Two major vulnerabilities in Kernel v2.6.x. PLEASE READ

AndyReed


On Friday July 14th, 2006 an exploit was widely posted for a vulnerability in the Linux 2.6 kernel, CVE-2006-3626 and CVE-2006-2451, which attempts to allow a local user to gain root privileges. The exploit relies on the kernel supporting the a.out binary format.

These two vulnerabilities do not affect Red Hat Enterprise Linux v2.1 or v3 as they are based on v2.4 kernels.

Those two vulnerabilities allow anyone to gain full root access to your server. Remote shell (SSH) access is not required in this case; a simple FTP or bad/insecure PHP script is enough to gain root access to your server.

- CVE-2006-2451
This vulnerability was fixed in version 2.6.17.4 of the Linux kernel. For more information, go to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451

- CVE-2006-3626
This vulnerability was fixed in version 2.6.17.5 of the Linux kernel. For more information, go to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-3626
 

cinusik

Thanks for posting, AndyReed.
One of our 14 servers was hacked this way yesterday.
The hacker gained root privileges, but luckily we logged in to the server 30 minutes after him. He only swapped all the index.* files with his own index.htm and removed the whole /var/log directory, but he could have executed any command, for example rm -rf *

Really serious vulnerability. EVERYBODY using custom-built 2.6.xx kernels and some vendor release kernels, BE CAREFUL and update your kernels ASAP.
 

webignition

What might be the best option for those, like myself, who prefer to stick with the latest vendor release?

I'm using 2.6.9-34.ELsmp which, as far as I'm aware, is the latest CentOS 4.3 X86_64 kernel.

The only option I can think of is to wait for CentOS to churn out a new kernel. Would there be any other options?
 

chirpy

It doesn't affect CentOS kernels. It only affects those with custom built kernels, not those who use OS vendor sourced ones. There shouldn't be any need for this thread for those people, as those with custom kernels should be watching kernel.org continually anyway, as this is the constant risk of not using vendor supplied kernels.
 

Earendil

chirpy said:
It doesn't affect CentOS kernels. It only affects those with custom built kernels, not those who use OS vendor sourced ones. There shouldn't be any need for this thread for those people, as those with custom kernels should be watching kernel.org continually anyway, as this is the constant risk of not using vendor supplied kernels.
It does affect CentOS kernels; I know of at least 1 box that got rooted by this exploit yesterday (not ours).
If you run the latest kernel, you're safe.
Which is 2.6.9-34.0.2.EL, by the way.
 

chirpy

Well, yes, if you haven't kept up to date with your kernels you will be caught. I wasn't implying that their kernels are invulnerable, just that the latest ones are meant to have been patched for the vulnerability, i.e. 2.6.9-34.0.2. If you've been hacked while on that kernel you need to report it to Red Hat, since it's meant to be fixed.
 

BianchiDude

Why does WHM catch this when you log in?

I had a test server running 2.6.9-22.ELsmp and WHM DIDN'T alert me about that kernel.

And I have an even older test server that was running 2.4.20-24.7 and it DID notify me.

What's going on? Is WHM going to tell us or not? They should pick one, so people either rely on WHM or don't.
 

chirpy

You most certainly should not rely on the WHM news for security issues. That's your responsibility as the server administrator. The kernel issues have been known about for some time, and it's your job to know that by subscribing to and reading the security alerts of the OS you're using as well as the common security mailing lists.
 

jamesbond

I find it confusing. Some people are posting on forums that the latest CentOS kernel is vulnerable to the /proc race condition if you have SELinux disabled (if I understood this correctly).

They recommend mounting /proc as nosuid as a fix (which is supposed to be a good general security measure anyway, it seems).
 

kris1351

Levels of the kernel below what Chirpy was saying are vulnerable to this, and custom compiled kernels below 2.5.17.5 are vulnerable also. Mounting proc like the article suggests is a workaround.
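The two checks the last few posts describe (is the running kernel at or above the fixed release, and is /proc mounted nosuid as a workaround) as a small POSIX sh script. This is an added example, not code from any poster; it assumes the fixed releases stated in this thread (2.6.9-34.0.2.EL for CentOS/RHEL 4 "EL" kernels, 2.6.17.5 for self-built 2.6 kernels) and treats release strings as plain version numbers.

```shell
#!/bin/sh
# Added example, not from the thread: compare a kernel release string with the
# fixed versions cited above and check the /proc nosuid workaround.
# Version numbers are a heuristic: vendors backport fixes without bumping them.

# Return 0 when version $1 is at least $2, comparing numeric fields left to
# right ("2.6.9-34.0.2.ELsmp" is treated as 2 6 9 34 0 2; missing fields are 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[^0-9]+"); nb = split(b, y, "[^0-9]+")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Classify a release: RHEL/CentOS 4 "EL" kernels need 2.6.9-34.0.2.EL (per the
# thread), self-built 2.6 kernels need 2.6.17.5 (covers both CVEs), 2.4 kernels
# are not affected. Returns 0 if fixed, 1 if below the fixed release, 2 if unknown.
kernel_fixed() {
    rel=$1
    case $rel in
        2.4.*)                echo "$rel: 2.4 series, not affected"; return 0 ;;
        [3-9].*|[1-9][0-9].*) echo "$rel: newer than the 2.6 series"; return 0 ;;
        *EL*)                 fixed=2.6.9-34.0.2.EL ;;
        2.6.*)                fixed=2.6.17.5 ;;
        *)                    echo "$rel: unrecognised release string"; return 2 ;;
    esac
    if version_ge "$rel" "$fixed"; then
        echo "$rel: at or above fixed release $fixed"; return 0
    fi
    echo "$rel: VULNERABLE, below fixed release $fixed"; return 1
}

# Return 0 when /proc is mounted nosuid. Takes the mount table as text so it
# can be checked offline (constructed input in tests); defaults to /proc/mounts.
proc_nosuid() {
    mounts=${1:-$(cat /proc/mounts 2>/dev/null)}
    printf '%s\n' "$mounts" |
        awk '$2 == "/proc" && $4 ~ /(^|,)nosuid(,|$)/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# Report on the host this script runs on.
kernel_fixed "$(uname -r)" || :
if proc_nosuid; then echo "/proc is mounted nosuid"; else echo "/proc is NOT mounted nosuid"; fi
```

A version-number match only shows the kernel is new enough by name; on a box that was already compromised, the kernel string proves nothing about the rest of the system.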
 

claudio

Yesterday someone injected, via /phplive/setup/header.php (live help),
some scripts from PHP into /tmp.

Fortunately he cannot use lynx or compile (at least it seems so :( ).
Sometimes they try backdoors, other rootkits, etc.
Well, one of these scripts was called real.c and it has this header:

* Linux Kernel Module Loader Local R00t Exploit
* Up to 2.4.20
* By anonymous KuRaK
*

I have some CentOS 3.4 boxes, just a few, and only one Red Hat 9.

All of them have 2.4.21-37.EL #1 kernels or similar.

I took a brief look into the Perl code of this kernel exploit and it didn't proceed executing well, so I don't know if I should upgrade these kernels or leave them in their original old, non-customized versions.

Does anyone know if kernel upgrades can mess up other functions such as logs, stats, PHP, etc.?

Or is booting with LILO options to go back to the last kernel really safe for me?

Does compiling a new kernel take a long time?

Should I consider downloading new RPM packages, or is just the main kernel fine?

best regards

Claudio
 