EGI SVG Advisories

** WHITE information - Unlimited distribution allowed      **
** see https://go.egi.eu/tlp for distribution restrictions **

EGI ADVISORY [EGI-ADV-20150724]

Title:       **Update** EGI SVG Advisory 'Critical' risk libuser local root exploit CVE-2015-3245,
CVE-2015-3246 for RedHat and derivatives.

Date:        2015-07-24
Updated:     2015-07-30, 2015-08-06

URL:         https://advisories.egi.eu/CSIRT_Alerts/libuser-2015-07-24

Introduction
============

A vulnerability has been announced by RedHat concerning libuser [R 1],
CVE-2015-3245, CVE-2015-3246 which allows local root exploit.
Exploits which have been shown to work very easily are publicly available.

This vulnerability is present in the case of access via a local user account
and its password. Fortunately much of the access to the EGI infrastructure is
NOT via this method; so much of the EGI infrastructure is not likely to be
affected. One scenario in EGI where access is likely to be via this method is
where  User Interfaces (UIs) are made available with a local passwd file.

**Update 2015-08-06**

Even if sites do not allow access via login with a local user and password,
i.e. this feature is not enabled, sites which have libuser installed must
update if possible in order not to have a vulnerable version of libuser on
their sites.

This is to minimize the risk of accidentally exposing this vulnerability.

A patch for SL6 is now available so most sites should now be able to update.


**Update 2015-07-30**

As question on the target of the advisory were raised, sites are reminded that
this advisory applies to all system with libuser installed and thus that they
are expected to update to a non-vulnerable version. However, as for any
vulnerability, sites can apply temporary mitigation (see the recommendations)
if an update is not an option.




Details
=======

More details are available at [R 1], [R 2]

It is fairly common that people use the old-fashioned "simply rsync the passwd
and shadow files" method to distribute account information, and a likely
attacker is somebody who has managed to steal a password with a keyboard
sniffer.

Risk category
=============

This issue has been assessed as 'Critical'  by the EGI CSIRT and EGI SVG Risk
Assessment Team.


Affected software
=================

Red Hat Linux 5, 6, and 7 and their derivatives.

As far as we are aware, and from [R 2], this ONLY affects RedHat and its derivatives.


Mitigation
==========

**Update 2015-07-30**

The two possible (temporary) mitigations are:
- Disable all local accounts with local passwords (except root)  or
- Disable accesses to chsh/chfn via PAM as defined in [R1]


Component installation information
==================================

RedHat
------

For RedHat 5 this is not going to be updated as stated in [R 1].
So if using Username and password for RH 5 and its derivatives there is a need
to migrate to a more recent version of linux. In the meantime there is the
mitigation documented in [R 1].

For RedHat 6 see [R 3]

For RedHat 7 see [R 4]

**Update 2015-08-06** This patch is now available for SL6 see [R 5].

Recommendations
===============

All those who provide services which are accessed via a local username and
password must update urgently or take mitigating action.

All affected running resources MUST be either patched or otherwise have a
work-around in place by 2015-07-31  T21:00+01:00. Sites failing to act and/or
failing to respond to requests from the EGI CSIRT team risk site suspension.

**Update 2015-07-30**

Due to the absence of release of any patch for Scientific Linux 6, sites that
are not able to apply the patch are highly encouraged to apply any of the above
mitigation while waiting for the patch.

**Update 2015-08-06**

All sites which have libuser installed must update to a non-vulnerable version,
even if they do not have user login via username and password enabled.


Credit
======

SVG was alerted to this vulnerability by Leif Nixon.

References
==========

[R 1] https://access.redhat.com/articles/1537873

[R 2] http://www.openwall.com/lists/oss-security/2015/07/23/16

[R 3] https://rhn.redhat.com/errata/RHSA-2015-1482.html

[R 4] https://rhn.redhat.com/errata/RHSA-2015-1483.html

[R 5] https://www.scientificlinux.org/sl-errata/slsa-20151482-1/

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so
suggestions and comments are welcome.


Timeline
========
Yyyy-mm-dd

2015-07-23 SVG alerted to this vulnerability by Leif Nixon.
2015-07-23 Public exploit tested by Vincent Brillault, found to work easily
2015-07-23 All those who looked agreed on 'Critical' where exploitable.
2015-07-24 Advisory drafted.
2015-07-24 Advisory sent to sites
2015-07-30 Update for clarification
2015-08-06 Update as patch for SL6 is available.