KernelCare “Extra” Patchset option not showing in WHM > Security Advisor

Discussion in 'Security' started by WorkinOnIt, May 24, 2018.

  1. WorkinOnIt

    WorkinOnIt Well-Known Member

    Joined:
    Aug 3, 2016
    Messages:
    153
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    I saw the option to install the free patch set on one of my servers in the Security Advisor window on WHM and went ahead and "clicked the button" that did that - it all seemed to be easy as, and smooth and the Security Advisor now states "You are Protected by KernelCare's Free Symlink Protection." :)

    However, on my other servers - I don't see the option to install it - there's nothing mentioned in the Security Advisor window, just the usual "Kernel does not support the prevention of symlink ownership attacks. You do not appear to have any symlink protection enabled through a properly patched kernel on this server"

    All servers are running the same kernel, OS and WHM version. What gives? :(
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    276
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @WorkinOnIt

    That's unusual, all servers that are on v70+ should have it. I know you did mention they were all on the same cPanel version, OS and kernel but could you run the following on the server with the patch and the server without:

    Code:
    uname -r
    rpm -qa |grep kernel
    kcarectl --patch-info
    cat /usr/local/cpanel/version
    cat /etc/redhat-release
    Thanks!
     
  3. WorkinOnIt

    WorkinOnIt Well-Known Member

    Server with patch installed;

    Code:
    [test@1 ~]$ uname -r
    3.10.0-862.3.2.el7.x86_64
    [test@1 ~]$ rpm -qa |grep kernel
    kernel-tools-libs-3.10.0-862.3.2.el7.x86_64
    kernel-tools-3.10.0-862.3.2.el7.x86_64
    kernel-3.10.0-693.21.1.el7.x86_64
    kernel-headers-3.10.0-862.3.2.el7.x86_64
    kernel-3.10.0-693.17.1.el7.x86_64
    kernelcare-2.14-6.x86_64
    kernel-3.10.0-862.2.3.el7.x86_64
    kernel-3.10.0-862.3.2.el7.x86_64
    kernel-3.10.0-693.11.1.el7.x86_64
    
    [test@1 ~]$ sudo kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-862.3.2.el7
    time: 2018-05-24 04:36:53
    
    kpatch-name: 3.10.0/symlink-protection-ge-862.patch
    kpatch-description: symlink protection
    kpatch-kernel: kernel-3.10.0-514.el7
    kpatch-cve: N/A
    kpatch-cvss: N/A
    kpatch-cve-url: N/A
    kpatch-patch-url: Gerrit Code Review
    
    kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
    kpatch-description: symlink protection (kpatch adaptation)
    kpatch-kernel: kernel-3.10.0-514.el7
    kpatch-cve: N/A
    kpatch-cvss: N/A
    kpatch-cve-url: N/A
    kpatch-patch-url: Gerrit Code Review
    
    [test@1 ~]$ cat /usr/local/cpanel/version
    11.70.0.44
    [test@1 ~]$ cat /etc/redhat-release
    CentOS Linux release 7.5.1804 (Core)
    

    Second server without the button showing.

    Code:
    [test@server2 ~]$ uname -r
    3.10.0-862.3.2.el7.x86_64
    [test@server2 ~]$ rpm -qa |grep kernel
    kernel-3.10.0-862.3.2.el7.x86_64
    kernelcare-2.14-6.x86_64
    kernel-3.10.0-693.11.1.el7.x86_64
    kernel-3.10.0-693.21.1.el7.x86_64
    kernel-headers-3.10.0-862.3.2.el7.x86_64
    kernel-tools-libs-3.10.0-862.3.2.el7.x86_64
    kernel-3.10.0-693.17.1.el7.x86_64
    kernel-tools-3.10.0-862.3.2.el7.x86_64
    kernel-3.10.0-862.2.3.el7.x86_64
    [test@server2 ~]$ sudo kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-862.3.2.el7
    time: 2018-05-24 04:36:53
    
    kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges
    kpatch-patch-url:
    
    uname: 3.10.0-862.3.2.el7
    
    [test@server2 ~]$ cat /usr/local/cpanel/version
    11.70.0.44
    [test@server2 ~]$ cat /etc/redhat-release
    CentOS Linux release 7.5.1804 (Core)
    
    
    
     
    #3 WorkinOnIt, May 24, 2018
    Last edited by a moderator: May 25, 2018
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @WorkinOnIt

    Thank you for providing all of that information. The big difference I see here is the patch info. On the server without the option you have an entirely different patch coming up:

    Code:
    [test@server2 ~]$ sudo kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-862.3.2.el7
    time: 2018-05-24 04:36:53
    
    kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges
    kpatch-patch-url:
    Is this something that you remember installing?


    Thanks!
     
  5. WorkinOnIt

    WorkinOnIt Well-Known Member

    Yes, I saw that discrepancy too - but I don't remember installing any patches. I'm not even sure what the proc-restrict-pagemap-access.patch actually does!

    What's the best way forward here?
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    @WorkinOnIt

    I'm going to research this patch and see if I can replicate the issue you're experiencing as well as look for a potential workaround. I'll update you again once I've got some more information.
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @WorkinOnIt

    Can you please run the following on the server that isn't showing the symlink protection patch?

    Code:
    /usr/bin/kcarectl --info
    /usr/bin/kcarectl --license-info
    That patch also came with the following:

    KernelCare Directory

    I'm wondering if you have the full KernelCare version on this server and because of that patch you're not getting the notification somehow.
     
  8. WorkinOnIt

    WorkinOnIt Well-Known Member

    Hi @cPanelLauren

    I ran the above command and it says :

    "You have a trial license for the IP 12.34.56.78 that will expire on 2018-05-30"


    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-862.3.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Mon May 21 23:36:36 UTC 2018
    kpatch-build-time: Wed May 23 21:57:28 2018
    kpatch-description: 1-;3.10.0-862.3.2.el7





    However, I have not installed Kernel Care on the system - unless that is what got installed along with some update? I'm the only admin on the server, so no-one else could have installed it.

    Very odd!! Has this been reported by anyone else? What's the best way to remove it and go with the free patch?
     
  9. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @WorkinOnIt

    When just the patch is applied the kpatch-description line looks like this:
    Code:
    kpatch-description: 2-free;
    So it does indeed look like you have the full KernelCare service installed. To uninstall it you can follow the instructions provided by CloudLinux here: KernelCare Documentation

    Then you can install just the free patch from the SecurityAdvisor - There are two KernelCare related notifications that come up when running the security advisor, one is yellow for the full KernelCare product and the other is red for symlink protection only.
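
The diagnosis in this thread rests on two fields: the kpatch-name entries from `kcarectl --patch-info` and the kpatch-description line from `kcarectl --info`. The script below is an added example, not part of any post and not cPanel or KernelCare tooling, that applies the same comparison to saved output. The function names are hypothetical, and treating every description without `-free;` as "other" is an assumption based only on the two values quoted above.

```shell
#!/bin/sh
# Added example: hypothetical helpers that read saved kcarectl output.

# List kpatch-name values from `kcarectl --patch-info` text on stdin.
kc_patch_names() {
    sed -n 's/^[[:space:]]*kpatch-name:[[:space:]]*//p'
}

# Succeed if that patch list includes a symlink-protection patch.
kc_has_symlink_patch() {
    kc_patch_names | grep -q 'symlink-protection'
}

# Classify the first kpatch-description line of `kcarectl --info` text.
# Assumption: only the two values quoted in this thread are known.
kc_patchset_kind() {
    desc=$(sed -n 's/^[[:space:]]*kpatch-description:[[:space:]]*//p' | head -n 1)
    case "$desc" in
        '')          echo none ;;
        *"-free;"*)  echo free ;;
        *)           echo other ;;
    esac
}

# $1 = --patch-info text, $2 = --info text
kc_report() {
    kind=$(printf '%s\n' "$2" | kc_patchset_kind)
    if printf '%s\n' "$1" | kc_has_symlink_patch; then sym=yes; else sym=no; fi
    echo "patchset=$kind symlink_protection=$sym"
}

# Excerpts of the output posted in this thread (server 1, server 2).
SERVER1_PATCH_INFO='kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch'
SERVER2_PATCH_INFO='kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch'
SERVER2_INFO='kpatch-state: patch is applied
kpatch-description: 1-;3.10.0-862.3.2.el7'
# Server 1's --info output was not posted; this is the single line the
# thread quotes for a server with only the free patch applied.
FREE_INFO='kpatch-description: 2-free;'

echo "server1: $(kc_report "$SERVER1_PATCH_INFO" "$FREE_INFO")"
echo "server2: $(kc_report "$SERVER2_PATCH_INFO" "$SERVER2_INFO")"
```

On a live server the same functions can be fed directly, for example `kcarectl --patch-info | kc_has_symlink_patch` and `kcarectl --info | kc_patchset_kind`.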
     