Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk Local Privilege Escalation via iSCSI
CVE-2021-27365 [EGI-SVG-CVE-2021-27365]
Date: 2021-03-17
Updated: 2021-04-19, 2021-06-01
Affected software and risk
==========================
CRITICAL risk vulnerability concerning Local Privilege Escalation via iSCSI
Package : Linux iSCSI
CVE ID : CVE-2021-27363, CVE-2021-27364, CVE-2021-27365
A flaw was found in the Linux kernel. A heap buffer overflow in the iSCSI
subsystem is triggered by setting an iSCSI string attribute to a value larger
than one page and then trying to read it. The highest threat from this
vulnerability is a Local Privilege Escalation to root. [R 1]
More information in [R 2], [R 3]
Actions required/recommended
============================
** UPDATE 2021-04-19 **
Updates are now available for RHEL 7, RHEL 8, [R 1] and CentOS7 [R 5].
Updates also appear to be available for Scientific Linux, as the appropriate
version of the kernel is in the repository [R 6], and notification sent [R 7]
even though the errata [R 8] has not been updated.
** UPDATE 2 2021-04-19 **
All running resources MUST be either patched or have mitigation
in place or software removed by 2021-04-27 00:00 UTC
Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.
Note: the iSCSI subsystem is only required on hosts that actually have some
need to interact with SCSI HW via a network.
Component installation information
==================================
Sites installing RHEL should see [R 1]
Sites installing CentOS7 should see [R 5]
Sites installing Scientific Linux should see [R 7]
Mitigation
==========
This has been copied directly from the RedHat site [R 1]
The LIBISCSI module will be auto-loaded when required, its use can be disabled
by preventing the module from loading with the following instructions:
# echo "install libiscsi /bin/true" >> /etc/modprobe.d/disable-libiscsi.conf
The system will need to be restarted if the libiscsi modules are loaded. In
most circumstances, the libiscsi kernel modules will be unable to be unloaded
while any network interfaces are active and the protocol is in use.
If the system requires iscsi to work correctly, this mitigation may not be
suitable.
More information
================
At least 1 site in the UK has carried out the mitigation, and no problems have
been experienced.
Sites may wish to try `lsmod | grep iscsi` to find out if iSCSI has been loaded
prior to carrying out the mitigation.
An update will be provided when this vulnerability has been fixed.
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2021-27365
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 4]
Note that this is undergoing revision to fully handle vulnerabilities in the
EOSC-hub era.
References
==========
[R 1] https://access.redhat.com/security/cve/CVE-2021-27365
[R 2] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
[R 3] https://nvd.nist.gov/vuln/detail/CVE-2021-27365
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145
[R 5] https://lists.centos.org/pipermail/centos-announce/2021-April/048298.html
[R 6] http://ftp.scientificlinux.org/linux/scientific/7/x86_64/updates/security/
[R 7] https://listserv.fnal.gov/scripts/wa.exe?A2=ind2104&L=SCIENTIFIC-LINUX-ERRATA&P=76
[R 8] https://www.scientificlinux.org/category/sl-errata/
Credit
======
SVG was alerted to this vulnerability by David Crooks
Timeline
========
Yyyy-mm-dd [EGI-SVG-2021-CVE-2021-27365]
2021-03-16 SVG alerted to this issue by David Crooks
2021-03-16 Acknowledgement from the EGI SVG to the reporter
2021-03-17 EGI SVG Risk Assessment completed
2021-03-17 Advisory to sites to carry out mitigation
2021-04-19 Advisory updated as relevant versions of linux have been fixed.
2021-04-19 Further update to require sites to update in 7 days.
2021-06-01 Changed to [TLP:WHITE] and placed on the wiki.
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 4] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative commons licence
https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/
Software Vulnerability Group must be credited.
-----------------------------
Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure and the
services in the EOSC-hub catalogue.
On behalf of the EGI SVG,