Title: EGI SVG Advisory [TLP:WHITE] 'HIGH' risk linux kernel privilege
escalation vulnerability CVE-2017-2636 [EGI-SVG-CVE-2017-2636]
Date: 2017-03-09
Updated: 2017-04-27
Affected software and risk
==========================
'HIGH' risk privilege escalation vulnerability affecting the Linux kernel
n_hdlc module
Package : Linux kernel
CVE ID : CVE-2017-2636
A local privilege escalation race condition in n_hdlc in linux kernel driver
has been found. [R 1], [R 2]
This vulnerability is present in all recent versions of the linux kernel prior
to the patched versions.
The most affected services are those that give shell access to unprivileged
users:
- Worker Nodes
- shared User Interface hosts
- ...
Actions required/recommended
============================
**UPDATE 2017-04-27**
Patched versions now available for all relevant Linux distributions.
Sites should apply vendor kernel updates if they have not done so already.
Affected software details
=========================
All recent versions of the linux kernel prior to the patched versions are
affected.
More information
================
More information can be found at [R 1], [R 2], [R 3]
If this vulnerability is found to be exploitable in the EGI infrastructure it
will be elevated to 'CRITICAL' and require sites to update urgently.
Hence we recommend that sites update as soon as possible.
Note that this is a new vulnerability, this is NOT an update of CVE-2017-6074
although the effect and risk are similar, and hence SVG is making similar
recommendations.
Mitigation
==========
This vulnerability can be mitigated by disabling the n_hdlc kernel module, see
[R 2] and [R 5]
Component installation information
==================================
Sites running Scientific Linux should see [R 4]
Sites running RedHat should see [R 5]
Sites running Debian should see [R 6]
Sites running Ubuntu should see [R 7]
TLP and URL
===========
** WHITE information - Unlimited distribution - see
https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2017-2636
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 8]
References
==========
[R 1] http://seclists.org/oss-sec/2017/q1/569
[R 2] http://seclists.org/oss-sec/2017/q1/572
[R 3] NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2636
[R 4] https://www.scientificlinux.org/
[R 5] Red Hat https://access.redhat.com/security/cve/CVE-2017-2636
[R 6] Debian https://security-tracker.debian.org/tracker/CVE-2017-2636
[R 7] Ubuntu http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2636.html
[R 8] https://documents.egi.eu/public/ShowDocument?docid=2538
Credit
======
SVG was alerted to this vulnerability by Vincent Brillault
Timeline
========
Yyyy-mm-dd [EGI-SVG-CVE-2017-2636]
2017-03-09 SVG alerted to this issue by Vincent Brillault
2017-03-09 Investigation of vulnerability and relevance to EGI carried out by
2017-03-09 EGI SVG Risk Assessment completed
2017-03-09 Advisory/Alert sent to sites
2017-04-12 Updated packages available for all relevant distributions
2017-04-27 Advisory updated.
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 8] in the context of how the software is used in the EGI
infrastructure.
It is the opinion of the group, we do not guarantee it to be correct.
The risk may also be higher or lower in other deployments depending on how the
software is used.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group