Hi,<br><br>Glasgow has followed the appropriate steps outlined below.<br>Affected protocols have been blacklisted and nodes with protocols loaded by default have been rebooted. <br>[bluetooth appeared to be on for the SL5 machines]<br>
<br>Regards,<br><br>Dug<br><br><div class="gmail_quote">2009/8/14 Ewan MacMahon <span dir="ltr">&lt;<a href="mailto:[log in to unmask]"><a href="/cgi-bin/wa-jisc.exe?LOGON=A3%3Dind0908%26L%3DTB-SUPPORT%26E%3Dquoted-printable%26P%3D331088%26B%3D--0003255544ea2b5d9204711c341f%26T%3Dtext%252Fhtml%3B%2520charset%3DISO-8859-1%26pending%3D" target="_parent" >[log in to unmask]</a></a>&gt;</span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">&gt; -----Original Message-----<br>
&gt; From: Testbed Support for GridPP member institutes [mailto:<a href="mailto:TB-">TB-</a><br>
&gt;<br>
</div><div class="im">&gt; The RedHat bug report for this:<br>
&gt;  <a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2692" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2692</a><br>
&gt; has a workaround that looks suitable for deployment to a running<br>
&gt; system; it essentially consists of disabling the loading of the<br>
vulnerable<br>
&gt; kernel modules, which should, I think, be harmless, but I&#39;ve not tried<br>
it as<br>
&gt; yet.<br>
&gt;<br>
</div>And now I have. Disabling the loading of pppox and bluetooth modules as<br>
per the bugzilla entry does seem to stop the canned exploit from<br>
working,<br>
though I note that SL does seem to have the sctp module present as well.<br>
While the exploit seem not to auto load it, if you load it manually<br>
(which<br>
does, of course, require root access) and then run the exploit code from<br>
<br>
an unprivileged account it does then work and get root. I&#39;m not sure if<br>
there&#39;s a good in-principle reason that sctp.ko can&#39;t be loaded<br>
automatically, or whether it&#39;s just a bug in this particular exploit,<br>
but<br>
since the same RH bugzilla suggests blocking it on RH MRG systems it<br>
seems<br>
prudent to block it on SL too.<br>
<br>
I&#39;d therefore suggest adding:<br>
<br>
install pppox /bin/true<br>
install bluetooth /bin/true<br>
install sctp /bin/true<br>
<br>
to /etc/modprobe.conf. This all assumes that you don&#39;t already have any<br>
of<br>
those modules loaded (and if you do, you might want to find out why).<br>
I&#39;ve<br>
cfengine-d this across all of our machines.<br>
<font color="#888888"><br>
Ewan<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>ScotGrid, Room 481, Kelvin Building, University of Glasgow<br>tel: +44(0)141 330 6439<br>