KernelCare “Extra” Patchset option not showing in WHM > Security Advisor

WorkinOnIt

Well-Known Member
Aug 3, 2016
195
28
28
UK
cPanel Access Level
Root Administrator
I saw the option to install the free patch set on one of my servers in the Security Advisor window on WHM and went ahead and "clicked the button" that did that - it all seemed to be easy as, and smooth and the Security Advisor now states "You are Protected by KernelCare's Free Symlink Protection." :)

However, on my other servers - I don't see the option to install it - there's nothing mentioned in the in the Security Advisor window, just the usual "Kernel does not support the prevention of symlink ownership attacks.You do not appear to have any symlink protection enabled through a properly patched kernel on this server"

All servers are running the same kernel, OS and WHM version. What gives? :(
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Hi @WorkinOnIt

That's unusual, all servers that are on v70+ should have it. I know you did mention they were all on the same cPanel version, OS and kernel but could you run the following on the server with the patch and the server without:

Code:
uname -r
rpm -qa |grep kernel
kcarectl --patch-info
cat /usr/local/cpanel/version
cat /etc/redhat-release
Thanks!
 

WorkinOnIt

Well-Known Member
Aug 3, 2016
195
28
28
UK
cPanel Access Level
Root Administrator
Server with patch installed;

Code:
[[email protected] ~]$ uname -r
3.10.0-862.3.2.el7.x86_64
[[email protected] ~]$ rpm -qa |grep kernel
kernel-tools-libs-3.10.0-862.3.2.el7.x86_64
kernel-tools-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-693.21.1.el7.x86_64
kernel-headers-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-693.17.1.el7.x86_64
kernelcare-2.14-6.x86_64
kernel-3.10.0-862.2.3.el7.x86_64
kernel-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-693.11.1.el7.x86_64

[[email protected] ~]$ sudo kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-862.3.2.el7
time: 2018-05-24 04:36:53

kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: Gerrit Code Review

kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: Gerrit Code Review

[[email protected] ~]$ cat /usr/local/cpanel/version
11.70.0.44
[[email protected] ~]$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

Second server without the button showing.

Code:
[[email protected] ~]$ uname -r
3.10.0-862.3.2.el7.x86_64
[[email protected] ~]$ rpm -qa |grep kernel
kernel-3.10.0-862.3.2.el7.x86_64
kernelcare-2.14-6.x86_64
kernel-3.10.0-693.11.1.el7.x86_64
kernel-3.10.0-693.21.1.el7.x86_64
kernel-headers-3.10.0-862.3.2.el7.x86_64
kernel-tools-libs-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-693.17.1.el7.x86_64
kernel-tools-3.10.0-862.3.2.el7.x86_64
kernel-3.10.0-862.2.3.el7.x86_64
[[email protected] ~]$ sudo kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-862.3.2.el7
time: 2018-05-24 04:36:53

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges
kpatch-patch-url:

uname: 3.10.0-862.3.2.el7

[[email protected] ~]$ cat /usr/local/cpanel/version
11.70.0.44
[[email protected] ~]$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
 
Last edited by a moderator:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Hi @WorkinOnIt

Thank you for providing all of that information. The big difference I see here is the patch info. On the server without the option you have an entirely different patch coming up:

Code:
[[email protected] ~]$ sudo kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-862.3.2.el7
time: 2018-05-24 04:36:53

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges
kpatch-patch-url:
Is this something that you remember installing?


Thanks!
 

WorkinOnIt

Well-Known Member
Aug 3, 2016
195
28
28
UK
cPanel Access Level
Root Administrator
Yes, I saw that discrepancy too - but I don't remember installing any patches. I'm not even sure what the
proc-restrict-pagemap-access.patch actually does!

What's the best way forward here?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
@WorkinOnIt

I'm going to research this patch and see if I can replicate the issue you're experiencing as well as look for a potential workaround. I'll update you again once I've got some more information.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Hi @WorkinOnIt

Can you please run the following on the server that isn't showing the symlink protection patch?

Code:
usr/bin/kcarectl --info
/usr/bin/kcarectl --license-info
That patch also came with the following:

KernelCare Directory

I'm wondering if you have the full kernelcare version on this server and because of that patch you're not getting the notification somehow
 

WorkinOnIt

Well-Known Member
Aug 3, 2016
195
28
28
UK
cPanel Access Level
Root Administrator
Hi @cPanelLauren

I ran the above command and it says :

"You have a trial license for the IP 12.34.56.78 that will expire on 2018-05-30"


kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-862.3.2.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Mon May 21 23:36:36 UTC 2018
kpatch-build-time: Wed May 23 21:57:28 2018
kpatch-description: 1-;3.10.0-862.3.2.el7





However, I have not installed Kernel Care on the system - unless that is what got installed along with some update? I'm the only admin on the server, so no-one else could have installed it.

Very odd !! Has this been reported by anyone else? What's the best way to remove it and go with the free patch.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
HI @WorkinOnIt

When just the patch is applied the kpatch-description line looks like this:
Code:
kpatch-description: 2-free;
So it does indeed look like you have the full KernelCare service installed. To uninstall it you can follow the instructions provided by CloudLinux here: KernelCare Documentation

Then you can install just the free patch from the SecurityAdvisor - There are two KernelCare related notifications that come up when running the security advisor, one is yellow for the full KernelCare product and the other is red for symlink protection only.