Proof is in the pudding

Tristan Santore tristan.santore at internexusconnect.net
Fri May 17 01:19:43 UTC 2013


On 17/05/13 01:29, Tristan Santore wrote:
> On 17/05/13 01:03, Douglas Brown wrote:
>> Hi all,
>>
>> You may have seen this vulnerability talked about recently:
>> http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
>>
>>
>> After a long time of evangelising about SELinux to my sceptical
>> colleagues, this seemed like the perfect opportunity to test it.
>>
>> We tried the exploit with SELinux in permissive mode and it worked then
>> in enforcing and SELinux prevented it! Not that I'm surprised, but it's
>> nice to have a real-world exploit to demonstrate.
>>
>> Cheers,
>> Doug
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
> Actually, it is quite irrelevant, if the user is confined, because the
> exploit can be modified to disable selinux, giving full access to the
> system. Fact is, this exploit is quite nasty in that respect, as you can
> pretty much modify anything.
> So, in other words, it just makes the attacker's life a tiny bit harder,
> unless she is a script kiddie.
>
> Regards,
> Tristan
>
Looks like I hit the wrong reply button, so I will just say it again. As 
the exploit gives access to ring0, there is nothing you cannot do with 
minor code changes to the exploit.

Yes, of course one should not turn selinux off, as it is a mitigation 
step and will make an attacker's life a lot harder, if not impossible.
However, when you hit kernel exploits such as semtex, there is not much 
you can do, but make sure you update the kernel and generally 
prevent/fix other attack vectors by updating all packages.

The sysctl line below will mitigate the unmodified attack vector.

sysctl kernel.perf_event_paranoid=2

However, the author of the exploit would just rewrite the code to adapt 
to this mitigation attempt.

There is now an update available:
https://rhn.redhat.com/errata/RHSA-2013-0830.html

Also, I have just received an email, which confirms the fix also has 
been pushed to CentOS mirrors.

So, this issue is now rectified across the board. If you want to play 
with it and modify semtex for your own research purposes, please feel free.

Regards,
Tristan

-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org
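As an added example (not code from this thread, and not the semtex exploit itself), the small C program below shows what the kernel.perf_event_paranoid=2 line discussed above actually gates. It reads the current level from /proc/sys/kernel/perf_event_paranoid, then tries to open a harmless software counter (PERF_COUNT_SW_TASK_CLOCK) twice: once sampling the kernel (exclude_kernel=0) and once user-space only (exclude_kernel=1). On an unpatched kernel with level >= 2, an unprivileged caller gets EACCES for the first open and success for the second, which is exactly why the sysctl stops the unmodified exploit but not a variant adapted to it. The function names (read_paranoid_level, expect_denied, probe_perf_open) and the -100 sentinel are this example's own choices; the model in expect_denied is a simplification of the kernel's CAP_SYS_ADMIN check, not a full reimplementation.

```c
/* Added example: probe the perf_event_paranoid gate from unprivileged user space.
 * Build: cc -O2 -o perf_probe perf_probe.c ; run as a normal user and as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/perf_event.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read kernel.perf_event_paranoid from procfs.
 * Returns -100 (assumed sentinel, never a real level) if it cannot be read. */
int read_paranoid_level(void) {
    FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");
    if (!f) return -100;
    int level = -100;
    if (fscanf(f, "%d", &level) != 1) level = -100;
    fclose(f);
    return level;
}

/* Simplified model of the check in sys_perf_event_open():
 * with level > 1, a caller without CAP_SYS_ADMIN may not open an event that
 * samples the kernel (exclude_kernel == 0). A user-space-only event is still
 * permitted, which is the gap an adapted exploit can use.
 * Returns 1 when the open is expected to be refused, 0 otherwise. */
int expect_denied(int level, int exclude_kernel, int has_cap_sys_admin) {
    if (has_cap_sys_admin) return 0;
    if (level > 1 && !exclude_kernel) return 1;
    return 0;
}

/* Try to open a benign, disabled software counter on the calling thread.
 * Returns 0 on success or the errno from the syscall (EACCES under the
 * sysctl mitigation, EPERM/ENOSYS in sandboxes that block the syscall). */
int probe_perf_open(int exclude_kernel) {
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_SW_TASK_CLOCK;
    attr.disabled = 1;                 /* never actually counts anything */
    attr.exclude_kernel = exclude_kernel ? 1 : 0;
    long fd = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0) return errno;
    close((int)fd);
    return 0;
}

int main(void) {
    int level = read_paranoid_level();
    int root = (geteuid() == 0);       /* approximation for CAP_SYS_ADMIN */
    printf("kernel.perf_event_paranoid = %d (euid %s)\n", level, root ? "root" : "user");

    for (int excl = 0; excl <= 1; excl++) {
        int err = probe_perf_open(excl);
        int want = expect_denied(level, excl, root);
        printf("exclude_kernel=%d: %s%s%s (model expects %s)\n", excl,
               err ? "denied: " : "opened",
               err ? strerror(err) : "", "",
               want ? "denied" : "allowed");
    }
    if (level < 2 && !root)
        puts("mitigation not active: set kernel.perf_event_paranoid=2 on vulnerable kernels");
    return 0;
}
```

Run it once before and once after applying the sysctl: the exclude_kernel=0 line should flip from "opened" to "denied: Permission denied" for an unprivileged user, while the exclude_kernel=1 line stays "opened". That second line is the practical reminder that the sysctl narrows the reachable code path but does not fix the bug; only the updated kernel does.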

