
x86_64 Kernel Exploit

Discussion in 'Security' started by hermit, Sep 18, 2010.

  1. jenlepp

    jenlepp Member

    I removed the patch - the CloudLinux server was formally patched with KSplice, and the older servers were about to be replaced anyway and there's some debate as to whether it affects my kernel on those servers because they've been around a while.

    For anyone who needs it, it's:

    from https://access.redhat.com/kb/docs/DOC-40265

    Someone else can have their clients scream at them while they jockey with the temporary patch and cPanel support. I'm going to concentrate on moving those servers to new CL boxes asap.
     
  2. jenlepp

    jenlepp Member

    Thanks - I had found it and it appears we posted simultaneously. :)
     
  3. cPanelNick

    cPanelNick Administrator
    Staff Member

    ksplice is probably the best option right now for those who need to keep 32bit binaries working.

    Side Note: The "promotion" of ksplice is not solicited. They just might be the best option for many at the moment.
     
  4. rligg

    rligg Member

    ???

    ksplice does not keep 32-bit binaries working. FrontPage and Miva Merchant fail with KSplice.
     
  5. cPanelNick

    cPanelNick Administrator
    Staff Member

    If they are not offering an updated package for your platform with 32bit compat working (I cannot confirm this either way, as I have not used it myself. ksplice will need to be contacted for more information) you may just want to wait until your Linux vendor puts out an update.
     
  6. Davetha

    Davetha New Member

    KSplice has a rebootless compat patch for RHEL5/CentOS5 as of the 18th in the afternoon. They later released an OpenVZ based kernel patch that night.
     
  7. price

    price New Member

    Re: Ksplice Question

    We looked into this (thanks for the email! I think we've already replied to you) and this is the error you get if you try to use the Fedora RPM on CentOS. For a CentOS system, you want this version: http://www.ksplice.com/yum/uptrack/centos/ksplice-uptrack-release.noarch.rpm

    As always, we're happy to help at support@ksplice.com with any questions.

    Greg Price
    Ksplice
     
  8. price

    price New Member

    Ksplice should not cause issues with any 32-bit binaries. In particular, this Ksplice update has been installed on many thousands of machines with no observed or reported impact to 32-bit binaries. 32-bit binaries would stop working, however, if you followed the Red Hat mitigation instructions, so I'm guessing that's what's causing the issues that you've observed; perhaps you applied the mitigation and then later installed Ksplice.

    You can disable the mitigation by running the following command as root:
    Code:
    # echo -1 >  /proc/sys/fs/binfmt_misc/32bits
    If that doesn't work and you think that this issue is related to Ksplice, please contact us at support@ksplice.com and we will help investigate and correct the issue.

    Greg Price
    Ksplice
     
  9. rligg

    rligg Member

    You are indeed correct. My admin used the RH patch.
     
  10. GaryT

    GaryT Member

    Sounds stupid, but the easiest option is to wait for the vendor update rather than the patch. People with WHM who used the patch have MASSIVE issues; I tested on one box and I could not get the mysql and such to stay online.

    I disabled A LOT of php functions to tighten some things up till the new kernel comes out. CentOS has released a newer version but I have not tested this yet:

    http://dev.centos.org/centos/5/testing/x86_64/RPMS/kernel-2.6.18-194.11.3.el5.CVE_2010_3081.x86_64.rpm

    Taken from their testing repository (beta but no exploits found so far)

    Now, to wait it out there is a risk, but you also take a risk by applying patches.
     
  11. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

  12. Rodney-E2

    Rodney-E2 New Member

    We are having a lot of MySQL issues as well after this is applied.
    I have a ticket open to cPanel now and waiting to hear from them.
     
  13. Jonjimar

    Jonjimar New Member

    I try to do the line

    and have the next result:

    root@cloud [~]# patch -p0 < courierup-mysqlup-32bitdisabled.patch.txt
    can't find file to patch at input line 5
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |Index: courierup
    |===================================================================
    |--- courierup (revision 48943)
    |+++ courierup (revision 48944)
    --------------------------
    File to patch:
    root@cloud [~]#

    Can someone help me with this?


    Jonathan J.
     
  14. GaryT

    GaryT Member

    There are 3 exploits not the 1 - you need to do them all.
     
  15. sehh

    sehh Member

    It is interesting, how this exploit has been around for 2 years now...

    I wonder how much damage it has caused and how many "secure" systems have been compromised.... how many admins out there couldn't figure out how their fully updated systems had been exploited.

    At least, the attacker requires some kind of access to execute the exploit, which means closed systems with SSH only access were never affected.

    Just some random thoughts...
     
  16. wgalafassijr

    wgalafassijr New Member

    If I use CentOS 4, what do I have to do?
     
  17. GaryT

    GaryT Member

    Upgrade to the latest stable CentOS - I will check shortly; I do know a new version is out with a patched kernel.

    OVH knew about this a long time back. If you get a dedicated from OVH you will see that 99.9% you will have a custom kernel, and the exploit patch is already in place.

    I contacted my DC about this; they said, "This is old but now new news! Don't worry, you're already prevented."

    So in this case, why has it only just been brought up when most BIG box providers knew this...
     
  18. sehh

    sehh Member

    hmm interesting..
     
  19. radeonpower

    radeonpower Member

    I just checked with yum and a new kernel is available for CentOS 5.5 x64.
     
  20. cokequai

    cokequai New Member

    How do you check with yum?

    If you run:

    # yum update kernel

    And get this kernel:

    kernel x86_64 2.6.18-194.11.3.el5 updates 19 M

    But in http://bugs.centos.org/view.php?id=4518

    "the official kernel (kernel-2.6.18-194.11.4.el5.src.rpm) will be pushed as soon as possible"
     
    #40 cokequai, Sep 21, 2010
    Last edited: Sep 21, 2010
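
Added example (not part of any post in this thread, and not cPanel, Red Hat or Ksplice code): a read-only shell check for the two states discussed in Greg Price's and cokequai's posts, namely whether a binfmt_misc entry named 32bits is registered and whether the running kernel release is at least a version you pass in. The function names are hypothetical, and the target version is an argument because the thread does not settle which build carries the fix.

```shell
#!/bin/sh
# Added example; function names are hypothetical and nothing here is from the thread.

# mitigation_state DIR: prints "absent", "enabled" or "disabled" for the
# binfmt_misc entry named 32bits (the entry the "echo -1" command removes).
mitigation_state() {
    entry="$1/32bits"
    # No entry (or binfmt_misc not mounted): 32-bit binaries are not blocked by it.
    [ -r "$entry" ] || { echo absent; return 0; }
    # The first line of a binfmt_misc entry file is its state.
    head -n 1 "$entry"
}

# ver_fields RELEASE: numeric fields of a kernel release with the dist suffix
# dropped, e.g. 2.6.18-194.11.3.el5 -> "2 6 18 194 11 3".
ver_fields() {
    printf '%s\n' "$1" | sed 's/\.el[0-9].*$//' | tr -cs '0-9\n' ' '
}

# kernel_at_least HAVE WANT: exit status 0 if HAVE >= WANT, compared field by
# field as integers (no reliance on sort -V, which old coreutils lack).
kernel_at_least() {
    have=$(ver_fields "$1")
    want=$(ver_fields "$2")
    for w in $want; do
        set -- $have
        h=${1:-0}
        [ $# -gt 0 ] && shift
        have="$*"
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# report WANT: print both findings for the local machine.
report() {
    echo "32bits binfmt_misc entry: $(mitigation_state /proc/sys/fs/binfmt_misc)"
    if kernel_at_least "$(uname -r)" "$1"; then
        echo "running kernel $(uname -r) is at or above $1"
    else
        echo "running kernel $(uname -r) is older than $1"
    fi
}

# Run as: sh check.sh <kernel-release-to-compare-against>
[ $# -eq 0 ] || report "$1"
```

An "enabled" result means the entry is still registered, which matches the situation Greg Price describes where 32-bit binaries stop working until it is removed.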
