
Stack-Clash vulnerability - Reboot to enable new patched kernel

Once again, thanks to community member John Carver for highlighting a new Linux vulnerability. Qualys Security Labs discovered and demonstrated the vulnerability, and have named it "Stack-Clash".

The vulnerability affects memory management on all Linux distros, as well as other *nix-like OSes (e.g. OpenBSD, FreeBSD, Solaris). Unlike most previously reported vulnerabilities, this one is more a class of vulnerability than a bug in a single piece of software. As a result there is a range of CVE identifiers that relate to Stack-Clash, and not all of them are relevant to TurnKey, so I'm not going to list them all. If you're interested, please see the security advisory (the CVEs are all noted at the end of the intro).

The two (arguably) most important ones for TurnKey users are CVE-2017-1000364 (affecting the kernel) and CVE-2017-1000366 (affecting glibc, the GNU implementation of the C standard library). These are covered by DSA-3886-1 and DSA-3887-1 respectively. Courtesy of the Debian Security team, fixed packages are available, and they should already have been installed by the auto security updates mechanism. However, a new kernel is only loaded at boot, so systems will require a reboot. The libc6 fix only applies to processes started after the update, so a reboot also takes care of any long-running services still using the old library.


If auto updates fix this why do I need to know?

As with previous kernel updates: whilst the TurnKey security updates mechanism automatically installs all relevant security updates available from Debian, the kernel that is already running is not replaced by installing a package. Users still need to reboot the server to enable the patched kernel.

To be exploited, this vulnerability requires local user access (i.e. an account, or some other way, to run code on the machine). So in theory most TurnKey users, who do not add extra OS user accounts, should be relatively safe. This is even more so for v14.x users, as service accounts (e.g. www-data) no longer have a shell by default. However, attackers can, and often do, "daisy chain" exploits: a flaw that only lets them run code as a low-privileged user, combined with an unpatched privilege escalation like this one, could give them full control of your server! So don't leave it unpatched.

TurnKey v14.x supported; v13.x for about 11 months more

While v14.x is fully supported and a fix is also available for v13.x servers, the news for users of older TurnKey servers is not so good. The underlying issue has been present in the kernel for many years, so it is highly likely that v12.x and earlier versions of TurnKey are vulnerable, and they WILL NOT be getting a security patch. I strongly urge you to upgrade ASAP!

13.x users, please note that time is ticking: only about 11 months of security updates remain for v13.x! If you are still running v12.x or older, then it's long past time to upgrade to a supported version. Do it yesterday! If you're running v13.x, start planning your migration now.

TKLBAM can be used to migrate to a current version; please see our docs for a suggested workflow and further considerations. Please note that it's not exhaustive. If you have issues with something not covered, or something not working as you'd hope, please feel free to post in the support forums and we'll do our best to help out.

How can I check I'm safe?

The easiest way to check that you are OK is to check which kernel version you have installed and which one you are actually running. I'll also show you how to check the libc6 package (libc6 is the binary package built from the glibc source package).

Unless you are using a non-standard kernel (or running a 32-bit OS, where the kernel package has a different name), use this to check that you have the appropriate packages installed on v14.x:

apt-get update
apt-cache policy linux-image-3.16.0-4-amd64 libc6

Here's the output (of just the apt-cache command) from a local v14.1 server I have running:

linux-image-3.16.0-4-amd64:
  Installed: 3.16.43-2+deb8u1
  Candidate: 3.16.43-2+deb8u1
  Version table:
 *** 3.16.43-2+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.16.43-2 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
libc6:
  Installed: 2.19-18+deb8u10
  Candidate: 2.19-18+deb8u10
  Version table:
 *** 2.19-18+deb8u10 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.19-18+deb8u9 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages

Great, the auto security updates are working! :) This shows that I have the latest versions installed (I double checked against the Debian package page). v13.x users will need to check the package named 'linux-image-3.2.0-4-amd64' instead (i.e. 'apt-cache policy linux-image-3.2.0-4-amd64 libc6') and compare against the wheezy versions listed in the DSAs.

But wait; that's not all! Having the package installed is not enough: you also need to be running the new kernel. To check which kernel you are currently running, do this:

uname -v

Mine returns:

#1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07)

Yowsers! Looks like I need a reboot! I'll do that straight away...

** Jeremy reboots his server **

Ok, now I've rebooted, I'll double check that I am running the new kernel. So using the same uname command again I get:

#1 SMP Debian 3.16.43-2+deb8u1 (2017-06-18)

Whew! That's better! :)
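Putting the checks above together, here is an added example (my own script, not a TurnKey or Debian tool): a small POSIX shell script that derives the kernel package name from `uname -r` (so it also covers the 32-bit 686-pae kernel and the 3.2 kernel on v13.x), reads the installed versions from `apt-cache policy`, compares them with the fixed versions from the DSAs, and then checks whether the kernel that is running is the one that is installed. The fixed versions default to the jessie amd64 values quoted above; the FIXED_KERNEL and FIXED_LIBC6 environment variables and the `--live` flag are names I chose for this example. The parsing functions are exercised against the output quoted in this post; the live check uses `dpkg --compare-versions`, so it needs to run on the Debian host itself.

```bash
#!/bin/sh
# Added example (not TurnKey's or Debian's own tooling): automates the manual
# Stack-Clash check from the post. Fixed versions default to the jessie amd64
# ones quoted in the post (DSA-3886-1 / DSA-3887-1); override them for wheezy.
FIXED_KERNEL="${FIXED_KERNEL:-3.16.43-2+deb8u1}"
FIXED_LIBC6="${FIXED_LIBC6:-2.19-18+deb8u10}"

# Constructed sample input: the `apt-cache policy` output and `uname -v`
# string quoted in the post, trimmed to the lines the parser reads.
SAMPLE_POLICY='linux-image-3.16.0-4-amd64:
  Installed: 3.16.43-2+deb8u1
  Candidate: 3.16.43-2+deb8u1
  Version table:
 *** 3.16.43-2+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
libc6:
  Installed: 2.19-18+deb8u10
  Candidate: 2.19-18+deb8u10'
SAMPLE_UNAME_V='#1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07)'

# Map a kernel release string to its Debian binary package name,
# e.g. "3.16.0-4-amd64" -> "linux-image-3.16.0-4-amd64" (same for 686-pae).
kernel_package_name() {
    printf 'linux-image-%s\n' "$1"
}

# Pull the "Installed:" version of one package out of `apt-cache policy` text.
# $1 = policy text, $2 = package name. Prints nothing if not installed.
installed_version() {
    printf '%s\n' "$1" | awk -v pkg="$2:" '
        $1 == pkg                    { in_pkg = 1; next }
        /^[^ ]/                      { in_pkg = 0 }
        in_pkg && $1 == "Installed:" { if ($2 != "(none)") print $2; exit }'
}

# Extract the package version that Debian kernels embed in `uname -v`:
# "#1 SMP Debian 3.16.43-2+deb8u1 (2017-06-18)" -> "3.16.43-2+deb8u1".
# Prints nothing for a non-Debian kernel string.
running_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# True (exit 0) when the running kernel version equals the installed one,
# i.e. no reboot is outstanding. Empty versions never count as current.
kernel_is_current() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Combine the parsers: exit 0 when a reboot is needed for package $3.
# $1 = apt-cache policy text, $2 = uname -v text, $3 = kernel package name.
reboot_needed() {
    installed=$(installed_version "$1" "$3")
    running=$(running_version "$2")
    ! kernel_is_current "$installed" "$running"
}

# Gather the real data from this host and report. Exit 1 on any problem.
check_live_system() {
    pkg=$(kernel_package_name "$(uname -r)")
    policy=$(apt-cache policy "$pkg" libc6)
    inst_kernel=$(installed_version "$policy" "$pkg")
    inst_libc=$(installed_version "$policy" libc6)
    status=0

    if dpkg --compare-versions "${inst_kernel:-0}" ge "$FIXED_KERNEL"; then
        echo "$pkg $inst_kernel: fixed version installed"
    else
        echo "$pkg ${inst_kernel:-not installed}: UPDATE NEEDED (want >= $FIXED_KERNEL)"
        status=1
    fi
    if dpkg --compare-versions "${inst_libc:-0}" ge "$FIXED_LIBC6"; then
        echo "libc6 $inst_libc: fixed version installed"
    else
        echo "libc6 ${inst_libc:-not installed}: UPDATE NEEDED (want >= $FIXED_LIBC6)"
        status=1
    fi
    if reboot_needed "$policy" "$(uname -v)" "$pkg"; then
        echo "running kernel $(uname -v) != installed ${inst_kernel:-?}: REBOOT NEEDED"
        status=1
    else
        echo "running kernel matches installed package: no reboot needed"
    fi
    return $status
}

# Only touch the live system when asked; the functions above are pure.
case "${1:-}" in
    --live) check_live_system ;;
esac
```

Save it as, say, stackclash-check.sh (a name of my choosing) and run `sh stackclash-check.sh --live` on the server: a non-zero exit means either a package is still short of the DSA version or the running kernel is not the installed one. Run against the sample strings, it reports the same "reboot needed" situation I hit above.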

So what is it and is it fixed now?

I'm not going into the full technical detail. If you're after that, please read through the security advisory.

Essentially it is a memory management issue. Each process has a stack that grows as the program runs, and the kernel leaves a guard page between the stack and the next memory region to stop the two colliding. Qualys showed that the stack can be made to grow right over that single guard page into the neighbouring region (hence the "clash"), so a local user can read or write memory they shouldn't be able to. If you have installed the above fixes, then the issue has been mitigated: the patched kernel leaves a much larger gap below the stack, and the glibc update closes the specific tricks the researchers used to reach across it. With the patches applied, exploitation is impractical, but the underlying problem is not completely resolved (a full fix needs programs compiled to probe the stack as it grows, which will take time to arrive everywhere). We'll have to wait and see what developments there are...

Regardless, it's always good practice not to share your login credentials with others (add their SSH keys if need be), and to be especially vigilant about who you give shell access to.

Thanks again John!

Comments

Really useful content, much appreciated. Keep up the good work!
