EGI CSIRT ADVISORY [EGI-ADV-20100916]
Title: CRITICAL Kernel Vulnerability: 64-bit Compatibility Mode Stack Pointer Corruption
Date: September 16, 2010
URL: https://advisories.egi.eu/CSIRT_Alerts/kernel-2010-09-16
Background
==========
A vulnerability in the 32-bit compatibility layer for 64-bit systems has
been reported. It is caused by insecure allocation of user space memory
when translating system call inputs to 64-bit. A stack pointer corruption
can occur when using the "compat_alloc_user_space" method with an
arbitrary length input. This vulnerability has been labeled
CVE-2010-3081.
A local root exploit for this issue is publically available, and has
been verified to work on at least RHEL/CentOS/SLC 5 systems. It is
likely that the vulnerability is present also on other distributions,
even if this particular exploit doesn't work on them.
Recommendations
===============
EGI CSIRT has classified this as a critical vulnerability, and all sites
should update their 64-bit machines in the EGI infrastructure as soon as
vendor kernel updates are published and available.
A kernel update for SLC5 x86_64 is expected within a few hours.
EGI CSIRT will not issue any recommendation whether to drain queues and
disable logins pending a kernel update; we defer to local site policy in
this matter.
WLCG management is aware of the issue and will accept essential and related
unscheduled downtime incurred while handling CVE-2010-3081.
References
==========
This problem was reported on 2010-09-16 by Ben Hawkes:
http://sota.gen.nz/compat1/
http://seclists.org/oss-sec/2010/q3/370
RedHat is recognizing the problem:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081
A working local root exploit has been published on the Full Disclosure
mailing list:
http://seclists.org/fulldisclosure/2010/Sep/268