Following some rather alarming news regarding a privilege escalation flaw in the Linux kernel, the DEOSS community server has just received a series of security patches. The main issue was a bug known as CVE-2010-3904. Seems that an attacker would have actualy needed local (rather than remote shell) access in order to exploit this vulnerability because it relates to the way data is moved between kernel and user space:-
“On Linux, recvmsg() style socket calls are performed using iovec structs, which allow a user to specify a base address and size for a buffer used to receive socket data. Each packet family is responsible for defining functions that copy socket data, which is received by the kernel, back to user space to allow user programs to process and handle received network data.
When performing this copying of data to user space, the RDS protocol failed to verify that the base address of a user-provided iovec struct pointed to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. As a result, by providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory. This can be leveraged to escalate privileges to root.“
The Linux Kernel flaw was fixed within six days of its being reported. We feel this is actually a very good response time – far faster that is customary fixing security issues with certain proprietary operating systems!
This is the Timeline:-
2010-10-13 Vulnerability reported to Linux security team
2010-10-13 Response, agreement on disclosure date
2010-10-19 Fix publicly committed
2010-10-19 Coordinated disclosure
There was also a second less serious privilege escalation flaw (CVE-2010-3847). This is related to a bug in the library loader of the GNU C library. It seems that Red Hat Enterprise Linux (RHEL) 5 and CentOS are affected, whilst 64 bit Ubuntu 10.04 is unaffected. Ubuntu is a Debian-based OS. However it is unclear whether whether Debian itself was affected or not.
We have also routinely upgraded all the Moodle, Joomla, Coppermine, eGroupware TikiWiki and WordPress CMS’s hosted on this server and a full off-site remote backup has been undertaken both before and after the various patching and upgrading.