grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE* (privilege elevation)
grsecurity 2.1.2 has been released today for the 2.4.29 and 2.6.11 kernels. This is a critical release, and all users of grsecurity are strongly urged to upgrade as soon as possible.

Changes in this release include: the removal of RANDEXEC from the configuration; a fix for the unsafe terminal false positive; the ability to use hostnames instead of IPs in the RBAC policy file; the removal of the randomized TCP ISN, RPC XID, and IP ID code, since they added no greater security than what Linux currently provides; more consistent log messages; and PaX updates.

Of particular importance is a fix for an exploitable vulnerability in PaX that exists if the SEGMEXEC or RANDEXEC features are enabled. The vulnerability was found yesterday by the PaX team during an audit of their code. Though remote exploitation of the vulnerability is very unlikely, it can be abused locally to compromise the system. If you have grsecurity configured in the LOW or MEDIUM settings, you are not vulnerable. To mitigate some of the risk imposed by the vulnerability until you can patch your machines, run:

echo "0 0" > /proc/sys/vm/pagetable_cache
The PaX team's advisory is available here.
The 2.6.11 patch has been updated to contain the compile fixes and Dell keyboard fix in 2.6.11.1.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
PaX privilege elevation security bug

Severity:       critical

Description:    unprivileged users can execute arbitrary code with
                the privileges of the target in any program they or
                other users can execute

                it is definitely exploitable for local users,
                remote exploitability depends on how much control
                one can have over executable file mappings in the
                target

Affected
versions:       all releases since 2003 September
                (when vma mirroring was introduced)

Affected
configurations: anyone having SEGMEXEC or RANDEXEC (vma mirroring)
                in the kernel's .config file

Fixed versions: patches released today, see http://pax.grsecurity.net

Mitigation:     echo "0 0" > /proc/sys/vm/pagetable_cache

                this will eliminate the obvious exploit vector only,
                patching is still unavoidable

Technical details will be posted to the dailydave mailing list,
probably early next week.

This is a spectacular ****up, it pretty much destroys what PaX has
always stood and been trusted for. For this and other reasons, PaX
will be terminated on 1st April, 2005, a fitting date... Brad Spengler
offered to take it up but if you're interested in helping as well,
contact pageexec at freemail.hu.
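The announcement and the advisory both say the same two things an administrator needs to establish on each machine: whether the running kernel has vma mirroring (SEGMEXEC or RANDEXEC) enabled, and whether the interim pagetable_cache mitigation is in place until the patch is applied. The script below is an added example, not code from grsecurity or the PaX team; it assumes the kernel config option names CONFIG_PAX_SEGMEXEC and CONFIG_PAX_RANDEXEC and a plain-text config file such as /boot/config-$(uname -r). The sample config and sysctl files it creates in the demo are constructed so the check runs without root or a PaX kernel.

```shell
#!/bin/sh
# Added example (not from the announcement or advisory): assess exposure to
# the PaX vma-mirroring bug and apply the advisory's interim mitigation.
# Assumed: CONFIG_PAX_SEGMEXEC / CONFIG_PAX_RANDEXEC are the .config names
# for the SEGMEXEC and RANDEXEC features; the sysctl file is the one named
# in the advisory, /proc/sys/vm/pagetable_cache.

# pax_mirroring_enabled CONFIG_FILE
# true (0) if the config enables SEGMEXEC or RANDEXEC, false (1) otherwise.
pax_mirroring_enabled() {
    grep -Eq '^CONFIG_PAX_(SEGMEXEC|RANDEXEC)=y' "$1"
}

# pagetable_cache_mitigated SYSCTL_FILE
# true (0) if the file reads "0 0" (pagetable cache disabled), else false.
pagetable_cache_mitigated() {
    read -r lo hi < "$1" || return 1
    [ "${lo:-x}" = "0" ] && [ "${hi:-x}" = "0" ]
}

# assess CONFIG_FILE SYSCTL_FILE
# prints one word: not-affected, mitigated, or exposed
assess() {
    if ! pax_mirroring_enabled "$1"; then
        echo not-affected
    elif pagetable_cache_mitigated "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# apply_mitigation [SYSCTL_FILE]
# Writes the advisory's "0 0" setting; needs root on a real system.
# A different path may be given so the function can be exercised safely.
apply_mitigation() {
    printf '0 0\n' > "${1:-/proc/sys/vm/pagetable_cache}"
}

# Demo on constructed files: shows each outcome and the effect of mitigating.
demo() {
    tmp=$(mktemp -d)
    printf 'CONFIG_PAX=y\nCONFIG_PAX_SEGMEXEC=y\n' > "$tmp/config-pax"
    printf 'CONFIG_PAX=y\n# CONFIG_PAX_SEGMEXEC is not set\n' > "$tmp/config-nopax"
    printf '25 50\n' > "$tmp/ptc"            # constructed non-zero values
    echo "no mirroring:      $(assess "$tmp/config-nopax" "$tmp/ptc")"
    echo "mirroring, no fix: $(assess "$tmp/config-pax" "$tmp/ptc")"
    apply_mitigation "$tmp/ptc"
    echo "after mitigation:  $(assess "$tmp/config-pax" "$tmp/ptc")"
    rm -rf "$tmp"
}

demo
```

On a live box, `assess /boot/config-$(uname -r) /proc/sys/vm/pagetable_cache` gives the current state; "mitigated" only means the obvious exploit vector is closed, which, as the advisory says, does not remove the need to install the patched release.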
Uh oh....