
Is UTM 9 affected by CVE-2016-10229?

CVE-2016-10229 is a remotely executable Linux kernel vulnerability. I would like to know if UTM 9 is vulnerable (evidently some kernel configurations aren't as RHEL 7 isn't), and if so, when should we see an update remedying this?

  • Hi,

    have you asked your reseller? Is your UTM open to access from the internet?

  • Sean, if you have "Any" or "Internet" in 'Allowed Networks' for 'Shell Access', you will want to change that.  There should only be specific IPs that you control in that box.  I would also add a DNS Group for Sophos Support unless you're already on 9.411.  My clients also have my IPs and the "(User Network)" object for my user, allowing me to remote into their UTM to provide support.  Whether the stripped-down Linux on the UTM is vulnerable to this exploit should be a moot point.

    Cheers - Bob

  • As far as I know, UTM is still based on SLES. Here is their advisory; kernel 3.12.53 and above seems to be fixed: https://www.suse.com/security/cve/CVE-2016-10229/

    On my 9.411 install my kernel version is 3.12.58-0.247785862.g17c1041.rb7-smp64

  • BAlfson said:

    Sean, if you have "Any" or "Internet" in 'Allowed Networks' for 'Shell Access', you will want to change that.  There should only be specific IPs that you control in that box.  I would also add a DNS Group for Sophos Support unless you're already on 9.411.  My clients also have my IPs and the "(User Network)" object for my user, allowing me to remote into their UTM to provide support.  Whether the stripped-down Linux on the UTM is vulnerable to this exploit should be a moot point.

    Cheers - Bob

    Sorry, but your response is meaningless. This vulnerability has nothing to do with shell access, and everything to do with the Linux kernel IP stack. So, being a firewall/router whose purpose is to protect/service my network and its connection to the Internet, which is IP based, having an IP stack is necessary. As referenced in my OP, this vulnerability is exploited by specially crafted UDP packets which result in code execution:
    udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.

  • Interesting, I see that now.  Fortunately, Billybob has addressed this.

    Cheers - Bob

  • While UTM is based on SLES, the kernel is custom, I believe, i.e., Sophos builds and maintains their own kernel with its own unique build features and tweaks. So, whether or not SLES is vulnerable isn't pertinent.

    I can obtain the kernel build options from /boot; however, it isn't clear from that whether or not udp.c is patched to remove this vulnerability, as it is definitely present in the kernel upstream from SUSE upon which 3.12.58 is based. So, just because the kernel version on UTM 9.441 states the kernel version is > 3.12.53 doesn't mean it is definitely free of this vulnerability. I would hope Sophos would put out info as to the status of UTM vs CVE-2016-10229, especially as a remote code execution vulnerability in the kernel is a big deal.
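As an added example (not code from the thread, Sophos or SUSE), a small Python helper that parses a `uname -r` string like the one posted above and applies the two version thresholds the thread cites: the upstream fix in 4.5 from the CVE text and the SUSE advisory's 3.12.53 for the SLES 3.12 series. The verdict labels and the treatment of vendor suffixes are my own assumptions; as the post says, a version number alone cannot show whether a derived kernel such as UTM's carries the backport, so the helper only flags that confirmation is needed.

```python
import re
from typing import Tuple

# Thresholds taken from the thread: CVE text says upstream udp.c is fixed
# from 4.5; the SUSE advisory says SLES 3.12.53 and above is fixed.
UPSTREAM_FIXED = (4, 5, 0)
SUSE_312_FIXED = (3, 12, 53)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """(major, minor, patch) from a release string such as
    '3.12.58-0.247785862.g17c1041.rb7-smp64'; the vendor suffix is ignored."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vendor_build(release: str) -> bool:
    """Anything after the numeric version (e.g. '.g17c1041.rb7-smp64')
    marks a distribution/vendor build whose backports the number cannot reveal."""
    m = VERSION_RE.match(release.strip())
    return bool(m) and release.strip()[m.end():] != ""


def assess_cve_2016_10229(release: str) -> dict:
    """Classify a kernel release against the thresholds above.
    Verdict labels are assumed names, not from any advisory."""
    v = parse_kernel_version(release)
    vendor = is_vendor_build(release)
    if v >= UPSTREAM_FIXED:
        verdict = "fixed-upstream"
    elif vendor and v[:2] == (3, 12) and v >= SUSE_312_FIXED:
        # Matches the SUSE advisory, but a derived kernel (UTM) may differ.
        verdict = "fixed-per-suse-advisory"
    elif vendor:
        verdict = "unknown-vendor-backport"
    else:
        # Generic upstream kernel below 4.5, as the thread notes for 3.12.53.
        verdict = "vulnerable-upstream"
    return {"version": v, "vendor_build": vendor, "verdict": verdict,
            "needs_vendor_confirmation": vendor and verdict != "fixed-upstream"}
```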

  • You are absolutely correct that only Sophos can confirm/deny if the vulnerability exists in their kernel. However, I am not sure what you mean by the vulnerability being definitely present in 3.12.58 when they patched it in 3.12.53. As 3.12.58 is only supported because of SLES, it seems highly unlikely that they would introduce the vulnerability back into the kernel. https://www.linux.com/news/linux-kernel-312-be-supported-until-2017-because-suse-linux-enterprise-12

  • I'd have to agree with Billybob, but why not open a ticket with Sophos Support and report their answer here?

    It's not so much that they build their own kernel.  According to what I've been told over the years, they strip a lot of stuff out of what they get from SUSE and run what's left through a lot of tests.  Then, when SUSE fixes something and issues a new release, the developers usually fix the version that they've vetted instead of jumping onto the new SUSE version.  It's not impossible that they offer a fix before SUSE does.  To get a feel for this, check out the Up2Date blog, e.g., UTM Up2Date 9.409 Released.

    Cheers - Bob

  • SUSE may have patched their (SLES') version of 3.12.53, but the generic upstream version of 3.12.53 is vulnerable.

  • I don't have a support contract with Sophos, else I would have gone to Sophos with this. UTM is used on my home network.