On 17/05/13 01:29, Tristan Santore wrote:
On 17/05/13 01:03, Douglas Brown wrote:
Hi all,
You may have seen this vulnerability talked about recently:
http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
After a long time of evangelising about SELinux to my sceptical
colleagues, this seemed like the perfect opportunity to test it.
We tried the exploit with SELinux in permissive mode and it worked then
in enforcing and SELinux prevented it! Not that I'm surprised, but it's
nice to have a real-world exploit to demonstrate.
Cheers,
Doug
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
Actually, it is quite irrelevant, if the user is confined, because the
exploit can be modified to disable selinux, giving full access to the
system. Fact is, this exploit is quite nasty in that respect, as you can
pretty much modify anything.
So, in other words, it just makes the attackers life a tiny bit harder,
unless she is a script kiddie.
Regards,
Tristan
Looks like I hit the wrong reply button, so I will just say it again. As
the exploit gives access to ring0, there is nothing you cannot do with
minor code changes to the exploit.
Yes, of course one should not turn selinux off, as it is a mitigation
step and will make an attackers life a lot harder, if not impossible.
However, when you hit kernel exploits such as semtex, there is not much
you can do, but make sure you update the kernel and generally
prevent/fix other attack vectors by updating all packages.
The sysctl line below will mitigate the unmodified attack vector.
sysctl kernel.perf_event_paranoid=2
However, the author of the exploit would just rewrite the code to adapt
to this mitigation attempt.
There is now an update available:
https://rhn.redhat.com/errata/RHSA-2013-0830.html
Also, I have just received an email, which confirms the fix also has
been pushed to CEntOS mirrors.
So, this issue is now rectified across the board. If you want to play
with it and modify semtex for your own research purposes, please feel free.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
