[Beowulf] Heads up - Stack-Clash local root vulnerability

Christopher Samuel samuel at unimelb.edu.au
Wed Jun 21 16:57:21 PDT 2017


On 22/06/17 01:55, Kilian Cavalotti wrote:

> Thanks for starting the discussion here.

Pleasure!

> We're pretty much in the same boat (no changes made yet), as:
> 1. we're still running some RHEL 6.x based clusters, with x < 9,
> meaning no patches for either the kernel or glibc,

Ah yes, that's an interesting situation.  We're on RHEL 6.9 for our
systems currently and I plan to upgrade a test cluster and see if
anything I know how to run breaks.

> 2. those kernel+glibc patches seem to just be "mitigations" and don't
> solve the underlying problem anyway
> (cf. https://access.redhat.com/security/vulnerabilities/stackguard#magicdomid15)

Unfortunately I think you have to rely on those mitigations as an
attacker with local access could just bring on a statically linked
executable and you're hosed.

> Oh, and containers...

Yes, a double-edged sword, lots more vulnerable software that will never
get an update.. :-/

cheers,
Chris
-- 
 Christopher Samuel        Senior Systems Administrator
 Melbourne Bioinformatics - The University of Melbourne
 Email: samuel at unimelb.edu.au Phone: +61 (0)3 903 55545


