The Community Forums

Interact with an entire community of cPanel & WHM users!

Two major vulnerabilities in Kernel v2.6.x. PLEASE READ

Discussion in 'General Discussion' started by AndyReed, Jul 19, 2006.

  1. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Two major vulnerabilities in Kernel v2.6.x.

    On Friday July 14th, 2006 an exploit was widely posted for a vulnerability in the Linux 2.6 kernel, CVE-2006-3626 and CVE-2006-2451, which attempts to allow a local user to gain root privileges. The exploit relies on the kernel supporting the a.out binary format.

    These two vulnerabilities do not affect Red Hat Enterprise Linux v2.1 or v3 as they are based on v2.4 kernels.

    Those two vulnerabilities allow anyone to gain full root access to your server. Remote shell (SSH) access is not required in this case; a simple FTP or bad/insecure PHP script is enough to gain root access to your server.

    - CVE-2006-2451
    This vulnerability was fixed in version 2.6.17.4 of the Linux kernel. For more information, go to:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451

    - CVE-2006-3626
    This vulnerability was fixed in version 2.6.17.5 of the Linux kernel. For more information, go to:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-3626
     
    #1 AndyReed, Jul 19, 2006
    Last edited by a moderator: Jul 20, 2006
  2. cinusik

    cinusik Active Member

    Thanks for posting, AndyReed.
    One of our 14 servers was hacked this way yesterday.
    The hacker gained root privileges, but fortunately we logged in to the server 30 minutes after him. He only swapped all the index.* files with his own index.htm and he removed the whole /var/log directory, but he could have executed any command, like for example rm -rf *

    Really serious vulnerability. EVERYBODY using custom-built 2.6.xx kernels and some vendor release kernels, BE CAREFUL: update your kernels ASAP.
     
    #2 cinusik, Jul 20, 2006
    Last edited: Jul 20, 2006
  3. webignition

    webignition Well-Known Member

    What might be the best option for those, like myself, who prefer to stick with the latest vendor release?

    I'm using 2.6.9-34.ELsmp which, as far as I'm aware, is the latest CentOS 4.3 X86_64 kernel.

    The only option I can think of is to wait for CentOS to churn out a new kernel. Would there be any other options?
     
  4. chirpy

    chirpy Well-Known Member

    It doesn't affect CentOS kernels. It only affects those with custom built kernels, not those who use OS vendor sourced ones. There shouldn't be any need for this thread for those people, as those with custom kernels should be watching kernel.org continually anyway, as this is the constant risk of not using vendor supplied kernels.
     
    #4 chirpy, Jul 20, 2006
    Last edited: Jul 20, 2006
  5. webignition

    webignition Well-Known Member

    Thanks for the clarification.
     
  6. Earendil

    Earendil Well-Known Member

    It does affect CentOS kernels, I know of at least 1 box that got rooted by this exploit yesterday (not ours).
    If you run the latest kernel, you're safe.
    Which is 2.6.9-34.0.2.EL by the way..
     
  7. chirpy

    chirpy Well-Known Member

    Well, yes, if you haven't kept up to date with your kernels you will be caught. I wasn't implying that their kernels are invulnerable, just that the latest ones are meant to have been patched for the vulnerability, i.e. 2.6.9-34.0.2. If you've been hacked and are on that kernel, you need to report it to RedHat since it's meant to be fixed.
     
  8. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Why doesn't WHM catch this when you log in?

    I had a test server running 2.6.9-22.ELsmp and WHM DIDN'T alert me about that kernel.

    And I have an even older test server that was running 2.4.20-24.7 and it DID notify me.

    What's going on? Is WHM going to tell us or not? They should pick one so people either rely on WHM or don't.
     
  9. chirpy

    chirpy Well-Known Member

    You most certainly should not rely on security issues on the WHM news. That's your responsibility as the server administrator. The kernel issues have been known about for some time and it's your job to know that by subscribing to and reading security alerts of the OS you're using as well as the common security mailing lists.
     
  10. jamesbond

    jamesbond Well-Known Member

    I find it confusing. Some people are posting on forums that the latest CentOS kernel is vulnerable to the /proc race condition if you have SELinux disabled (if I understood this correctly).

    They recommend mounting /proc as nosuid as a fix (which is supposed to be a good general security measure anyway, it seems).
     
    #10 jamesbond, Aug 3, 2006
    Last edited: Aug 4, 2006
  11. kris1351

    kris1351 Well-Known Member

    Levels of the kernel below what Chirpy was saying are vulnerable to this, and custom compiled kernels below 2.5.17.5 are vulnerable also. Mounting /proc like the article suggests is a workaround.
     
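    The kernel-version and /proc mount checks discussed in the preceding posts, as an added example that is not part of the original thread or of cPanel's own tooling. It assumes the upstream fix versions stated in post #1 (2.6.17.4 for CVE-2006-2451, 2.6.17.5 for CVE-2006-3626) apply only to vanilla kernels, and that vendor kernels such as 2.6.9-34.0.2.EL carry backported fixes, so it flags those for manual review rather than judging them by version number.

```shell
#!/bin/sh
# Added example, not code from the thread. Read-only check for the two CVEs
# discussed above: compares a vanilla 2.6.x release against the upstream fix
# versions given in post #1 and reports whether /proc is mounted nosuid, the
# workaround mentioned in posts #10 and #11. Vendor kernels (*.EL*) carry
# backported fixes, so they are reported for manual review, never judged by
# upstream version number.

# vercmp A B: prints -1, 0 or 1 for dotted numeric versions (missing parts = 0).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# vanilla_kernel_status RELEASE: exit 0 = fixed, 1 = missing a fix, 2 = vendor
# kernel (compare against the vendor advisory instead of upstream numbers).
vanilla_kernel_status() {
    rel=${1:-$(uname -r)}
    case "$rel" in
        *.EL*|*.el*) echo "$rel: vendor kernel, check the vendor advisory"; return 2 ;;
    esac
    ver=${rel%%-*}                       # drop -rc/-smp style suffixes
    if [ "$(vercmp "$ver" 2.6)" -lt 0 ]; then
        echo "$rel: pre-2.6 kernel, not affected by these two CVEs"; return 0
    fi
    rc=0
    [ "$(vercmp "$ver" 2.6.17.4)" -lt 0 ] && { echo "$rel: CVE-2006-2451 unfixed (< 2.6.17.4)"; rc=1; }
    [ "$(vercmp "$ver" 2.6.17.5)" -lt 0 ] && { echo "$rel: CVE-2006-3626 unfixed (< 2.6.17.5)"; rc=1; }
    return $rc
}

# proc_is_nosuid [MOUNTS_TEXT]: exit 0 if /proc carries nosuid. Takes the text of
# /proc/mounts as an argument (constructed input in tests) or reads the live file.
proc_is_nosuid() {
    mounts=${1:-$(cat /proc/mounts)}
    opts=$(printf '%s\n' "$mounts" | awk '$2 == "/proc" { o = $4 } END { print o }')
    case ",$opts," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# Live check of this host, skipped where /proc is unavailable.
if [ -r /proc/mounts ]; then
    vanilla_kernel_status "$(uname -r)" || true
    if proc_is_nosuid; then echo "/proc is nosuid"; else echo "/proc is NOT nosuid"; fi
fi
```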
  12. claudio

    claudio Well-Known Member

    Yesterday someone injected, via /phplive/setup/header.php (live help),
    some scripts from PHP into /tmp.

    Fortunately he cannot use lynx or compile (at least it seems so :( ).
    Sometimes they try backdoors, other rootkits, etc.
    Well, one of these scripts was called real.c and it has this header:

    * Linux Kernel Module Loader Local R00t Exploit
    * Up to 2.4.20
    * By anonymous KuRaK
    *

    I have some CentOS 3.4 boxes, just a few, and only one RedHat 9.

    All of them have 2.4.21-37.EL #1 kernels or similar.

    I took a brief look into the Perl code of this kernel exploit and it didn't proceed executing well, so I don't know if I should upgrade these kernels or leave them in these original, old, non-customized versions.

    Does anyone know if kernel upgrades can mess up other functions such as logs, stats, PHP, etc.?

    Or is booting with LILO options to go back to the last kernel really safe for me?

    Does compiling a new kernel take a long time?

    Should I consider downloading new RPM packages, or is just the main kernel fine?

    best regards

    Claudio
     
    #12 claudio, Sep 9, 2006
    Last edited: Sep 9, 2006