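How to patch and protect against the Linux kernel Stack Clash vulnerability CVE-2017-1000364
Qualys Research Labs discovered various problems in the dynamic linker of the GNU C Library (CVE-2017-1000366) that allow local privilege escalation by clashing the stack with the Linux kernel. This bug affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris on i386 and amd64. An attacker can exploit it to corrupt memory and execute arbitrary code.
What is the CVE-2017-1000364 bug?
A flaw was found in the way memory is allocated on the stack for user-space binaries. If the heap (or a different memory region) and the stack memory region are adjacent to each other, an attacker can use this flaw to jump over the stack guard gap, cause controlled memory corruption on the process stack or the adjacent memory region, and thus increase their privileges on the system. There is a mitigation in the kernel that increases the stack guard gap size from one page to 1 MiB, which makes successful exploitation of this issue difficult.
Every program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around.
Affected Linux distributions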
- Red Hat Enterprise Linux Server 5.x
- Red Hat Enterprise Linux Server 6.x
- Red Hat Enterprise Linux Server 7.x
- CentOS Linux Server 5.x
- CentOS Linux Server 6.x
- CentOS Linux Server 7.x
- Oracle Enterprise Linux Server 5.x
- Oracle Enterprise Linux Server 6.x
- Oracle Enterprise Linux Server 7.x
- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 12.04 ESM (Precise Pangolin)
- Debian 9 stretch
- Debian 8 jessie
- Debian 7 wheezy
- Debian unstable
- SUSE Linux Enterprise Desktop 12 SP2
- SUSE Linux Enterprise High Availability 12 SP2
- SUSE Linux Enterprise Live Patching 12
- SUSE Linux Enterprise Module for Public Cloud 12
- SUSE Linux Enterprise Build System Kit 12 SP2
- SUSE Openstack Cloud Magnum Orchestration 7
- SUSE Linux Enterprise Server 11 SP3-LTSS
- SUSE Linux Enterprise Server 11 SP4
- SUSE Linux Enterprise Server 12 SP1-LTSS
- SUSE Linux Enterprise Server 12 SP2
- SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
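Do I need to reboot my computer?
Yes, because most services depend on the dynamic linker of the GNU C Library, and the kernel itself needs to be reloaded in memory.
How do I fix CVE-2017-1000364 on Linux?
Type the commands for your Linux distribution. You need to reboot the computer. Before applying the patch, note down your current kernel version: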
$ uname -a
$ uname -mrs
Sample output:
Linux 4.4.0-78-generic x86_64
Debian or Ubuntu Linux
Type the following apt command / apt-get command to apply the updates:
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
Sample output:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386 linux-compiler-gcc-6-x86 linux-headers-4.9.0-3-amd64 linux-headers-4.9.0-3-common linux-image-4.9.0-3-amd64
linux-kbuild-4.9 linux-libc-dev locales multiarch-support
14 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/62.0 MB of archives.
After this operation, 4,096 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../libc6-i386_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6-i386 (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libc6-dev_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6-dev:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libc-dev-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-dev-bin (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../linux-libc-dev_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-libc-dev:amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc6:amd64 (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc-bin (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
Setting up multiarch-support (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../0-libc-l10n_2.24-11+deb9u1_all.deb ...
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../1-locales_2.24-11+deb9u1_all.deb ...
Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../2-linux-compiler-gcc-6-x86_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../3-linux-headers-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../4-linux-headers-4.9.0-3-common_4.9.30-2+deb9u1_all.deb ...
Unpacking linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../5-linux-kbuild-4.9_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-kbuild-4.9 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../6-linux-image-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Setting up linux-libc-dev:amd64 (4.9.30-2+deb9u1) ...
Setting up linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) ...
Setting up libc6-i386 (2.24-11+deb9u1) ...
Setting up linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) ...
Setting up linux-kbuild-4.9 (4.9.30-2+deb9u1) ...
Setting up libc-l10n (2.24-11+deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libc-dev-bin (2.24-11+deb9u1) ...
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
cryptsetup: WARNING: failed to detect canonical device of /dev/md0
cryptsetup: WARNING: could not determine root device from /etc/fstab
W: initramfs-tools configuration sets RESUME=UUID=054b217a-306b-4c18-b0bf-0ed85af6c6e1
W: but no matching swap device is available.
I: The initramfs will attempt to resume from /dev/md1p1
I: (UUID=bf72f3d4-3be4-4f68-8aae-4edfe5431670)
I: Set the RESUME variable to override this.
/etc/kernel/postinst.d/zz-update-grub:
Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-4.9.0-3-amd64
Found kernel: /boot/vmlinuz-3.16.0-4-amd64
Updating /boot/grub/menu.lst ... done
Setting up libc6-dev:amd64 (2.24-11+deb9u1) ...
Setting up locales (2.24-11+deb9u1) ...
Generating locales (this might take a while)...
en_IN.UTF-8... done
Generation complete.
Setting up linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Reboot the desktop/server with the reboot command:
$ sudo reboot
Oracle/RHEL/CentOS/Scientific Linux
Type the following yum command:
$ sudo yum update
$ sudo reboot
Fedora Linux
Type the following dnf command:
$ sudo dnf update
$ sudo reboot
Suse Enterprise Linux or Opensuse Linux
Type the following zypper command:
$ sudo zypper patch
$ sudo reboot
SUSE OpenStack Cloud 6
$ sudo zypper in -t patch SUSE-OpenStack-Cloud-6-2017-996=1
$ sudo reboot
SUSE Linux Enterprise Server for SAP 12-SP1
$ sudo zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-996=1
$ sudo reboot
SUSE Linux Enterprise Server 12-SP1-LTSS
$ sudo zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-996=1
$ sudo reboot
SUSE Linux Enterprise Module for Public Cloud 12
$ sudo zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-996=1
$ sudo reboot
Verification
You need to confirm that your version number changed after the reboot command.
$ uname -a
$ uname -r
$ uname -mrs
Sample output:
Linux 4.4.0-81-generic x86_64
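The script below is an added example, not part of the original article. It covers two things the reboot and verification steps rely on: finding processes that still map the replaced glibc or dynamic linker, and confirming the running kernel build on Debian, where the Debian sample output above upgrades linux-image-4.9.0-3-amd64 in place so `uname -r` does not change. The function names and the sample maps lines are constructed for illustration, and the `uname -v` format is an assumption about Debian kernels.

```shell
#!/bin/sh
# Added example (not from the original article): two post-update checks.

# Print each distinct libc / ld.so path that appears in /proc/<pid>/maps
# text (stdin) with the "(deleted)" suffix: the file was replaced on disk,
# so the process is still running the pre-update copy.
stale_glibc_maps() {
    awk '$NF == "(deleted)" {
        n = split($6, part, "/")
        if (part[n] ~ /^(libc|ld)[-.]/ && !($6 in seen)) { seen[$6] = 1; print $6 }
    }'
}

# Apply the check to every process whose maps file we may read (run as root).
scan_host() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        hits=$(stale_glibc_maps 2>/dev/null < "$m") || continue
        [ -n "$hits" ] && printf 'pid %s: %s\n' "$pid" "$hits"
    done
    return 0
}

# Debian keeps the same `uname -r` (4.9.0-3-amd64) across this update, so
# compare the build string from `uname -v` with the installed package version.
# Assumption: Debian's `uname -v` embeds the linux-image package version.
running_build_matches() {   # $1 = `uname -v` output, $2 = package version
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample: maps lines of a daemon started before the upgrade.
SAMPLE_MAPS='7f3a1c000000-7f3a1c195000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.24.so (deleted)
7f3a1c195000-7f3a1c395000 ---p 00195000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.24.so (deleted)
7f3a1c600000-7f3a1c623000 r-xp 00000000 08:01 1307 /lib/x86_64-linux-gnu/ld-2.24.so (deleted)
7f3a1c900000-7f3a1c926000 r-xp 00000000 08:01 2200 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]'

if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it with `--scan` as root before rebooting to see which processes would stay on the old library if you only restarted some services. On Debian, call `running_build_matches "$(uname -v)" "$(dpkg-query -W -f='${Version}' "linux-image-$(uname -r)")"` after the reboot.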
A note for OpenBSD users
See this page for more information.
A note for Oracle Solaris
See this page for more information.
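About the author:
Vivek Gite
The author is the creator of nixCraft and a seasoned system administrator and trainer for the Linux operating system and Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.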
via: https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
Author: Vivek Gite. Translator: geekpi. Proofreader: wxy
This article is reposted from Linux China: https://github.com/Linux-CN/archive