From security@guardiandigital.com Mon Jan 14 21:11:44 2002 From: EnGarde Secure Linux X-Sender: security@mastermind.inside.guardiandigital.com To: engarde-security@guardiandigital.com, bugtraq@securityfocus.com Date: Mon, 14 Jan 2002 16:50:36 -0500 (EST) Subject: [ESA-20020114-003] Several local LIDS vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +------------------------------------------------------------------------+ | EnGarde Secure Linux Security Advisory January 14, 2002 | | http://www.engardelinux.org/ ESA-20020114-003 | | | | Packages: kernel / lids-base | | Summary: There are several local vulnerabilities in the LIDS system. | +------------------------------------------------------------------------+ EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, complete e-commerce using AllCommerce, and integrated open source security tools. OVERVIEW - -------- Recently there were several local vulnerabilities discovered in the LIDS system used by EnGarde Secure Linux which could allow an attacker to gain root, and even disable LIDS completely. DETAIL - ------ Stealth of TESO recently discovered several vulnerabilities in the LIDS (Linux Intrusion Detection System). The following is an outline of these bugs: 1) Using the LD_PRELOAD environment variable (and potentially other LD_ variables), an attacker can make programs granted specific capabilities "leak" them to unprivileged processes. For example, if there is a program granted CAP_SETUID then an attacker can gain root. 2) An attacker, who has already gained root, could write directly to the LIDS data structures in kernel memory (using /dev/kem) and effectively disable LIDS. 3) Philippe Biondi of the LIDS team also discovered that programs launched before LIDS is sealed keep full capabilities after the sealing takes place. This allows a window of opportunity for an attacker to leverage the CAP_SYS_RAWIO or CAP_SYS_MODULE capabilities. All known LIDS bugs are fixed with this release. In addition to new kernel packages, there are new 'lids-base' packages with an updated LIDS configuration to accommodate the kernel changes. All users are recommended to upgrade immediately, following the special SOLUTION outlined in this advisory. SOLUTION - -------- This information applies only to EnGarde Secure Linux Community edition users. Registered users of the EnGarde Secure Linux Professional edition can use the Guardian Digital Secure Network to upgrade their packages automatically. All users should upgrade to the most recent version as outlined in this advisory. All updates may be found at: ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ http://ftp.engardelinux.org/pub/engarde/stable/updates/ Please read and understand this entire section before you attempt to upgrade the kernel. Initial Steps ------------- 1) Verify the machine is either: a) booted into a "standard" kernel; or b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL) 2) Determine which kernels you currently have installed: # rpm -qa --qf "%{NAME}.%{ARCH}\n" | grep kernel 3) Download the new kernels that match what you have installed (based on step 2) from the "UPDATED PACKAGES" section of this advisory. Installation Steps ------------------ 4) Install the new kernel and lids-base packages. Because of version dependencies, you MUST install both the updated kernel packages and the new lids-base package at the same time. The kernel packages will automagically update /etc/lilo.conf by commenting out any old EnGarde images and replacing them with the new ones: # rpm --replacefiles -i ... 5) The new lids-base package will automatically update your LIDS configuration to work with the new kernels. You must now re-run LILO by hand. If you see any errors then open /etc/lilo.conf in your favorite text editor and make the appropriate changes: # /sbin/lilo Final Steps ----------- 6) If you did not see any LILO errors then your new kernel is now installed and your machine is ready to be rebooted: # reboot UPDATED PACKAGES - ---------------- These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra). Source Packages: SRPMS/kernel-2.2.19-1.0.24.src.rpm MD5 Sum: 18e6a28e9b97b70e4d47693a14d5bc5d SRPMS/lids-base-0.9.15-1.0.27.src.rpm MD5 Sum: 06e4e37f90072cc02ee57ef8bc342c16 Binary Packages: i386/kernel-2.2.19-1.0.24.i386.rpm MD5 Sum: e81ed6ebea8cbbd48436dd4dca77f12b i386/kernel-lids-mods-2.2.19-1.0.24.i386.rpm MD5 Sum: 5d05f9f9bf4c18b50cb6d5bffde09218 i386/kernel-smp-lids-mods-2.2.19-1.0.24.i386.rpm MD5 Sum: 8bece6223cd528772e12cfab1599625b i386/kernel-smp-mods-2.2.19-1.0.24.i386.rpm MD5 Sum: a609eae6b7505f2827ca13611dcfa5af i686/kernel-2.2.19-1.0.24.i686.rpm MD5 Sum: de36286c504b2593814ff61505afc4fc i686/kernel-lids-mods-2.2.19-1.0.24.i686.rpm MD5 Sum: b4c1232d4f77dfb7375d842659387116 i686/kernel-smp-lids-mods-2.2.19-1.0.24.i686.rpm MD5 Sum: 4a719fcf119a553d11807c2d8a0c0b45 i686/kernel-smp-mods-2.2.19-1.0.24.i686.rpm MD5 Sum: 7d3c6094a8c1ac1e8797c04b64ad746c i386/lids-base-0.9.15-1.0.26.i386.rpm MD5 Sum: 698cb992aa428eec3e38c220043792d7 i686/lids-base-0.9.15-1.0.26.i686.rpm MD5 Sum: 337b68513574355c4c120b11b79b8726 REFERENCES - ---------- Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY The LIDS Advisory Published by TESO: http://www.team-teso.org/advisories/teso-advisory-012.txt Credit for the discovery of these bugs goes to: Stealth Philippe Biondi LIDS' Official Web Site: http://www.lids.org/ Security Contact: security@guardiandigital.com EnGarde Advisories: http://www.engardelinux.org/advisories.html - -------------------------------------------------------------------------- $Id: ESA-20020114-003-lids,v 1.2 2002/01/14 21:36:46 rwm Exp $ - -------------------------------------------------------------------------- Author: Ryan W. Maple, Copyright 2002, Guardian Digital, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8Q1K8HD5cqd57fu0RAtocAKCIZmidzsXN8flTdIs3CuEUnKc0iQCfXC36 KntTvaLxrxv/sliUpQ36SmM= =00IX -----END PGP SIGNATURE-----