KernelCare “Extra” Patchset option not showing in WHM > Security Advisor

WorkinOnIt

Well-Known Member
Aug 3, 2016
312
54
78
UK
cPanel Access Level
Root Administrator
I saw the option to install the free patch set on one of my servers in the Security Advisor window on WHM and went ahead and "clicked the button" that did that - it all seemed to be easy as, and smooth and the Security Advisor now states "You are Protected by KernelCare's Free Symlink Protection." :)

However, on my other servers - I don't see the option to install it - there's nothing mentioned in the Security Advisor window, just the usual "Kernel does not support the prevention of symlink ownership attacks. You do not appear to have any symlink protection enabled through a properly patched kernel on this server"

All servers are running the same kernel, OS and WHM version. What gives? :(
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
Hi @WorkinOnIt

That's unusual, all servers that are on v70+ should have it. I know you did mention they were all on the same cPanel version, OS and kernel but could you run the following on the server with the patch and the server without:

Code:
uname -r
rpm -qa |grep kernel
kcarectl --patch-info
cat /usr/local/cpanel/version
cat /etc/redhat-release
Thanks!
 

WorkinOnIt

Server with patch installed;

Code:
[test@1 ~]$ uname -r
3.10.0-862.3.2.el7.x86_64
[test@1 ~]$ rpm -qa |grep kernel
kernel-tools-libs-3.10.0-862.3.2.el7.x86_64
kernel-tools-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-693.21.1.el7.x86_64
kernel-headers-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-693.17.1.el7.x86_64
kernelcare-2.14-6.x86_64
kernel-3.10.0-862.2.3.el7.x86_64
kernel-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-693.11.1.el7.x86_64

[test@1 ~]$ sudo kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-862.3.2.el7
time: 2018-05-24 04:36:53

kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: Gerrit Code Review

kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: Gerrit Code Review

[test@1 ~]$ cat /usr/local/cpanel/version
11.70.0.44
[test@1 ~]$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

Second server without the button showing.

Code:
[test@server2 ~]$ uname -r
3.10.0-862.3.2.el7.x86_64
[test@server2 ~]$ rpm -qa |grep kernel
kernel-3.10.0-862.3.2.el7.x86_64
kernelcare-2.14-6.x86_64
kernel-3.10.0-693.11.1.el7.x86_64
kernel-3.10.0-693.21.1.el7.x86_64
kernel-headers-3.10.0-862.3.2.el7.x86_64
kernel-tools-libs-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-693.17.1.el7.x86_64
kernel-tools-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-862.2.3.el7.x86_64
[test@server2 ~]$ sudo kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-862.3.2.el7
time: 2018-05-24 04:36:53

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges
kpatch-patch-url:

uname: 3.10.0-862.3.2.el7

[test@server2 ~]$ cat /usr/local/cpanel/version
11.70.0.44
[test@server2 ~]$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
 

cPanelLauren

Hi @WorkinOnIt

Thank you for providing all of that information. The big difference I see here is the patch info. On the server without the option you have an entirely different patch coming up:

Code:
[test@server2 ~]$ sudo kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-862.3.2.el7
time: 2018-05-24 04:36:53

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges
kpatch-patch-url:
Is this something that you remember installing?


Thanks!
 

WorkinOnIt

Yes, I saw that discrepancy too - but I don't remember installing any patches. I'm not even sure what the proc-restrict-pagemap-access.patch actually does!

What's the best way forward here?
 

cPanelLauren

@WorkinOnIt

I'm going to research this patch and see if I can replicate the issue you're experiencing as well as look for a potential workaround. I'll update you again once I've got some more information.
 

cPanelLauren

Hi @WorkinOnIt

Can you please run the following on the server that isn't showing the symlink protection patch?

Code:
/usr/bin/kcarectl --info
/usr/bin/kcarectl --license-info
That patch also came with the following:

KernelCare Directory

I'm wondering if you have the full KernelCare version on this server and because of that patch you're not getting the notification somehow.
 

WorkinOnIt

Hi @cPanelLauren

I ran the above command and it says:

"You have a trial license for the IP 12.34.56.78 that will expire on 2018-05-30"


kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-862.3.2.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Mon May 21 23:36:36 UTC 2018
kpatch-build-time: Wed May 23 21:57:28 2018
kpatch-description: 1-;3.10.0-862.3.2.el7





However, I have not installed Kernel Care on the system - unless that is what got installed along with some update? I'm the only admin on the server, so no-one else could have installed it.

Very odd!! Has this been reported by anyone else? What's the best way to remove it and go with the free patch?
 

cPanelLauren

Hi @WorkinOnIt

When just the patch is applied the kpatch-description line looks like this:
Code:
kpatch-description: 2-free;
So it does indeed look like you have the full KernelCare service installed. To uninstall it you can follow the instructions provided by CloudLinux here: KernelCare Documentation

Then you can install just the free patch from the Security Advisor. There are two KernelCare-related notifications that come up when running the Security Advisor: one is yellow for the full KernelCare product and the other is red for symlink protection only.
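
The comparison made across this thread, as an added example that is not part of any post above and is not cPanel or KernelCare code: a shell sketch that reads saved `kcarectl --info` and `kcarectl --patch-info` output and reports whether the free patchset marker and the symlink protection patch are present. The function names and the sample text are constructed for illustration, and treating any `kpatch-description` value without "free" as the full product is an assumption drawn from the two values shown in the thread.

```shell
#!/bin/sh
# Added example: classify KernelCare state from saved kcarectl output.
# Assumption (from the thread): `kcarectl --info` shows
# "kpatch-description: 2-free;" for the free patchset and a value such as
# "1-;<kernel>" when the full service is installed.

# patchset_kind: reads `kcarectl --info` output on stdin.
# Prints "free", "full" or "none" (no kpatch-description line found).
patchset_kind() {
    awk -F': *' '
        $1 == "kpatch-description" { found = 1; if ($2 ~ /free/) is_free = 1 }
        END {
            if (!found)       print "none"
            else if (is_free) print "free"
            else              print "full"
        }'
}

# has_symlink_patch: reads `kcarectl --patch-info` output on stdin.
# Prints "yes" if any applied patch name mentions symlink-protection.
has_symlink_patch() {
    if grep -Eq '^kpatch-name:.*symlink-protection'; then echo yes; else echo no; fi
}

# Constructed samples, abridged from the output quoted in the thread.
INFO_FULL='kpatch-state: patch is applied
kpatch-build-time: Wed May 23 21:57:28 2018
kpatch-description: 1-;3.10.0-862.3.2.el7'
INFO_FREE='kpatch-state: patch is applied
kpatch-description: 2-free;'
PATCHES_SYMLINK='kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-description: symlink protection'
PATCHES_PAGEMAP='kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount'

report() {  # $1 = label, $2 = --info text, $3 = --patch-info text
    printf '%s: patchset=%s symlink_patch=%s\n' "$1" \
        "$(printf '%s\n' "$2" | patchset_kind)" \
        "$(printf '%s\n' "$3" | has_symlink_patch)"
}

report free-patchset-sample "$INFO_FREE" "$PATCHES_SYMLINK"
report full-service-sample "$INFO_FULL" "$PATCHES_PAGEMAP"
```

On a live server the same functions can be fed directly, for example `kcarectl --info | patchset_kind`, which makes it quick to compare several hosts that otherwise report identical kernel and cPanel versions.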