
DirtyCow (CVE-2016-5195)

Discussion in 'Security' started by gryzli, Oct 21, 2016.

  1. gryzli

    gryzli Active Member

    #1 gryzli, Oct 21, 2016
    Last edited by a moderator: Oct 21, 2016
  2. Bazinga

    Bazinga Active Member

  3. rpvw

    rpvw Well-Known Member

  4. gryzli

    gryzli Active Member

  5. ThinIce

    ThinIce Well-Known Member

    This really is one of those car crash events, isn't it? RHEL / CentOS again seem to be latest to the party with a patch, the bug thread implies at an uneducated glance that CentOS6 users don't need to worry (which seems incorrect going on other posts to the thread and general chatter) and doesn't make clear if it's worth applying the mitigation on versions other than 7 to address the more recent POCs

    and the cPanel announcement doesn't make reference to their own kernel and when they'll update it: cPanel Security Team: Dirty COW (CVE-2016-5195) | cPanel Newsroom

    I just give up.
     
    #5 ThinIce, Oct 22, 2016
    Last edited: Oct 22, 2016
  6. ThinIce

    ThinIce Well-Known Member

    If I understand correctly, the systemtap mitigation will not protect against the subsequent POC exploit released.
     
    #6 ThinIce, Oct 22, 2016
    Last edited by a moderator: Oct 24, 2016
  7. sparek-3

    sparek-3 Well-Known Member

    Actually, my CentOS 6 KernelCare systems aren't showing any fix:

    Code:
    # cat /etc/redhat-release ; kcarectl --check ; kcarectl --patch-info | grep -i cve-2016-5195
    CentOS release 6.8 (Final)
    No update necessary
     
  8. rpvw

    rpvw Well-Known Member

    @sparek-3

    Interesting - my check using the same code produced different results:
    Code:
    # cat /etc/redhat-release ; kcarectl --check ; kcarectl --patch-info | grep -i cve-2016-5195
    CloudLinux Server release 6.8 (Oleg Makarov)
    No update necessary
    kpatch-cve: CVE-2016-5195
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-5195
     
  9. sparek-3

    sparek-3 Well-Known Member

    BRILLIANT!

    They released an update that --check doesn't recognize. If you run kcarectl --update it updates! This is absolutely brilliant! I mean, why depend on --check to see if there is an update when that never really matters!

    BRILLIANT!
     
  10. sparek-3

    sparek-3 Well-Known Member

    And for those of you looking for a CentOS/RHEL/cPanel kernel update you may want to just try yum update and never ever use yum check-update because seriously! Why should you ever just check for updates? Why spend time prepping for an update when you can just update! Who cares if it breaks a system or does something you didn't anticipate!

    Lesson learned today... checking for updates is totally useless!

    </sarcasm>
     
  11. gryzli

    gryzli Active Member

    Anybody with a kcare fix for CloudLinux / CentOS 5?
     
  12. rpvw

    rpvw Well-Known Member

  13. gryzli

    gryzli Active Member

    Just to summarize the current state of things:
    CloudLinux have released a Dirty COW fix in their mainstream kernels for CL 6 and CL 7.

    There is a kernel update for CL5 also, but it is in the testing repo.

    If you are using KernelCare (the rebootless kernel patching tool by CloudLinux), you must already have the patches for all of CL 5, 6, 7. You can check this by issuing:

    Code:
    root@server [~]# kcarectl  --patch-info  | grep 2016-5195 -A 6
    kpatch-name: 2.6.18/CVE-2016-5195.patch
    kpatch-description: CVE-2016-5195 fix
    kpatch-kernel: kernel-2.6.18-412.el5
    kpatch-cve: CVE-2016-5195
    kpatch-cvss: 6.9
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-5195
    kpatch-patch-url: https://git.kernel.org/linus/19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
    
     
    #13 gryzli, Oct 24, 2016
    Last edited by a moderator: Oct 24, 2016
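
The check gryzli describes looks at the loaded patch list itself, which matters because earlier in the thread `kcarectl --check` printed "No update necessary" on a system whose patch list had no entry for the CVE. The function below is an added example, not part of the thread and not KernelCare tooling; it assumes each record starts with a `kpatch-name:` line, and the sample input is constructed from the fields quoted above.

```shell
#!/bin/sh
# Added example: confirm a CVE fix from KernelCare's loaded patch list.
# Assumption: every patch record begins with a "kpatch-name:" line and names
# its CVE on a "kpatch-cve:" line, as in the output quoted in the thread.

# cve_patch_status CVE-ID   (reads `kcarectl --patch-info` text on stdin)
# Prints "patched <kpatch-name> <kpatch-kernel>" and returns 0 if a record
# lists the CVE; prints "missing <CVE-ID>" and returns 1 otherwise.
cve_patch_status() {
    awk -v want="$1" '
        function emit() {
            if (name != "" && hit) {
                printf "patched %s %s\n", name, kernel
                found = 1
            }
        }
        $1 == "kpatch-name:"   { emit(); name = $2; kernel = ""; hit = 0; next }
        $1 == "kpatch-kernel:" { kernel = $2; next }
        $1 == "kpatch-cve:" {
            for (i = 2; i <= NF; i++) {
                id = $i
                gsub(/,/, "", id)
                if (toupper(id) == toupper(want)) hit = 1
            }
        }
        END {
            emit()
            if (!found) { printf "missing %s\n", want; exit 1 }
        }
    '
}

# Constructed sample: the first record is a made-up placeholder, the second
# repeats the fields gryzli posted.
sample_patch_info() {
    cat <<'EOF'
kpatch-name: example/placeholder.patch
kpatch-description: constructed record for the demo
kpatch-kernel: kernel-0.0.0-placeholder
kpatch-cve: CVE-0000-0000

kpatch-name: 2.6.18/CVE-2016-5195.patch
kpatch-description: CVE-2016-5195 fix
kpatch-kernel: kernel-2.6.18-412.el5
kpatch-cve: CVE-2016-5195
kpatch-cvss: 6.9
EOF
}

# On a KernelCare host: kcarectl --patch-info | cve_patch_status CVE-2016-5195
sample_patch_info | cve_patch_status CVE-2016-5195 || true
```

The non-zero exit status on "missing" lets a cron job or monitoring check alert on hosts where the patch is not loaded.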
  14. garconcn

    garconcn Well-Known Member

    Will this affect the server which does not have public SSH access? Thank you for any advice.
     
  15. ThinIce

    ThinIce Well-Known Member

    Yes, if there is, for example, a vulnerability in a web app such as WordPress that would allow remote code execution, or if any of the accounts on your system have been breached such that an exploit could be uploaded and then executed.
     
  16. gryzli

    gryzli Active Member

    In fact, if you have any publicly accessible service (Web, FTP, or whatever it is), and someone tries to exploit your service and succeeds (in order to make it execute code with this service's username), this could be used as an indirect vector to execute the privilege escalation exploit.

    It is a really bad thing.
     
  17. keat63

    keat63 Well-Known Member

    Folks

    I don't profess to know what any of this means other than I should update or patch.
    Would Yum Update fix this in CentOS 6.8 Final, or do I need to run specific patches?
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Allow me to address some of the questions and comments that have not yet received a response.

    Regarding the cPanel hardened kernel, there's an internal case open to build and publish an update once CentOS publishes a new kernel (the cPanel hardened kernel patches the CentOS 6 kernel for symlink race condition protection).

    I encourage you to share your thoughts regarding KernelCare with the CloudLinux Support Team, or on their forums at:

    CloudLinux Forum

    You can run "yum update" to update your system kernel once CentOS releases an updated kernel that addresses the issue. Note that you must reboot the system after updating the kernel. Or, if you are interested in a third-party application, consider using KernelCare from CloudLinux:

    CloudLinux - Main | New template

    Thank you.
     
  19. gryzli

    gryzli Active Member

    In short, we are still waiting for Red Hat/CentOS to release a patched kernel :)
     
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
