081 is not
>   provided by your kernel. The exploit would not work on your system.
>
> As long as you are up-to-date with the latest patches (and not the ones
> still in updates-testing), it appears you'll have nothing to worry about.
>
> --Doc Savage, CISSP
> Fairview Heights, IL
Re: [rhelv5-list] CVE-2010-3081
On 20 September 2010 18:20, Chris Adams cmad...@hiwaay.net wrote:
> Once upon a time, John Haxby j...@thehaxbys.co.uk said:
>> For what it's worth, any CVE id is a suitable bug alias for Red Hat's
>> bugzilla, eg https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081
>
> Does anybody know what the holdup is with releasing a fixed kernel? Per
> the BZ, Red Hat has known about this for four and a half days now, with no
> fix in sight (other than to turn multi-user servers off).

I don't know, but I would guess QA. It's a local exploit so it's not as
serious as some so a modicum of testing wouldn't go amiss. The nature of this
problem gives it scope for doing a fair amount of damage if it's fixed
wrongly. The bug report hints as much.

jch
Re: [rhelv5-list] CVE-2010-3081
Once upon a time, Gary Gatling gsgat...@ncsu.edu said:
> on a 32 bit machine and indeed, RHEL 5 is affected. (The first exploit
> code I saw over the weekend did not work but this one did) I compiled on
> 32 bit kernel and ran on 64 bit kernel (2.6.18-194.11.3.el5) and got root.
> scary.
>
> I've added the workaround on some shared login servers we run until the
> new kernel has finished testing phase.

The workaround only prevents the easy exploit (compiling a 32 bit ELF binary
and running it). That's not the only way to make a 32 bit system call
however, and AFAIK there's no way to block the other ways of exploiting this.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.