Date: Mon, 14 Jan 2002 16:50:36 -0500 (EST)
From: EnGarde Secure Linux <[email protected]>
To: [email protected], [email protected]Subject: [ESA-20020114-003] Several local LIDS vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory January 14, 2002 |
| http://www.engardelinux.org/ ESA-20020114-003 |
| |
| Packages: kernel / lids-base |
| Summary: There are several local vulnerabilities in the LIDS system. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
Recently there were several local vulnerabilities discovered in the LIDS
system used by EnGarde Secure Linux which could allow an attacker to
gain root, and even disable LIDS completely.
DETAIL
- ------
Stealth of TESO recently discovered several vulnerabilities in the LIDS
(Linux Intrusion Detection System). The following is an outline of
these bugs:
1) Using the LD_PRELOAD environment variable (and potentially other
LD_ variables), an attacker can make programs granted specific
capabilities "leak" them to unprivileged processes. For example,
if there is a program granted CAP_SETUID then an attacker can gain
root.
2) An attacker, who has already gained root, could write directly to
the LIDS data structures in kernel memory (using /dev/kem) and
effectively disable LIDS.
3) Philippe Biondi of the LIDS team also discovered that programs
launched before LIDS is sealed keep full capabilities after the
sealing takes place. This allows a window of opportunity for an
attacker to leverage the CAP_SYS_RAWIO or CAP_SYS_MODULE
capabilities.
All known LIDS bugs are fixed with this release. In addition to new
kernel packages, there are new 'lids-base' packages with an updated LIDS
configuration to accommodate the kernel changes. All users are
recommended to upgrade immediately, following the special SOLUTION
outlined in this advisory.
SOLUTION
- --------
This information applies only to EnGarde Secure Linux Community edition
users. Registered users of the EnGarde Secure Linux Professional
edition can use the Guardian Digital Secure Network to upgrade their
packages automatically.
All users should upgrade to the most recent version as outlined in
this advisory. All updates may be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/
Please read and understand this entire section before you attempt to
upgrade the kernel.
Initial Steps
-------------
1) Verify the machine is either:
a) booted into a "standard" kernel; or
b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)
2) Determine which kernels you currently have installed:
# rpm -qa --qf "%{NAME}.%{ARCH}\n" | grep kernel
3) Download the new kernels that match what you have installed
(based on step 2) from the "UPDATED PACKAGES" section of this
advisory.
Installation Steps
------------------
4) Install the new kernel and lids-base packages. Because of version
dependencies, you MUST install both the updated kernel packages and
the new lids-base package at the same time. The kernel packages
will automagically update /etc/lilo.conf by commenting out any old
EnGarde images and replacing them with the new ones:
# rpm --replacefiles -i <kernel 1> <kernel 2> ... <lids-base>
5) The new lids-base package will automatically update your LIDS
configuration to work with the new kernels. You must now re-run
LILO by hand. If you see any errors then open /etc/lilo.conf in
your favorite text editor and make the appropriate changes:
# /sbin/lilo
Final Steps
-----------
6) If you did not see any LILO errors then your new kernel is now
installed and your machine is ready to be rebooted:
# reboot
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/kernel-2.2.19-1.0.24.src.rpm
MD5 Sum: 18e6a28e9b97b70e4d47693a14d5bc5d
SRPMS/lids-base-0.9.15-1.0.27.src.rpm
MD5 Sum: 06e4e37f90072cc02ee57ef8bc342c16
Binary Packages:
i386/kernel-2.2.19-1.0.24.i386.rpm
MD5 Sum: e81ed6ebea8cbbd48436dd4dca77f12b
i386/kernel-lids-mods-2.2.19-1.0.24.i386.rpm
MD5 Sum: 5d05f9f9bf4c18b50cb6d5bffde09218
i386/kernel-smp-lids-mods-2.2.19-1.0.24.i386.rpm
MD5 Sum: 8bece6223cd528772e12cfab1599625b
i386/kernel-smp-mods-2.2.19-1.0.24.i386.rpm
MD5 Sum: a609eae6b7505f2827ca13611dcfa5af
i686/kernel-2.2.19-1.0.24.i686.rpm
MD5 Sum: de36286c504b2593814ff61505afc4fc
i686/kernel-lids-mods-2.2.19-1.0.24.i686.rpm
MD5 Sum: b4c1232d4f77dfb7375d842659387116
i686/kernel-smp-lids-mods-2.2.19-1.0.24.i686.rpm
MD5 Sum: 4a719fcf119a553d11807c2d8a0c0b45
i686/kernel-smp-mods-2.2.19-1.0.24.i686.rpm
MD5 Sum: 7d3c6094a8c1ac1e8797c04b64ad746c
i386/lids-base-0.9.15-1.0.26.i386.rpm
MD5 Sum: 698cb992aa428eec3e38c220043792d7
i686/lids-base-0.9.15-1.0.26.i686.rpm
MD5 Sum: 337b68513574355c4c120b11b79b8726
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
The LIDS Advisory Published by TESO:
http://www.team-teso.org/advisories/teso-advisory-012.txt
Credit for the discovery of these bugs goes to:
Stealth <[email protected]>
Philippe Biondi <[email protected]>
LIDS' Official Web Site:
http://www.lids.org/
Security Contact: [email protected]
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20020114-003-lids,v 1.2 2002/01/14 21:36:46 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <[email protected]>
Copyright 2002, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8Q1K8HD5cqd57fu0RAtocAKCIZmidzsXN8flTdIs3CuEUnKc0iQCfXC36
KntTvaLxrxv/sliUpQ36SmM=
=00IX
-----END PGP SIGNATURE-----
