EGI SVG Advisories

EGI CSIRT Alert tipc-2011-01-07

** WHITE information - Unlimited distribution allowed      **
** see https://go.egi.eu/tlp for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20110701]

Title:       High Risk Vulnerability CVE-2010-3859 kernel: heap overflow in tipc_msg_build()
[EGI-ADV-20110701]
Date:        January 07, 2011
Last update: January 07, 2011
URL:         https://advisories.egi.eu/CSIRT_Alerts/tipc-2011-01-07


Introduction
============

A problem in the TIPC module has been detected, with the
potential of giving any local user root privileges. This vulnerability
has been labelled CVE-2010-3859.

This vulnerability affects RHEL5 and its derivatives.

No public exploit for this issue is currently known, but the EGI CSIRT
considers this to be a high risk vulnerability.

Kernel update from Linux venders are available. Please note, the patched
kernel (kernel-2.6.18-194.32.1.el5) also addressed CVE-2010-3865 (RDS module vulnerability)

Details
=======

The tipc_msg_build() function in net/tipc/msg.c contains an exploitable kernel
heap overflow that would allow a local user to escalate privileges to root by
issuing maliciously crafted sendmsg() calls via TIPC sockets.

This issue did not affect the version of Linux kernel as shipped with Red Hat
Enterprise Linux 3, 4, 6 and Red Hat Enterprise MRG as they did not include
support for Transparent Inter-Process Communication Protocol (TIPC).

This flaw has been addressed by the following kernel version which EGI CSIRT
strongly recommends to be deployed: kernel-2.6.18-194.32.1.el5 (or later)

After upgrading (and rebooting) to the new kernel, it is still recommended to
blacklist the unused kernel module (tipc).

For sites that aren't able to update their kernel please check the
mitigation that follows in to blacklist the module.

Mitigation
==========

Most systems do not utilize TIPC and can simply block the vulnerability
by blacklisting the TIPC module (after unloading it if it is present),
for instance by running this script:

------------------

#!/bin/sh

# Unload the module

if lsmod | grep -q '^tipc '; then
  echo "TIPC was loaded"
fi
rmmod tipc 2>/dev/null
if lsmod | grep -q '^tipc '; then
  echo "FAILED to unload TIPC"
fi

# Blacklist the module
echo "blacklist tipc" >> /etc/modprobe.d/blacklist

------------------

This will take effect immediately and does NOT require a reboot. The
blacklisting will stay persistent across reboots.

Please note that if you indeed use the TIPC module the only solution is
to deploy a patched kernel.


Recommendations
===============

Linux vendors have released patched kernel. Please apply vendor kernel update as soon as possible.

Under exceptional circumstance, if you can not update the kernel, please immediately apply
the mitigation described above to all user-accessible systems.


It is recommended to keep this module blacklisted if not needed at your site, even after
updating the kernel.


References
==========
https://bugzilla.redhat.com/show_bug.cgi?id=645867
https://www.redhat.com/security/data/cve/CVE-2010-3859.html
https://rhn.redhat.com/errata/RHSA-2011-0004.html

http://listserv.fnal.gov/scripts/wa.exe?A2=ind1101&L=scientific-linux-errata&T=0&P=78

http://www.openwall.com/lists/oss-security/2010/10/22/2
http://marc.info/?l=linux-netdev&m=128770476511716&w=2