Thomas Roth
2009-Aug-21 16:41 UTC
[Lustre-discuss] Lustre and kernel vulnerability CVE-2009-2692
Hi all,

while trying to fix the recent kernel vulnerability (CVE-2009-2692) we found that in most cases, our Lustre 1.6.5.1, 1.6.6 and 1.6.7.2 clients seemed to be quite well protected, at least against the published exploit: wunderbar_emporium seems to work, but then the root shell never appears. Instead, the client freezes, requiring a reset.
Anybody else with such experiences?

Employing the recommended workaround by setting vm.mmap_min_addr to 4096 blew up in our face: in particular machines with older kernels not knowing about mmap_min_addr reacted quite irrationally, such as segfaulting about every process running on the machine. Crazy things that should not be possible ....

Regards,
Thomas

Peter Kjellstrom
2009-Aug-21 17:01 UTC
[Lustre-discuss] Lustre and kernel vulnerability CVE-2009-2692
On Friday 21 August 2009, Thomas Roth wrote:
> Hi all,
>
> while trying to fix the recent kernel vulnerability (CVE-2009-2692) we
> found that in most cases, our Lustre 1.6.5.1, 1.6.6 and 1.6.7.2 clients
> seemed to be quite well protected, at least against the published
> exploit: wunderbar_emporium seems to work, but then the root shell never
> appears. Instead, the client freezes, requiring a reset.
> Anybody else with such experiences?

One version of an exploit failing is not very comforting. There are several exploits in the wild.

> Employing the recommended workaround by setting vm.mmap_min_addr to 4096
> blew up in our face: in particular machines with older kernels not
> knowing about mmap_min_addr reacted quite irrationally, such as
> segfaulting about every process running on the machine. Crazy things
> that should not be possible ....

I _think_ you are safe:
 if (mmap_min_addr > 0 and (kernel >= 2.6.18-128.4.1 and selinux == disabled))

We've rolled out a patched kernel.

/Peter

> Regards,
> Thomas

Robin Humble
2009-Aug-21 17:11 UTC
[Lustre-discuss] Lustre and kernel vulnerability CVE-2009-2692
On Fri, Aug 21, 2009 at 06:41:01PM +0200, Thomas Roth wrote:
>Hi all,
>
>while trying to fix the recent kernel vulnerability (CVE-2009-2692) we
>found that in most cases, our Lustre 1.6.5.1, 1.6.6 and 1.6.7.2 clients
>seemed to be quite well protected, at least against the published
>exploit: wunderbar_emporium seems to work, but then the root shell never
>appears. Instead, the client freezes, requiring a reset.
>Anybody else with such experiences?

no freezes here.
wunderbar_emporium didn't work against rhel/centos 2.6.18-128.4.1.el5 with patchless Lustre 1.6.7.2 after it was patched with the upstream one-liner:
 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
no idea if it was exploitable before or not - didn't try.

RedHat's view on this vulnerability is err, interesting... :-/
 http://kbase.redhat.com/faq/docs/DOC-18065
 https://bugzilla.redhat.com/show_bug.cgi?id=516949

>Employing the recommended workaround by setting vm.mmap_min_addr to 4096

where did you see that recommended?
the RHEL based machines I've looked at have this set to 64k, but if they are also running SELinux (which I presume few Lustre machines are?) then they still might be vulnerable I guess.

cheers,
robin

>blew up in our face: in particular machines with older kernels not
>knowing about mmap_min_addr reacted quite irrationally, such as
>segfaulting about every process running on the machine. Crazy things
>that should not be possible ....
>
>Regards,
>Thomas

Thomas Roth
2009-Aug-21 18:08 UTC
[Lustre-discuss] Lustre and kernel vulnerability CVE-2009-2692
Peter Kjellstrom wrote:
> On Friday 21 August 2009, Thomas Roth wrote:
>> Hi all,
>>
>> while trying to fix the recent kernel vulnerability (CVE-2009-2692) we
>> found that in most cases, our Lustre 1.6.5.1, 1.6.6 and 1.6.7.2 clients
>> seemed to be quite well protected, at least against the published
>> exploit: wunderbar_emporium seems to work, but then the root shell never
>> appears. Instead, the client freezes, requiring a reset.
>> Anybody else with such experiences?
>
> One version of an exploit failing is not very comforting. There are several
> exploits in the wild.

Of course not. I didn't mean to say that Lustre clients are invulnerable, just thought it funny that this exploit and Lustre seem to "exclude" each other. It might mean that whatever part of the running system is used by the exploits is also Lustre-relevant. That would be even less comforting then.

>> Employing the recommended workaround by setting vm.mmap_min_addr to 4096
>> blew up in our face: in particular machines with older kernels not
>> knowing about mmap_min_addr reacted quite irrationally, such as
>> segfaulting about every process running on the machine. Crazy things
>> that should not be possible ....
>
> I _think_ you are safe:
> if (mmap_min_addr > 0 and (kernel >= 2.6.18-128.4.1 and selinux == disabled))
>

Well, I understood the vulnerability was present in all kernels up to 2.6.30, until the recent fixes arrived. Once you have a patched kernel, you don't have to bother about mmap_min_addr.

> We've rolled out a patched kernel.
>
> /Peter
>

Regards,
Thomas
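
Added example, not part of any message in this thread: a shell check that evaluates the condition quoted in Peter Kjellstrom's reply (mmap_min_addr > 0, kernel >= 2.6.18-128.4.1, SELinux disabled) for one host, and flags kernels that expose no vm.mmap_min_addr, the case Thomas Roth describes. The function names and verdict strings are made up here; the script reports whether that stated condition holds, not whether the kernel carries the upstream fix.

```sh
#!/bin/sh
# Added example: evaluates the condition quoted in the thread for one host.
# Function names and verdict strings are made up for this sketch.

BASELINE="2.6.18-128.4.1"   # kernel release named in the thread (RHEL/CentOS 5)

# Strip distro suffixes such as ".el5" so only the numeric release is compared.
numeric_release() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*(-[0-9]+(\.[0-9]+)*)?).*/\1/'
}

# True when release $1 is at or above release $2 (GNU sort -V ordering).
release_ge() {
    rel_a=$(numeric_release "$1"); rel_b=$(numeric_release "$2")
    [ "$(printf '%s\n%s\n' "$rel_a" "$rel_b" | sort -V | head -n1)" = "$rel_b" ]
}

# assess MMAP_MIN_ADDR KERNEL_RELEASE SELINUX_STATE: prints one verdict line.
assess() {
    case $1 in
        ''|*[!0-9]*) echo "review: kernel exposes no vm.mmap_min_addr"; return ;;
    esac
    case $2 in
        2.6.18-*) ;;   # the baseline is only comparable within this series
        *) echo "review: $2 is outside the 2.6.18 series"; return ;;
    esac
    if [ "$1" -gt 0 ] && release_ge "$2" "$BASELINE" && [ "$3" = "disabled" ]; then
        echo "condition met"
    else
        echo "review: condition not met"
    fi
}

# Gather the three values on the local host and assess them.
assess_local() {
    min_addr=""; selinux="disabled"
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        min_addr=$(cat /proc/sys/vm/mmap_min_addr)
    fi
    # Assumption: no getenforce binary means no SELinux userland, treated as disabled.
    if command -v getenforce >/dev/null 2>&1; then
        selinux=$(getenforce | tr 'A-Z' 'a-z')
    fi
    assess "$min_addr" "$(uname -r)" "$selinux"
}
```

Call assess_local on a client, or feed assess with values collected from many nodes; any "review" verdict means the host needs a closer look or the patched kernel.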