Document retrieved from a search-engine cache. Original document address: http://theory.sinp.msu.ru/pipermail/ru-ngi/2015q3/001611.html
Modification date: Fri Jul 31 22:46:49 2015
Indexing date: Sun Apr 10 18:24:24 2016
[RU-NGI] Fwd: [Noc-managers] **Update** EGI SVG Advisory 'Critical' risk libuser local root exploit CVE-2015-3245, CVE-2015-3246 for RedHat and derivatives.

Alexander Kryukov kryukov at theory.sinp.msu.ru
Thu Jul 30 18:59:31 MSK 2015


FYI


-------- Forwarded Message --------
Subject: [Noc-managers] **Update** EGI SVG Advisory 'Critical' risk libuser local root exploit CVE-2015-3245, CVE-2015-3246 for RedHat and derivatives.
Date: Thu, 30 Jul 2015 13:21:32 +0000
From: linda.cornwall at stfc.ac.uk
To: site-security-contacts at mailman.egi.eu, 
ngi-security-contacts at mailman.egi.eu, noc-managers at mailman.egi.eu
CC: svg-rat at mailman.egi.eu, csirt at mailman.egi.eu

** WHITE information - Unlimited distribution allowed **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution 
restrictions **

EGI ADVISORY [EGI-ADV-20150724]

Title:       **Update** EGI SVG Advisory 'Critical' risk libuser local 
root exploit CVE-2015-3245, CVE-2015-3246 for RedHat and derivatives.

Date:        2015-07-24
Updated:     2015-07-30

URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/libuser-2015-07-24

Introduction
============

A vulnerability has been announced by RedHat concerning libuser [R 1], 
CVE-2015-3245 and CVE-2015-3246, which allow a local root exploit. Exploits 
which have been shown to work very easily are publicly available.

This vulnerability is present in the case of access via a local user 
account and its password. Fortunately much of the access to the EGI 
infrastructure is NOT via this method; so much of the EGI infrastructure 
is not likely to be affected.

However, if access via login with a local user and password is enabled, 
then sites should act quickly to update. One scenario in EGI where 
access is likely to be via this method is where User Interfaces (UIs) 
are made available with a local passwd file.

**Update 2015-07-30**

As questions on the target of the advisory were raised, sites are 
reminded that this advisory applies to all systems with libuser installed 
and thus that they are expected to update to a non-vulnerable version.
However, as for any vulnerability, sites can apply temporary mitigation 
(see the recommendations) if an update is not an option.


Details
=======

More details are available at [R 1], [R 2]

It is fairly common that people use the old-fashioned "simply rsync the 
passwd and shadow files" method to distribute account information, and a 
likely attacker is somebody who has managed to steal a password with a 
keyboard sniffer.

Risk category
=============

This issue has been assessed as 'Critical' by the EGI CSIRT and EGI SVG 
Risk Assessment Team.


Affected software
=================

Red Hat Linux 5, 6, and 7 and their derivatives.

As far as we are aware, and from [R 2], this ONLY affects RedHat and its 
derivatives.


Mitigation
==========

**Update 2015-07-30**

The two possible (temporary) mitigations are:
- Disable all local accounts with local passwords (except root), or
- Disable access to chsh/chfn via PAM as defined in [R 1]


Component installation information
==================================

RedHat
------

For RedHat 5 this is not going to be updated as stated in [R 1]. So if 
using username and password for RH 5 and its derivatives there is a need 
to migrate to a more recent version of Linux. In the meantime there is 
the mitigation documented in [R 1].

For RedHat 6 see [R 3]

For RedHat 7 see [R 4]

**Update 2015-07-30** This patch is not yet available in SL6.

Recommendations
===============

All those who provide services which are accessed via a local username 
and password must update urgently or take mitigating action.

All affected running resources MUST be either patched or otherwise have 
a work-around in place by 2015-07-31T21:00+01:00. Sites failing to act 
and/or failing to respond to requests from the EGI CSIRT team risk site 
suspension.

**Update 2015-07-30**

Due to the absence of any released patch for Scientific Linux 6, sites 
that are not able to apply the patch are highly encouraged to apply any 
of the above mitigations while waiting for the patch.


Credit
======

SVG was alerted to this vulnerability by Leif Nixon.

References
==========

[R 1] https://access.redhat.com/articles/1537873

[R 2] http://www.openwall.com/lists/oss-security/2015/07/23/16

[R 3] https://rhn.redhat.com/errata/RHSA-2015-1482.html

[R 4] https://rhn.redhat.com/errata/RHSA-2015-1483.html



Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so 
suggestions and comments are welcome.


Timeline
========
Yyyy-mm-dd

2015-07-23 SVG alerted to this vulnerability by Leif Nixon.
2015-07-23 Public exploit tested by Vincent Brillault, found to work easily
2015-07-23 All those who looked agreed on 'Critical' where exploitable.
2015-07-24 Advisory drafted.
2015-07-24 Advisory sent to sites
2015-07-30 Update for clarification

------------------------------------------------------------------
Dr Linda Cornwall,
Particle Physics Department,
STFC Rutherford Appleton Laboratory,
Harwell Oxford,
DIDCOT,
OX11 OQX,
United Kingdom

E-mail  Linda.Cornwall at stfc.ac.uk
Tel.    +44 (0) 1235 44 6138
Skype   linda.ann.cornwall


_______________________________________________
Noc-managers mailing list
Noc-managers at mailman.egi.eu
https://mailman.egi.eu/mailman/listinfo/noc-managers

-- 
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156
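A triage helper for the first mitigation in the forwarded advisory, added here as an example and not part of the advisory or of any EGI tooling: it lists the accounts in a shadow-format file that still carry a usable password hash (everything except root and locked entries), which is exactly the set the "disable all local accounts with local passwords" step has to cover, and reports whether the libuser package is installed. The shadow lines and hashes are constructed sample data, and libuser_installed assumes an RPM-based system.

```shell
#!/bin/sh
# Added example for the libuser advisory (CVE-2015-3245, CVE-2015-3246).
# Not part of the advisory; sample data below is constructed.

# Print accounts whose password field is a real hash. Locked or
# passwordless entries ("!", "!!", "!<hash>", "*", empty) are skipped,
# and root is excluded because the mitigation keeps it.
list_password_accounts() {
    shadow_file="$1"
    awk -F: '
        $1 != "root" && $2 != "" && $2 != "*" && $2 !~ /^!/ { print $1 }
    ' "$shadow_file"
}

# Exit 0 if the libuser RPM is installed, 1 if not, 2 if rpm is absent
# (non-RPM system: the advisory's affected-software list does not apply).
libuser_installed() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q libuser >/dev/null 2>&1
}

# Constructed shadow-format sample: root and two users keep usable hashes,
# bin is a system account, bob is locked with "!", carol has "!!".
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhash:16600:0:99999:7:::
bin:*:16600:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16600:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:16600:0:99999:7:::
carol:!!:16600:0:99999:7:::
dave:$1$constructedsalt$constructedhash:16600:0:99999:7:::
EOF
}

# Usage: run with a path to a shadow file, or with no argument to
# process the constructed sample. Prints the accounts still to lock.
if [ "$#" -ge 1 ]; then
    list_password_accounts "$1"
else
    tmp=$(mktemp)
    sample_shadow > "$tmp"
    list_password_accounts "$tmp"
    rm -f "$tmp"
fi
```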



