[Bug 1031301] Re: Exploit for unpatched CVE reported in wild.

Marc Deslauriers marc.deslauriers at canonical.com
Fri Aug 3 13:46:39 UTC 2012 

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3404

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3405

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3406

** Also affects: glibc (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: eglibc (Ubuntu)
       Status: New => Confirmed

** Changed in: glibc (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1031301

Title:
  Exploit for unpatched CVE reported in wild.

Status in “eglibc” package in Ubuntu:
  Confirmed
Status in “glibc” package in Ubuntu:
  Confirmed

Bug description:
  CVEs are as follows:

  CVE-2012-3404
  CVE-2012-3405
  CVE-2012-3406

  lsb_release -rd
  Description:	Ubuntu 10.04.3 LTS
  Release:	10.04

  Package: libc6 (2.11.1-0ubuntu7.10)

  Details of the bugs are here upstream:

  http://www.openwall.com/lists/oss-security/2012/07/11/17

  We received reports from a colleague at another University that they
  have suffered a root compromise as a result of one of these CVEs,
  which I notice do not appear to be fixed yet in Ubuntu. They are
  running Scientific Linux 6 rather than Ubuntu, so can't be directly
  compared

  Debian appear to have fixes out for 2 of the 3 CVEs
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681473

  They considered the security risk low, but I have reports of exploits
  in the wild.

  The details I have so far from my colleague are as follows:

  
  09:49 < DaveAG> Was it RHSA-2012:1098-1 you reckon bit you?
  09:49 < colleague> erm, one of CVE-2012-3404, CVE-2012-3405, CVE-2012-3406
  09:49 < colleague> I don't have an RHSA number to hand since this is SL
  09:50 < DaveAG> Yeah, that RHSA lists those 3 CVEs
  09:51 < colleague> Announced on the 18th July, we got done on 26th, that's scarily quick
  09:52 < colleague> There must be an exploit specifically related to use of /bin/mount
  09:53 < colleague> Lovely that with auditd running we immediately were able to spot which suid had been used to get root
  09:53 < colleague> and the lack of command line arguments to the command meant it had to be done using the environment to change the way the output was formatted
  09:57 < colleague> oh, and blocking the loading of kernel modules helped a lot
  09:57 < colleague> It forced the attacker into trying something much more difficult which crashed the kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1031301/+subscriptions

More information about the foundations-bugs mailing list