Two major vulnerabilities in Kernel v2.6.x. PLEASE READ

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,221
4
193
Minneapolis, MN
Two major vulnerabilities in Kernel v2.6.x.

On Friday July 14th, 2006 an exploit was widely posted for a vulnerability in the Linux 2.6 kernel, CVE-2006-3626 and CVE-2006-2451, which attempts to allow a local user to gain root privileges. The exploit relies on the kernel supporting the a.out binary format.

These two vulnerabilities do not affect Red Hat Enterprise Linux v2.1 or v3 as they are based on v2.4 kernels.

Those two vulnerabilities allows anyone to gain full root access to your server. A remote shell (SSH) access is not required in this case, a simple FTP or bad/insecure Php script is enough to gain root access to your server.

- CVE-2006-2451
This vulnerability was fixed in version 2.6.17.4 of the Linux kernel. For more information, go to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451

- CVE-2006-3626
This vulnerability was fixed in version 2.6.17.5 of the Linux kernel. For more information, go to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-3626
 
Last edited by a moderator:

cinusik

Active Member
Jul 31, 2003
38
1
158
cPanel Access Level
Root Administrator
Thanks for posting AndyReed.
One of our 14 servers was hacked this way yesterday.
Hacker gained root privileges but hopefully we logged to the server 30 minutes after him. He only swapped all the index.* files with his own index.htm and he removed whole /var/log directory but he could execute any command like for example rm -rf *

Really serious vulnerability, EVERYBODY using custom build 2.6.xx kernels and some vendor relases kernels BE CAREFULL, update your kernels ASAP.
 
Last edited:

webignition

Well-Known Member
Jan 22, 2005
1,880
0
166
What might be the best option for those, like myself, who prefer to stick with the latest vendor release?

I'm using 2.6.9-34.ELsmp which, as far as I'm aware, is the latest CentOS 4.3 X86_64 kernel.

The only option I can think of is to wait for CentOS to churn out a new kernel. Would there be any other options?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
It doesn't affect CentOS kernels. It only affects those with custom built kernels, not those who use OS vendor sourced ones. There shouldn't be any need for this thread for those people, as those with custom kernels should be watching kernel.org continually anyway, as this is the constant risk of not using vendor supplied kernels.
 
Last edited:

Earendil

Well-Known Member
Jun 10, 2004
102
0
166
chirpy said:
It doesn't affect CentOS kernels. It only affects those with custom built kernels, not those who use OS vendor sourced ones. There shouldn't be any need for this thread for those people, as those with custom kernels should be watching kernel.org continually anyway, as this is the constant risk of not using vendor supplied kernels.
It does affect CentOS kernels, I know of at least 1 box that got rooted by this exploit yesterday (not ours).
If you run the latest kernel, you're safe.
Which is 2.6.9-34.0.2.EL by the way..
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
Well, yes, if you haven't kept up to date with your kernels you will be caught, I wasn't implying that their kernels are invulnerable, just that the latest ones are meant to have been patched for the vulnerability, i.e. 2.6.9-34.0.2. If you've been hacked and on that kernel you need to report it to RedHat since it's meant to be fixed.
 

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
619
0
166
Why does WHM catch this when you log in?

I had a test server running 2.6.9-22.ELsmp and WHM DIDN'T alert me that kernel.

And I have a even older test server that was running 2.4.20-24.7 and it DID notify me.

Whats going on? Is WHM going to tell us or not? They should pick on so people either rely on WHM or dont.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
You most certainly should not rely on security issues on the WHM news. That's your responsibility as the server administrator. The kernel issues have been known about for some time and it's your job to know that by subscribing to and reading security alerts of the OS you're using as well as the common security mailing lists.
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
I find it confusing. Some people are posting on forums that the latest CentOS kernel is vulnerable to the /proc race condition if you have SELinux disabled (if I understood this correctly)


They recommend mounting /proc as nosuid as a fix (which is supposed to be a good general security measure anyway it seems)
 
Last edited:

kris1351

Well-Known Member
Apr 18, 2003
963
0
166
Lewisville, Tx
Levels of the kernel below what Chirpy was saying are vulnerable to this and custom compiled kernels below 2.5.17.5 are vulnerable also. Mounting proc like the article suggests is a work around.
 

claudio

Well-Known Member
Jul 31, 2004
201
0
166
Yesterday someone inejct by a /phplive/setup/header.php (live help)
some scripts from php to /tmp

fortunatly he cannot use lynx or compile (at least it seem so :( )
sometimes they try backdoors, other rootkits, etc
well one of this scripts was called real.c and it has this header

* Linux Kernel Module Loader Local R00t Exploit
* Up to 2.4.20
* By anonymous KuRaK
*

i have some centos 3.4 boxes just a few and only one redhat 9

all of then has 2.4.21-37.EL #1 kernels or similars

i took a brief look into the perl code of this kernel exploit and it didnt proceed executing well so i dont know if i should upgrade this kernels or leave then in this original old not customized versions

does anyone know if kernel upgrades can mess other functions such as logs, stats, php, etc?

or to boot with lilo options to reboot back to last kernels is really safe to me?

to compile a new kernel took a long time?

should i consider downloading new rpm packages or just the main kernel is fine?

best regards

Claudio
 
Last edited: