TPS-2016-003 ZDI-CAN-3263, ZDI-CAN-3284 and ZDI-CAN-3364 Vulnerabilities

Overview

Please read this first

Through HP’s Zero Day Initiative, we have previously been made aware of the three security issues described in this Overview:

  • These vulnerabilities have already been fixed throughout the Joyent Public Cloud.
  • On-premises Triton (SDC7) software customers can mitigate all of these issues by following the (previously-provided) instructions referenced in the Recommendations/Fixes section below.
  • These three vulnerabilities will be announced on Tuesday, 16-February-2016 at Zero Day’s “Upcoming Advisories”.

Two Illumos vulnerabilities

These are two security issues with illumos that, used together and in the hands of a determined attacker, constitute a serious vulnerability for SmartOS-based systems:

  • ZDI-CAN-3263
  • ZDI-CAN-3284

Both of these issues are related to DTrace: one leverages an information leak in the copyout() action, and the other kernel data corruption that can be induced with malicious DIF.

Both issues are impossible to induce for/by those that don’t have DTrace privileges – meaning that many other systems that have DTrace are not actually at risk because they do not expose DTrace to non-privileged users.
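Because exposure to these two issues hinges on whether a process can obtain DTrace privileges, a quick triage is to inspect the privilege sets `ppriv -v <pid>` reports for a non-root process in a zone. The following is an added example (not part of this advisory, and not Joyent tooling) that parses that output and flags the dtrace_kernel, dtrace_proc and dtrace_user privileges; the sample `ppriv` text is constructed for illustration.

```python
import re

# Privileges that grant access to DTrace providers on illumos/SmartOS.
DTRACE_PRIVS = {"dtrace_kernel", "dtrace_proc", "dtrace_user"}

def parse_ppriv(output):
    """Parse `ppriv -v <pid>` text into {set_letter: privilege set} for E, I, P, L.
    The keyword 'all' is expanded to cover every DTrace privilege."""
    sets = {}
    for line in output.splitlines():
        m = re.match(r"\s*([EIPL]):\s*(.*)$", line)
        if not m:
            continue
        names = {n.strip() for n in m.group(2).split(",") if n.strip()}
        if "all" in names:
            names |= DTRACE_PRIVS
        sets[m.group(1)] = names
    return sets

def dtrace_privs_by_set(output):
    """Which DTrace privileges each set holds, e.g. {'E': [], 'L': ['dtrace_proc', 'dtrace_user']}."""
    return {s: sorted(DTRACE_PRIVS & privs) for s, privs in parse_ppriv(output).items()}

def can_use_dtrace(output):
    """True when the process holds a DTrace privilege in its effective or permitted set,
    i.e. it belongs to the population the two illumos issues apply to. A privilege that
    appears only in the limit set (L) is not usable by this process itself."""
    sets = parse_ppriv(output)
    return bool(DTRACE_PRIVS & (sets.get("E", set()) | sets.get("P", set())))

# Constructed sample in the layout of `ppriv -v` for an unprivileged shell in a zone.
SAMPLE_UNPRIVILEGED = """\
4242:   /usr/bin/bash
flags = <none>
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        L: contract_event,contract_observer,dtrace_proc,dtrace_user,file_chown,proc_setid
"""

# Constructed sample for a shell that has been granted dtrace_proc and dtrace_user.
SAMPLE_DTRACE = SAMPLE_UNPRIVILEGED.replace(
    "E: file_link_any,", "E: dtrace_proc,dtrace_user,file_link_any,").replace(
    "P: file_link_any,", "P: dtrace_proc,dtrace_user,file_link_any,")

if __name__ == "__main__":
    for name, text in (("unprivileged", SAMPLE_UNPRIVILEGED), ("dtrace-enabled", SAMPLE_DTRACE)):
        print(name, can_use_dtrace(text), dtrace_privs_by_set(text))
```

On a live system, feed the function the output of `ppriv -v` for the processes of interest; a zone whose unprivileged users show no DTrace privileges in E or P is outside the population these two issues affect.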

A Linux vulnerability

We were also made aware of the following previously-uncovered Linux vulnerability, which can be exploited in a Linux-branded zone with ptrace:

We have rectified this issue by tightening up the handling of faults associated with the Stack Segment (SS) segment register, which prevents local users from gaining privileges by triggering an IRET instruction to access a GS Base address.

Recommendations/Fixes

On-premises Triton (formerly SDC7) customers

Individual notifications were sent to each customer’s main contact email address beginning 5-October-2015, with the last of two subsequent updates to those tickets being sent on 8-December-2015. The most recent subject line (on 8-Dec) in your main contact’s email inbox reads as follows:

[NEW UPDATE] Security Advisory: Illumos-related vulnerability for SmartOS systems

If you have not already done so, please act on the above-referenced instructions for mitigating all of these vulnerabilities (at your earliest opportunity).

If you require further clarification regarding mitigation instructions (or would like to receive another copy), please contact Joyent Support by submitting a request at the support portal or by emailing support@joyent.com.

Joyent Public Cloud (JPC) customers

The fixes for all of these vulnerabilities have already been applied cloud-wide, during the last part of 2015. No further action is necessary.

Further advice

As before, please rest assured that Joyent’s HTTPS endpoints for Manta, CloudAPI and our customer portal are not vulnerable.

Joyent customers who are using third-party operating systems are advised to contact their respective service providers for further information and instructions.