VPS.NET Cloud Community: Update your Ubuntu Installs! - VPS.NET Cloud Community


Update your Ubuntu Installs!

#1 User is offline   nickn 

  • Nick Nelson
  • Group: VPS.NET Management
  • Posts: 189
  • Joined: 26-March 09

Posted 20 September 2010 - 11:51 AM

As many of you may know by now, there's a Linux kernel exploit out there which can lead to root privileges, and ultimately a compromised system. It's VERY easy to do, so you should treat this with urgency... CentOS has not yet released an update, but Ubuntu has, and as such, here are some quick instructions on how to do it:

This is for Ubuntu 10.04..

Quote


# apt-get update
# apt-get install linux-image-2.6.32-24-server


Open /boot/grub/menu.lst, add new kernel to boot, full file content:

default 1
timeout 3
hiddenmenu

title Ubuntu 10.04, kernel 2.6.32-22-server
root (hd0,0)
kernel /boot/vmlinuz-2.6.32-22-server root=/dev/xvda1 ro quiet splash
initrd /boot/initrd.img-2.6.32-22-server

title Ubuntu 10.04, kernel 2.6.32-24-server
root (hd0,0)
kernel /boot/vmlinuz-2.6.32-24-server root=/dev/xvda1 ro quiet splash
initrd /boot/initrd.img-2.6.32-24-server



# reboot


If you are unsure, please open an On Demand ticket for $10 and we will handle it.
Nick Nelson

VPS.NET Managing Director

Office: 020 7053 7671
0
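
An added example, not part of the original post: GRUB legacy's `default N` counts `title` stanzas from zero, so `default 1` in the menu.lst above selects the second stanza, the 2.6.32-24 kernel. The script resolves that index for a menu.lst given as a file or on stdin; the function names are this example's own, and the embedded sample is the file from the post.

```sh
#!/bin/sh
# Added example: resolve which kernel GRUB legacy boots by default.
# Handles the "default N" form used on this page (not "default saved").

# default_kernel [FILE] -> prints the kernel path of the default stanza
default_kernel() {
    awk '
        $1 == "default" { want = $2 }      # zero-based index of title stanzas
        $1 == "title"   { idx++ }          # stanza number idx-1 starts here
        $1 == "kernel" && idx > 0 { kern[idx - 1] = $2 }
        END {
            if (want == "") want = 0       # no default line: GRUB uses entry 0
            if (!(want in kern)) exit 1    # index past the last stanza
            print kern[want]
        }
    ' "$@"
}

# boots_kernel VERSION [FILE] -> exit 0 if the default stanza boots vmlinuz-VERSION
boots_kernel() {
    ver=$1; shift
    k=$(default_kernel "$@") || return 2
    [ "${k##*/}" = "vmlinuz-$ver" ]
}

# Sample input: the menu.lst from the post above
sample_menu() {
    cat <<'EOF'
default 1
timeout 3
hiddenmenu

title Ubuntu 10.04, kernel 2.6.32-22-server
root (hd0,0)
kernel /boot/vmlinuz-2.6.32-22-server root=/dev/xvda1 ro quiet splash
initrd /boot/initrd.img-2.6.32-22-server

title Ubuntu 10.04, kernel 2.6.32-24-server
root (hd0,0)
kernel /boot/vmlinuz-2.6.32-24-server root=/dev/xvda1 ro quiet splash
initrd /boot/initrd.img-2.6.32-24-server
EOF
}

sample_menu | default_kernel
```

Running `boots_kernel 2.6.32-24-server /boot/grub/menu.lst` before the reboot catches an off-by-one `default` that would boot the old kernel again.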

#2 User is offline   anthonysomerset 

  • On Cloud 9
  • Group: Customers
  • Posts: 618
  • Joined: 16-September 09
  • Location: London, UK

Posted 20 September 2010 - 11:57 AM

also if you're on debian update also!

http://www.debian.or...y/2010/dsa-2110
0

#3 User is offline   mtdavidson 

  • I Got Nodes
  • Group: Customers
  • Posts: 23
  • Joined: 27-June 09
  • Location: Norfolk, UK

Posted 20 September 2010 - 11:58 AM

The vulnerability nick is pointing out here is CVE-2010-3081. You can find more details here http://blog.ksplice..../cve-2010-3081/ including a tool to check if you have already been compromised.

This post has been edited by mtdavidson: 20 September 2010 - 12:08 PM

0

#4 User is offline   nickn 

  • Nick Nelson
  • Group: VPS.NET Management
  • Posts: 189
  • Joined: 26-March 09

Posted 20 September 2010 - 01:13 PM

anthonysomerset said:

also if you're on debian update also!

http://www.debian.or...y/2010/dsa-2110


Oddly enough..we couldn't duplicate this vulnerability on our Debian images at all. Should still definitely upgrade.
Nick Nelson

VPS.NET Managing Director

Office: 020 7053 7671
0

#5 User is offline   anthonysomerset 

  • On Cloud 9
  • Group: Customers
  • Posts: 618
  • Joined: 16-September 09
  • Location: London, UK

Posted 20 September 2010 - 01:17 PM

nickn said:

Oddly enough..we couldn't duplicate this vulnerability on our Debian images at all. Should still definitely upgrade.


they already updated the kernel (they are often pretty quick for security advisories) so a simple

apt-get update
apt-get upgrade
reboot


should sort people out

as a follow up, reading some of the stuff around the net this is a local root escalation exploit, this means a user has to have access to the machine in some way to be able to do this. the ksplice stuff is just unnecessary scaremongering.

while it is important to maintain up-to-date systems don't feel pressurised to install ksplice just for this

also if you run reasonably secure systems and heavily restrict ssh access then you likely won't get exploited - DISCLAIMER i am not saying that you won't get exploited, just that you probably have better chances

This post has been edited by anthonysomerset: 20 September 2010 - 01:49 PM

0

#6 User is offline   Nick 

  • I Got Nodes
  • Group: Customers
  • Posts: 14
  • Joined: 10-December 09

Posted 20 September 2010 - 01:51 PM

Arrgg this messes up my 75 days uptime. But a reboot is needed :yes:.

Hmmm, I can't access the console, "Console unavailable." message.

This post has been edited by Nick: 20 September 2010 - 04:13 PM

0

#7 User is offline   nickn 

  • Nick Nelson
  • Group: VPS.NET Management
  • Posts: 189
  • Joined: 26-March 09

Posted 20 September 2010 - 03:02 PM

http://forums.cpanel...html#post692222

For anyone using cpanel (sent all this out in email too)

As well..for those interested, we're currently testing KSplice! Hopefully will get that out soon.
Nick Nelson

VPS.NET Managing Director

Office: 020 7053 7671
0

#8 User is offline   Austriaco 

  • I Got Nodes
  • Group: Customers
  • Posts: 1
  • Joined: 22-April 09
  • Location: Deutschland

Posted 20 September 2010 - 04:54 PM

Nick said:

Arrgg this messes up my 75 days uptime. But a reboot is needed :yes:.



50 days here. :( I had already upgraded but was postponing the reboot until it was absolutely necessary, ignoring the seriousness of the situation.

Thanks to the VPS's team for sending out the mail reminder.
0

#9 User is offline   serversphere 

  • Nodes Of Steel
  • Group: Customers
  • Posts: 49
  • Joined: 09-June 09
  • Location: New Jersey, USA

Posted 20 September 2010 - 05:31 PM

Ha! I just took down our Ubuntu instance and replaced with the hardened Centos LAMP this morning. Whoops!
0

#10 User is offline   butler360 

  • I Got Nodes
  • Group: Customers
  • Posts: 47
  • Joined: 24-October 09

Posted 20 September 2010 - 05:31 PM

anthonysomerset said:

they already updated the kernel (they are often pretty quick for security advisories) so a simple


apt-get update
apt-get upgrade
reboot


should sort people out


Just curious, how do you know when a reboot is necessary? Only kernel upgrades? Is there any indicator that a reboot is necessary?
0

#11 User is offline   anthonysomerset 

  • On Cloud 9
  • Group: Customers
  • Posts: 618
  • Joined: 16-September 09
  • Location: London, UK

Posted 20 September 2010 - 05:49 PM

generally you only "need" a reboot for a new kernel; for the most part you are otherwise fine with restarting affected services, which is normally part of the upgrade process anyway. for other software i would speak to the software makers
0
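
An added example, not part of the thread: for kernel upgrades, one way to answer the "is a reboot needed" question is to compare `uname -r` with the newest `vmlinuz-*` image in /boot, alongside the `/var/run/reboot-required` flag file written by Ubuntu's update-notifier-common hooks. The function names are hypothetical, and the script assumes GNU `sort -V` and a single kernel flavour (e.g. only -server images).

```sh
#!/bin/sh
# Added example: is a reboot pending after a kernel upgrade?
# Assumes GNU sort -V and one kernel flavour (e.g. only -server images).

# installed_kernels [BOOTDIR] -> one version per line, from vmlinuz-* images
installed_kernels() {
    for f in "${1:-/boot}"/vmlinuz-*; do
        if [ -e "$f" ]; then printf '%s\n' "${f##*/vmlinuz-}"; fi
    done
}

# newest_of -> highest version among the lines on stdin
newest_of() { sort -V | tail -n 1; }

# reboot_needed RUNNING [BOOTDIR] -> exit 0 if a newer kernel than RUNNING is installed
reboot_needed() {
    newest=$(installed_kernels "$2" | newest_of)
    [ -n "$newest" ] && [ "$newest" != "$1" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$newest" | newest_of)" = "$newest" ]
}

# /var/run/reboot-required is the flag file written by Ubuntu's
# update-notifier-common hooks; the /boot comparison covers hosts without it.
if [ -f /var/run/reboot-required ] || reboot_needed "$(uname -r)"; then
    echo "reboot required: running $(uname -r)"
else
    echo "running kernel is the newest installed"
fi
```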

#12 User is offline   butler360 

  • I Got Nodes
  • Group: Customers
  • Posts: 47
  • Joined: 24-October 09

Posted 20 September 2010 - 05:49 PM

Got it, thanks!
0

#13 User is offline   anthonysomerset 

  • On Cloud 9
  • Group: Customers
  • Posts: 618
  • Joined: 16-September 09
  • Location: London, UK

Posted 20 September 2010 - 05:55 PM

i think this is getting a little bit too much coverage over at slashdot and it reads like an ad for ksplice

i think it's worth pointing out that if you severely restrict local access (eg shell accounts, etc) then you are a lot less likely to get this exploit than others

it's not like windows vulnerabilities where someone can get in to your machine just by you going to a certain website. lots of people are unnecessarily scaremongering and some of the fixes i have seen (particularly the cpanel fix) can do more damage than good if you are not careful or aware of the consequences.

guys this vulnerability has been around since 2008 if it really was that serious it would have been fixed very quickly, while not advocating we not update our kernels (we really should for the other bad stuff not always publicised) but don't panic and rush to apply half formed patches that haven't yet been fully tested and proven to be reliable with no side effects. and if you are that worried about it, shut down ssh and use the console (not totally a bad idea with the new san 2.0 console) that way you limit the local access points to vps.net and anyone with access to your vps.net account details
0

#14 User is offline   boeki 

  • I Got Nodes
  • Group: Customers
  • Posts: 233
  • Joined: 26-August 10

Posted 20 September 2010 - 06:05 PM

saw over at wht that the exploit can also come in via php/cgi/ruby/etc and is not limited to shell access.
0

#15 User is offline   anthonysomerset 

  • On Cloud 9
  • Group: Customers
  • Posts: 618
  • Joined: 16-September 09
  • Location: London, UK

Posted 20 September 2010 - 06:53 PM

yes but it requires compromised code or code with its own holes to get in that way to start with.

generally if you are the only user of the server you have restricted the access points to the server a lot and by controlling the code going on there keeps that hole more closed than on say a shared host
0

#16 User is offline   boeki 

  • I Got Nodes
  • Group: Customers
  • Posts: 233
  • Joined: 26-August 10

Posted 20 September 2010 - 08:15 PM

those on cloudlinux can update their kernels to fix issues for CVE-2010-3081: http://www.cloudlinu...g/clnews/22.php
0

#17 User is offline   serversphere 

  • Nodes Of Steel
  • Group: Customers
  • Posts: 49
  • Joined: 09-June 09
  • Location: New Jersey, USA

Posted 20 September 2010 - 08:17 PM

boeki said:

saw over at wht that the exploit can also come in via php/cgi/ruby/etc and is not limited to shell access.


I think this is mis-stated on WHT (I saw that post too). What I think that person meant to say was, a user that is already on your system could use php/cgi/ruby/etc to exploit the box. But it would have to be one of two things: a user that doesn't like you or decides to put on the black hat, or (as Anthony says) a local user's already broken into account.
0

#18 User is offline   boeki 

  • I Got Nodes
  • Group: Customers
  • Posts: 233
  • Joined: 26-August 10

Posted 20 September 2010 - 08:30 PM

i'm glad if that's the case. thanks for clearing it up.
0

#19 User is offline   mrcbrown 

  • I Got Nodes
  • Group: Customers
  • Posts: 18
  • Joined: 10-September 10

Posted 20 September 2010 - 08:44 PM

nickn said:

http://forums.cpanel...html#post692222

For anyone using cpanel (sent all this out in email too)

As well..for those interested, we're currently testing KSplice! Hopefully will get that out soon.


Has this been tested by anyone using VPS.NET for cPanel hosting? Just wish there was a time frame for CentOS....
0

#20 User is offline   anthonysomerset 

  • On Cloud 9
  • Group: Customers
  • Posts: 618
  • Joined: 16-September 09
  • Location: London, UK

Posted 20 September 2010 - 09:03 PM

i want to know if the cpanel workaround will affect litespeed

it looks to me like a messy workaround that just disables 32bit on 64bit systems which breaks all sorts of compatibility
0
