Title: EGI SVG Advisory [TLP:WHITE] 'HIGH' risk CVE-2017-6074 linux kernel
(DCCP) privilege escalation vulnerability [EGI-SVG-CVE-2017-6074]
Date: 2017-02-28
Updated:
Affected software and risk
==========================
HIGH risk Root escalation vulnerability affecting the Linux kernel in DCCP
module
Package : kernel
CVE ID : CVE-2017-6074
A double-free vulnerability has been found in the linux kernel module 'DCCP',
which might allow unprivileged local users to escalate their privileges.
This vulnerability is present in all recent versions of the linux kernel prior
to the patched versions.
The most affected services are those that give shell access to unprivileged
users:
- Worker Nodes
- shared User Interface hosts
- ...
This follows on from the 'Heads up' send on Thursday 23rd February.
Actions required/recommended
============================
Sites should apply vendor kernel updates as soon as possible.
If sites have disabled Security-Enhanced Linux (SELinux) and do not have DCCP
disabled they should update or disable DCCP urgently.
Affected software details
=========================
All versions of the linux kernel prior to the patched versions are affected.
More information
================
The vulnerability itself may be considered 'CRITICAL'
As far as we are aware, this issue is only exploitable if DCCP is NOT disabled.
Additionally, Security-Enhanced Linux (SELinux) protects against this exploit,
therefore it is only exploitable if SELinux is disabled.
The successful use the exploit has requirements on the environment which do not
seem to be fulfilled at most sites, making a definite assessment between HIGH
or CRITICAL difficult.
This vulnerability has been assessed as 'HIGH' risk rather than 'CRITICAL' for
the EGI infrastructure at present. However if it is found to be exploitable in
the EGI infrastructure this will be elevated to 'CRITICAL' and require sites to
update urgently.
Hence we recommend that sites update as soon as possible.
Also see:--
Original announcement [R 1]
National vulnerability Database [R 2]
Proof of concept exploit made public [R 3]
Also [R 11]
Mitigation
==========
This vulnerability can be mitigated by disabling DCCP completely. On standard
distributions, where it's present as a kernel module, this can be achieved by
either:
- Adding a modprobe configuration file to disable dccp by running:
```
echo "install dccp /bin/true" >> /etc/modprobe.d/CVE-2017-6074.conf
```
- Removing all DCCP kernel modules from /lib/modules
If the DCCP kernel module is already loaded (lsmod | grep dccp), a reboot might
be needed to unload the module (rmmod will fail if still in use). Please note
however that most systems don't load this module and a loaded module should be
investigated as it could be from an exploitation attempt.
For other systems, where DCCP is statically compiled in the kernel these
mitigations cannot be applied and a new kernel has to be built and deployed.
Check as follows:
grep CONFIG_IP_DCCP /boot/config-$(uname -r)
or:
zgrep CONFIG_IP_DCCP /proc/config.gz
In the output 'm' means module, 'y' means compiled in the kernel directly.
Component installation information
==================================
Patches have been made for all relevant versions of the linux kernel.
Sites running scientific linux should see [ R 4]
Sites running RedHat or CentOS should see [R 5], [R 6], [R 7]
Sites running Debian should See [R 8]
Sites running Ubuntu should see [R 9]
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2017-6074
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 10]
References
==========
[R 1] http://seclists.org/oss-sec/2017/q1/471
[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6074
[R 3] http://seclists.org/oss-sec/2017/q1/503
[R 4] https://www.scientificlinux.org
[R 5] Red Hat https://access.redhat.com/security/cve/CVE-2017-6074
[R 6] https://access.redhat.com/errata/RHSA-2017:0293
[R 7] https://access.redhat.com/errata/RHSA-2017:0294
[R 8] Debian https://security-tracker.debian.org/tracker/CVE-2017-6074
[R 9] Ubuntu https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6074.html
[R 10] https://documents.egi.eu/public/ShowDocument?docid=2538
[R 11] https://threatpost.com/impact-of-new-linux-kernel-dccp-vulnerability-limited/123863/
Credit
======
SVG was alerted to this vulnerability by Tobias Dussa from EGI SVG.
Vulnerability originally discovered by Andrey Konovalov from Google.
Timeline
========
Yyyy-mm-dd [EGI-SVG-CVE-2017-6074]
2017-02-22 SVG alerted to this issue by Tobias Dussa.
2017-02-22 Investigation of vulnerability and relevance to EGI carried out
2017-02-23 'Heads Up' sent to sites
2017-02-24 Updated packages available, including for Scientific Linux.
2017-02-26 Proof of concept exploit made public
2017-02-27 SVG members investigating further
2017-02-28 EGI SVG Risk Assessment completed
2017-02-28 Advisory sent to sites
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 10] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
On behalf of the EGI SVG,
‘Heads up’ is available from Advisory-SVG-2017-6074