mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-29 21:41:00 +08:00
297 lines
12 KiB
Markdown
297 lines
12 KiB
Markdown
如何修补和保护 Linux 内核堆栈冲突漏洞 CVE-2017-1000364
|
||
============================================================
|
||
|
||
在 Linux 内核中发现了一个名为 “Stack Clash” 的严重安全问题,攻击者能够利用它来破坏内存数据并执行任意代码。攻击者可以利用这个及另一个漏洞来执行任意代码并获得管理帐户(root)权限。
|
||
|
||
在 Linux 中该如何解决这个问题?
|
||
|
||
[![the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris](https://www.cyberciti.biz/media/new/faq/2017/06/the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris.jpeg)][22]
|
||
|
||
Qualys 研究实验室在 GNU C Library(CVE-2017-1000366)的动态链接器中发现了许多问题,它们通过与 Linux 内核内的堆栈冲突来允许本地特权升级。这个 bug 影响到了 i386 和 amd64 上的 Linux、OpenBSD、NetBSD、FreeBSD 和 Solaris。攻击者可以利用它来破坏内存数据并执行任意代码。
|
||
|
||
### 什么是 CVE-2017-1000364 bug?
|
||
|
||
[来自 RHN][13]:
|
||
|
||
> 在用户空间二进制文件的堆栈中分配内存的方式发现了一个缺陷。如果堆(或不同的内存区域)和堆栈内存区域彼此相邻,则攻击者可以使用此缺陷跳过堆栈保护区域,从而导致进程堆栈或相邻内存区域的受控内存损坏,从而增加其系统权限。有一个在内核中减轻这个漏洞的方法,将堆栈保护区域大小从一页增加到 1 MiB,从而使成功利用这个功能变得困难。
|
||
|
||
[据原研究文章][14]:
|
||
|
||
> 计算机上运行的每个程序都使用一个称为堆栈的特殊内存区域。这个内存区域是特别的,因为当程序需要更多的堆栈内存时,它会自动增长。但是,如果它增长太多,并且与另一个内存区域太接近,程序可能会将堆栈与其他内存区域混淆。攻击者可以利用这种混乱来覆盖其他内存区域的堆栈,或者反过来。
|
||
|
||
### 受到影响的 Linux 发行版
|
||
|
||
1. Red Hat Enterprise Linux Server 5.x
|
||
2. Red Hat Enterprise Linux Server 6.x
|
||
3. Red Hat Enterprise Linux Server 7.x
|
||
4. CentOS Linux Server 5.x
|
||
5. CentOS Linux Server 6.x
|
||
6. CentOS Linux Server 7.x
|
||
7. Oracle Enterprise Linux Server 5.x
|
||
8. Oracle Enterprise Linux Server 6.x
|
||
9. Oracle Enterprise Linux Server 7.x
|
||
10. Ubuntu 17.10
|
||
11. Ubuntu 17.04
|
||
12. Ubuntu 16.10
|
||
13. Ubuntu 16.04 LTS
|
||
14. Ubuntu 12.04 ESM (Precise Pangolin)
|
||
15. Debian 9 stretch
|
||
16. Debian 8 jessie
|
||
17. Debian 7 wheezy
|
||
18. Debian unstable
|
||
19. SUSE Linux Enterprise Desktop 12 SP2
|
||
20. SUSE Linux Enterprise High Availability 12 SP2
|
||
21. SUSE Linux Enterprise Live Patching 12
|
||
22. SUSE Linux Enterprise Module for Public Cloud 12
|
||
23. SUSE Linux Enterprise Build System Kit 12 SP2
|
||
24. SUSE Openstack Cloud Magnum Orchestration 7
|
||
25. SUSE Linux Enterprise Server 11 SP3-LTSS
|
||
26. SUSE Linux Enterprise Server 11 SP4
|
||
27. SUSE Linux Enterprise Server 12 SP1-LTSS
|
||
28. SUSE Linux Enterprise Server 12 SP2
|
||
29. SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
|
||
|
||
### 我需要重启我的电脑么?
|
||
|
||
是的,由于大多数服务依赖于 GNU C Library 的动态连接器,并且内核自身需要在内存中重新加载。
|
||
|
||
### 我该如何在 Linux 中修复 CVE-2017-1000364?
|
||
|
||
根据你的 Linux 发行版来输入命令。你需要重启电脑。在应用补丁之前,记下你当前内核的版本:
|
||
|
||
```
|
||
$ uname -a
|
||
$ uname -mrs
|
||
```
|
||
|
||
示例输出:
|
||
|
||
```
|
||
Linux 4.4.0-78-generic x86_64
|
||
```
|
||
|
||
### Debian 或者 Ubuntu Linux
|
||
|
||
输入下面的 [apt 命令][15] / [apt-get 命令][16]来应用更新:
|
||
|
||
```
|
||
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
|
||
```
|
||
|
||
示例输出:
|
||
|
||
```
|
||
Reading package lists... Done
|
||
Building dependency tree
|
||
Reading state information... Done
|
||
Calculating upgrade... Done
|
||
The following packages will be upgraded:
|
||
libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386 linux-compiler-gcc-6-x86 linux-headers-4.9.0-3-amd64 linux-headers-4.9.0-3-common linux-image-4.9.0-3-amd64
|
||
linux-kbuild-4.9 linux-libc-dev locales multiarch-support
|
||
14 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
|
||
Need to get 0 B/62.0 MB of archives.
|
||
After this operation, 4,096 B of additional disk space will be used.
|
||
Do you want to continue? [Y/n] y
|
||
Reading changelogs... Done
|
||
Preconfiguring packages ...
|
||
(Reading database ... 115123 files and directories currently installed.)
|
||
Preparing to unpack .../libc6-i386_2.24-11+deb9u1_amd64.deb ...
|
||
Unpacking libc6-i386 (2.24-11+deb9u1) over (2.24-11) ...
|
||
Preparing to unpack .../libc6-dev_2.24-11+deb9u1_amd64.deb ...
|
||
Unpacking libc6-dev:amd64 (2.24-11+deb9u1) over (2.24-11) ...
|
||
Preparing to unpack .../libc-dev-bin_2.24-11+deb9u1_amd64.deb ...
|
||
Unpacking libc-dev-bin (2.24-11+deb9u1) over (2.24-11) ...
|
||
Preparing to unpack .../linux-libc-dev_4.9.30-2+deb9u1_amd64.deb ...
|
||
Unpacking linux-libc-dev:amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
|
||
Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
|
||
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
|
||
Setting up libc6:amd64 (2.24-11+deb9u1) ...
|
||
(Reading database ... 115123 files and directories currently installed.)
|
||
Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
|
||
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
|
||
Setting up libc-bin (2.24-11+deb9u1) ...
|
||
(Reading database ... 115123 files and directories currently installed.)
|
||
Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
|
||
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
|
||
Setting up multiarch-support (2.24-11+deb9u1) ...
|
||
(Reading database ... 115123 files and directories currently installed.)
|
||
Preparing to unpack .../0-libc-l10n_2.24-11+deb9u1_all.deb ...
|
||
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
|
||
Preparing to unpack .../1-locales_2.24-11+deb9u1_all.deb ...
|
||
Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
|
||
Preparing to unpack .../2-linux-compiler-gcc-6-x86_4.9.30-2+deb9u1_amd64.deb ...
|
||
Unpacking linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) over (4.9.30-2) ...
|
||
Preparing to unpack .../3-linux-headers-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
|
||
Unpacking linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
|
||
Preparing to unpack .../4-linux-headers-4.9.0-3-common_4.9.30-2+deb9u1_all.deb ...
|
||
Unpacking linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) over (4.9.30-2) ...
|
||
Preparing to unpack .../5-linux-kbuild-4.9_4.9.30-2+deb9u1_amd64.deb ...
|
||
Unpacking linux-kbuild-4.9 (4.9.30-2+deb9u1) over (4.9.30-2) ...
|
||
Preparing to unpack .../6-linux-image-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
|
||
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
|
||
Setting up linux-libc-dev:amd64 (4.9.30-2+deb9u1) ...
|
||
Setting up linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) ...
|
||
Setting up libc6-i386 (2.24-11+deb9u1) ...
|
||
Setting up linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) ...
|
||
Setting up linux-kbuild-4.9 (4.9.30-2+deb9u1) ...
|
||
Setting up libc-l10n (2.24-11+deb9u1) ...
|
||
Processing triggers for man-db (2.7.6.1-2) ...
|
||
Setting up libc-dev-bin (2.24-11+deb9u1) ...
|
||
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
|
||
/etc/kernel/postinst.d/initramfs-tools:
|
||
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
|
||
cryptsetup: WARNING: failed to detect canonical device of /dev/md0
|
||
cryptsetup: WARNING: could not determine root device from /etc/fstab
|
||
W: initramfs-tools configuration sets RESUME=UUID=054b217a-306b-4c18-b0bf-0ed85af6c6e1
|
||
W: but no matching swap device is available.
|
||
I: The initramfs will attempt to resume from /dev/md1p1
|
||
I: (UUID=bf72f3d4-3be4-4f68-8aae-4edfe5431670)
|
||
I: Set the RESUME variable to override this.
|
||
/etc/kernel/postinst.d/zz-update-grub:
|
||
Searching for GRUB installation directory ... found: /boot/grub
|
||
Searching for default file ... found: /boot/grub/default
|
||
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
|
||
Searching for splash image ... none found, skipping ...
|
||
Found kernel: /boot/vmlinuz-4.9.0-3-amd64
|
||
Found kernel: /boot/vmlinuz-3.16.0-4-amd64
|
||
Updating /boot/grub/menu.lst ... done
|
||
|
||
Setting up libc6-dev:amd64 (2.24-11+deb9u1) ...
|
||
Setting up locales (2.24-11+deb9u1) ...
|
||
Generating locales (this might take a while)...
|
||
en_IN.UTF-8... done
|
||
Generation complete.
|
||
Setting up linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
|
||
Processing triggers for libc-bin (2.24-11+deb9u1) ...
|
||
```
|
||
|
||
使用 [reboot 命令][17]重启桌面/服务器:
|
||
|
||
```
|
||
$ sudo reboot
|
||
```
|
||
|
||
### Oracle/RHEL/CentOS/Scientific Linux
|
||
|
||
输入下面的 [yum 命令][18]:
|
||
|
||
```
|
||
$ sudo yum update
|
||
$ sudo reboot
|
||
```
|
||
|
||
### Fedora Linux
|
||
|
||
输入下面的 dnf 命令:
|
||
|
||
```
|
||
$ sudo dnf update
|
||
$ sudo reboot
|
||
```
|
||
|
||
### Suse Enterprise Linux 或者 Opensuse Linux
|
||
|
||
输入下面的 zypper 命令:
|
||
|
||
```
|
||
$ sudo zypper patch
|
||
$ sudo reboot
|
||
```
|
||
|
||
### SUSE OpenStack Cloud 6
|
||
|
||
```
|
||
$ sudo zypper in -t patch SUSE-OpenStack-Cloud-6-2017-996=1
|
||
$ sudo reboot
|
||
```
|
||
|
||
### SUSE Linux Enterprise Server for SAP 12-SP1
|
||
|
||
```
|
||
$ sudo zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-996=1
|
||
$ sudo reboot
|
||
```
|
||
|
||
### SUSE Linux Enterprise Server 12-SP1-LTSS
|
||
|
||
```
|
||
$ sudo zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-996=1
|
||
$ sudo reboot
|
||
```
|
||
|
||
### SUSE Linux Enterprise Module for Public Cloud 12
|
||
|
||
```
|
||
$ sudo zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-996=1
|
||
$ sudo reboot
|
||
```
|
||
|
||
### 验证
|
||
|
||
你需要确认你的版本号在 [reboot 命令][19]之后改变了。
|
||
|
||
```
|
||
$ uname -a
|
||
$ uname -r
|
||
$ uname -mrs
|
||
```
|
||
|
||
示例输出:
|
||
|
||
```
|
||
Linux 4.4.0-81-generic x86_64
|
||
```
|
||
|
||
### 给 OpenBSD 用户的注意事项
|
||
|
||
见[此页][20]获取更多信息。
|
||
|
||
### 给 Oracle Solaris 的注意事项
|
||
|
||
[见此页][20]获取更多信息。
|
||
|
||
### 参考
|
||
|
||
* [堆栈冲突][4]
|
||
|
||
--------------------------------------------------------------------------------
|
||
作者简介:
|
||
|
||
Vivek Gite
|
||
|
||
作者是 nixCraft 的创始人,对于 Linux 操作系统/Unix shell脚本有经验丰富的系统管理员和培训师。他曾与全球客户及各行各业,包括 IT、教育、国防和空间研究以及非营利部门合作。在 [Twitter][1]、[Facebook] [2]、[Google +] [3] 上关注他。
|
||
|
||
--------------------------------------------------------------------------------
|
||
|
||
via: https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
|
||
|
||
作者:[Vivek Gite][a]
|
||
译者:[geekpi](https://github.com/geekpi)
|
||
校对:[wxy](https://github.com/wxy)
|
||
|
||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||
|
||
[a]:https://plus.google.com/+CybercitiBiz
|
||
[1]:https://twitter.com/nixcraft
|
||
[2]:https://facebook.com/nixcraft
|
||
[3]:https://plus.google.com/+CybercitiBiz
|
||
[4]:https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
|
||
[5]:https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
|
||
[6]:https://www.cyberciti.biz/faq/category/centos/
|
||
[7]:https://www.cyberciti.biz/faq/category/debian-ubuntu/
|
||
[8]:https://www.cyberciti.biz/faq/category/linux/
|
||
[9]:https://www.cyberciti.biz/faq/category/redhat-and-friends/
|
||
[10]:https://www.cyberciti.biz/faq/category/security/
|
||
[11]:https://www.cyberciti.biz/faq/category/suse/
|
||
[12]:https://www.cyberciti.biz/faq/category/linux/
|
||
[13]:https://access.redhat.com/security/cve/cve-2017-1000364
|
||
[14]:https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
|
||
[15]:https://www.cyberciti.biz/faq/ubuntu-lts-debian-linux-apt-command-examples/
|
||
[16]:https://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html
|
||
[17]:https://www.cyberciti.biz/faq/linux-reboot-command/
|
||
[18]:https://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/
|
||
[19]:https://www.cyberciti.biz/faq/linux-reboot-command/
|
||
[20]:https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
|
||
[21]:http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
|
||
[22]:https://www.cyberciti.biz/media/new/faq/2017/06/the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris.jpeg
|