__________________________________________________________

             The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                   INFORMATION BULLETIN

      Redhat Linux 'sysctl, ptrace, mxcsr P4' Vulnerability

February 12, 2001 17:00 GMT                                   Number L-045
______________________________________________________________________________
PROBLEM:       Security vulnerabilities exist in the kernel routines "sysctl,
               ptrace, and mxcsr P4" which allow privilege escalation and the
               capability to affect system operation.
PLATFORM:      Red Hat Linux 6.x: alpha, i386, i586, i686, sparc, sparc64
               Red Hat Linux 7.0: alpha, i386, i586, i686
DAMAGE:        A local user can use the 'ptrace' and 'sysctl' vulnerabilities
               to compromise the root account. The 'mxcsr P4' vulnerability
               allows a user with shell access the capability of halting the
               CPU. This would create a Denial of Service (DoS) to other
               users on the system.
SOLUTION:      All users are advised to upgrade to kernel-2.2.17-14. Follow
               the directions listed in the advisory. There are also updated
               drivers available for the new kernel in new RPM updates.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM for these vulnerabilities. The exploits can
               only be accomplished from a local user account.
______________________________________________________________________________

[****** Begin Redhat Advisory ******]

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Three security holes fixed in new kernel
Advisory ID:       RHSA-2001:013-05
Issue date:        2001-02-08
Updated on:        2001-02-08
Product:           Red Hat Linux
Keywords:          sysctl ptrace mxcsr P4
Cross references:
Obsoletes:
---------------------------------------------------------------------

1. Topic:

Three security holes fixed in new kernel, and several other updates and
bug fixes have been applied as well.

2. Relevant releases/architectures:

Red Hat Linux 6.x - alpha, i386, i586, i686, sparc, sparc64
Red Hat Linux 7.0 - alpha, i386, i586, i686

3. Problem description:

Three security holes have been fixed in the kernel. One involves ptrace,
another involves sysctl, and the last is specific to some Intel CPUs. All
three security holes involve local access only (they do not provide a hole
to remote attackers without a local account). The ptrace and sysctl bugs
provide local users with the potential to compromise the root account.
Neither has an active exploit available at the time of this writing. The
last security hole is a DOS (Denial Of Service) that does not provide
access to the root account but does allow any user with shell access the
ability to halt the CPU.

All users are strongly recommended to upgrade.

In addition to the security fixes, these kernels contain more advanced
support for the Intel Pentium 4 processors, as well as a number of driver
updates. These updates include e100, sis900, cs46xx, qla1x160, qla2x00,
ServeRAID, and ipvs.

In addition, a number of other bugs have been fixed. Most notably, the
RAW I/O facility could corrupt data under certain usage patterns.

4. Solution:

Upgrade to kernel-2.2.17-14

The procedure for upgrading the kernel is documented at:

    http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html

Please read the directions for your architecture carefully before
proceeding with the kernel upgrade.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

24737 - make oldconfig on SMP Alphas
21514 - problem with module sis900.o
21654 - PANIC: failed to set gid

6. RPMs required:

Red Hat Linux 6.x:

SRPMS:
    ftp://updates.redhat.com/6.2/SRPMS/kernel-2.2.17-14.src.rpm

alpha:
    ftp://updates.redhat.com/6.2/alpha/kernel-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/6.2/alpha/kernel-smp-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/6.2/alpha/kernel-enterprise-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/6.2/alpha/kernel-BOOT-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/6.2/alpha/kernel-source-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/6.2/alpha/kernel-doc-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/6.2/alpha/kernel-utils-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/6.2/alpha/kernel-headers-2.2.16-3.alpha.rpm

i386:
    ftp://updates.redhat.com/6.2/i386/kernel-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/6.2/i386/kernel-smp-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/6.2/i386/kernel-BOOT-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/6.2/i386/kernel-pcmcia-cs-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/6.2/i386/kernel-ibcs-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/6.2/i386/kernel-source-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/6.2/i386/kernel-doc-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/6.2/i386/kernel-utils-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/6.2/i386/kernel-headers-2.2.16-3.i386.rpm

i586:
    ftp://updates.redhat.com/6.2/i586/kernel-2.2.17-14.i586.rpm
    ftp://updates.redhat.com/6.2/i586/kernel-smp-2.2.17-14.i586.rpm

i686:
    ftp://updates.redhat.com/6.2/i686/kernel-2.2.17-14.i686.rpm
    ftp://updates.redhat.com/6.2/i686/kernel-smp-2.2.17-14.i686.rpm
    ftp://updates.redhat.com/6.2/i686/kernel-enterprise-2.2.17-14.i686.rpm

sparc:
    ftp://updates.redhat.com/6.2/sparc/kernel-2.2.17-14.sparc.rpm
    ftp://updates.redhat.com/6.2/sparc/kernel-smp-2.2.17-14.sparc.rpm
    ftp://updates.redhat.com/6.2/sparc/kernel-enterprise-2.2.17-14.sparc.rpm
    ftp://updates.redhat.com/6.2/sparc/kernel-BOOT-2.2.17-14.sparc.rpm
    ftp://updates.redhat.com/6.2/sparc/kernel-source-2.2.17-14.sparc.rpm
    ftp://updates.redhat.com/6.2/sparc/kernel-doc-2.2.17-14.sparc.rpm
    ftp://updates.redhat.com/6.2/sparc/kernel-utils-2.2.17-14.sparc.rpm
    ftp://updates.redhat.com/6.2/sparc/kernel-headers-2.2.16-3.sparc.rpm

sparc64:
    ftp://updates.redhat.com/6.2/sparc64/kernel-2.2.17-14.sparc64.rpm
    ftp://updates.redhat.com/6.2/sparc64/kernel-smp-2.2.17-14.sparc64.rpm
    ftp://updates.redhat.com/6.2/sparc64/kernel-enterprise-2.2.17-14.sparc64.rpm
    ftp://updates.redhat.com/6.2/sparc64/kernel-BOOT-2.2.17-14.sparc64.rpm

Red Hat Linux 7.0:

SRPMS:
    ftp://updates.redhat.com/7.0/SRPMS/kernel-2.2.17-14.src.rpm

alpha:
    ftp://updates.redhat.com/7.0/alpha/kernel-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/7.0/alpha/kernel-smp-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/7.0/alpha/kernel-enterprise-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/7.0/alpha/kernel-BOOT-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/7.0/alpha/kernel-source-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/7.0/alpha/kernel-doc-2.2.17-14.alpha.rpm
    ftp://updates.redhat.com/7.0/alpha/kernel-utils-2.2.17-14.alpha.rpm

i386:
    ftp://updates.redhat.com/7.0/i386/kernel-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/7.0/i386/kernel-smp-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/7.0/i386/kernel-BOOT-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/7.0/i386/kernel-pcmcia-cs-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/7.0/i386/kernel-ibcs-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/7.0/i386/kernel-source-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/7.0/i386/kernel-doc-2.2.17-14.i386.rpm
    ftp://updates.redhat.com/7.0/i386/kernel-utils-2.2.17-14.i386.rpm

i586:
    ftp://updates.redhat.com/7.0/i586/kernel-2.2.17-14.i586.rpm
    ftp://updates.redhat.com/7.0/i586/kernel-smp-2.2.17-14.i586.rpm

i686:
    ftp://updates.redhat.com/7.0/i686/kernel-2.2.17-14.i686.rpm
    ftp://updates.redhat.com/7.0/i686/kernel-smp-2.2.17-14.i686.rpm
    ftp://updates.redhat.com/7.0/i686/kernel-enterprise-2.2.17-14.i686.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
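Added example (not part of the Red Hat or CIAC text): a shell function that checks downloaded packages against a manifest in the table layout above, one MD5 sum followed by a release/arch/package path per row. The 6.2 and 7.0 trees reuse file names with different sums, so rows are selected by a release/arch prefix; the function name, its arguments and the demo's stand-in files are assumptions made for this example.

```shell
#!/bin/sh
# verify_manifest MANIFEST PREFIX DIR   (hypothetical helper for this example)
#   MANIFEST: rows of "<md5sum> <release>/<arch>/<package>.rpm"
#   PREFIX:   release/arch to check, e.g. 7.0/i386. The 6.2 and 7.0 trees
#             reuse file names with different sums, so the prefix decides
#             which rows apply to the files in DIR.
# Returns 0 only if at least one row matches PREFIX and every such package
# is present in DIR with the listed MD5 sum. Header and rule lines are skipped.
verify_manifest() {
    manifest=$1 prefix=$2 dir=$3 rc=0 seen=0
    while read -r want path; do
        case $path in "$prefix"/*) ;; *) continue ;; esac
        seen=1
        file=$dir/${path##*/}
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(md5sum "$file" | cut -d' ' -f1)" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; rc=1
        fi
    done < "$manifest"
    [ "$seen" -eq 1 ] || { echo "no rows for $prefix"; rc=1; }
    return "$rc"
}

# Constructed demo: a stand-in file and manifest, not real kernel packages.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed 7.0 payload\n' > "$tmp/kernel-2.2.17-14.i386.rpm"
    sum=$(md5sum "$tmp/kernel-2.2.17-14.i386.rpm" | cut -d' ' -f1)
    {
        echo "MD5 sum                           Package Name"
        echo "00000000000000000000000000000000  6.2/i386/kernel-2.2.17-14.i386.rpm"
        echo "$sum  7.0/i386/kernel-2.2.17-14.i386.rpm"
    } > "$tmp/manifest.txt"
    # Same file name, two releases: only the 7.0 row matches this download.
    verify_manifest "$tmp/manifest.txt" 7.0/i386 "$tmp" && r70=0 || r70=$?
    verify_manifest "$tmp/manifest.txt" 6.2/i386 "$tmp" && r62=0 || r62=$?
    rm -rf "$tmp"
    echo "exit status: 7.0/i386=$r70 6.2/i386=$r62"
}
demo
```

A matching MD5 sum gives the same level of assurance as the `rpm --checksig --nogpg` check described below; the GPG signature check is what ties a package to Red Hat's key.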
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:

    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg <filename>

8. References:

Thanks to Solar Designer for finding the sysctl bug, and for the versions
of the sysctl and ptrace patches we used.

Copyright(c) 2000, 2001 Red Hat, Inc.

[****** End Redhat Advisory ******]

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-035: HP-UX Support Tools Manager Vulnerability
L-036: FreeBSD procfs Vulnerabilities
L-037: FreeBSD periodic Uses Insecure Temporary Files
L-038: FreeBSD inetd ident Server Vulnerability
L-039: FreeBSD sort Uses Insecure Temporary Files
L-040: The Ramen Worm
L-041: Microsoft Hotfix Packaging Anomalies
L-042: Compaq Web-enabled Management Software Buffer Overflow
L-043: Microsoft NTLMSSP Privilege Elevation Vulnerability
L-044: Microsoft Network DDE Agent Request Vulnerability