x86_64 Kernel Exploit

[hermit]

Full Disclosure: Workaround for Ac1db1tch3z exploit.

Does the default install depend on any 32 bit binaries?

 

[xuser]

Serious Kernel Exploit - Affects x86_64 (including default rhel5)

[merged] Serious Kernel Exploit - Affects x86_64 (including default rhel5) - Web Hosting Talk

Can we have words from cPanel team about this?

 

[GaryT]

Ahum,

Not even Centos have released anything yet.

I'm 64bit based and have already applied the patch. This is a tempory must as the "script kiddies" are running wild on this.

 

[cPanelNick]

*** This only affects x86_64 machines. Please ignore this message if you are running a i386/32-bit only machine ***

*** The below is a temporary workaround for the recent local root security hole in the Linux kernel. This workaround will adversely affect some systems. A partial list of this adverse reactions is listed below. Please think carefully, and seek the advise of an expert if you are unsure if you should apply this workaround. As soon is it becomes available and deemed stable for use, you should get an updated kernel from your Linux kernel vendor. ***

This "patch"

echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

will break anything that requires 32-bit compatibility mode. cPanel does distribute true 64 bit binaries. *In theory* most things should be fine.


So far we have found that most things work just fine (be sure to apply the attached patch before doing this to avoid problems on the next update):

- it *may* break php when mySQL versions are updated (easyapache should fix this)
- courier and mysql get installed from source instead of binary (patch attached -- apply in /scripts with

patch -p0 < courierup-mysqlup-32bitdisabled.patch.txt

-- this will be published in the next EDGE)
- frontpage (if you still have it) breaks.
- third party 32bit only apache modules may break.

There are probably some more things that have not been found yet.

 

[sneader]

FrontPage

Like it or not, we still have a LOT of people that use FrontPage extensions to publish.

I'd be interested in any workarounds that would allow us to patch for this exploit and still support FrontPage extensions/publishing.

- Scott

 

[z00dax]

Tracking this issue: CentOS

We are tracking this issue within CentOS at : 0004518: CVE-2010-3081 - CentOS Bug Tracker

Also, its important that people realise the code does not need to be built locally, it can be injected and deployed over a remote hole in an existing application installed on your machine ( like WHM itself or anything contained within WHM or apps the users deploy ).

--
Karanbir Singh <http://www.karan.org/>

 

[vanessa]

Hey people,

If you subscribe to ksplice, they already have a fix available for a reboot-less upgrade. Otherwise, there are patches available, if disabling 32-bit binaries is not an option for you.

Please see:

Nasty Kernel Exploit in the Wild :: The cPanel Admin

 

[mtbwacko]

Ksplice Question

Well, I attempted to install the Ksplice system but get an error with CENTOS 5.5 x86_64:

error: Failed dependencies:
rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch

I've searched and searched and can't find these anywhere, but I did find a lot of forum posts from others with the same problem. Does anyone have a solution for this?

 

[hekri]

I installed Ksplice on 6 servers and apply patch

 

[xuser]

I installed Ksplice on 6 servers and apply patch

Did you first checked if your system is not compromised?

 

[hekri]

Yes i checked. Instruction: https://www.ksplice.com/uptrack/cve-2010-3081.ssi.xhtml


After checed install ksplice and run:
uptrack-upgrade -y

 

[rligg]

Hey people,

If you subscribe to ksplice, they already have a fix available for a reboot-less upgrade. Otherwise, there are patches available, if disabling 32-bit binaries is not an option for you.

Please see:

Nasty Kernel Exploit in the Wild :: The cPanel Admin

Where are the patches that keep 32bit intact?

 

[mtbwacko]

I also checked to make sure the server was clean and it was, but I still can't install Ksplice due to:

error: Failed dependencies:
rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch

I have an email in to Ksplice but they are probably overwhelmed right now with orders and trial downloads. I just hope I can figure this out before the server is hit.

 

[servermanaged]

Hey people,

If you subscribe to ksplice, they already have a fix available for a reboot-less upgrade. Otherwise, there are patches available, if disabling 32-bit binaries is not an option for you.

Please see:

Nasty Kernel Exploit in the Wild :: The cPanel Admin

Thanks for sharing.

 

[rligg]

Like it or not, we still have a LOT of people that use FrontPage extensions to publish.

I'd be interested in any workarounds that would allow us to patch for this exploit and still support FrontPage extensions/publishing.

- Scott

Have you found a solution for this?

 

[Valuehosted]

Will installing and running ksplice interfere or cause issues with cPanel?

I assume not as you are sort of promoting it; just making sure.

Kind Regards,
Tony

 

[onlysim]

What if disable upcp

Hello,

Will it be effective if we temporary disable auto update cpanel and apply patch to disable 32bits binaries till official fix released from RH for Centos ?

 

[jenlepp]

[
This "patch"

echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

will break anything that requires 32-bit compatibility mode. cPanel does distribute true 64 bit binaries. *In theory* most things should be fine.

I applied this patch, and ever since then, I have had massive problems with MySQL on the servers with crashing, problems restarting, MySQL errors. You name it, I've seen it.

Does anyone know how to undo this patch? I've been looking, I have my DC's admins looking, and we're all baffled at what we're seeing.

 

[Infopro]

Like it or not, we still have a LOT of people that use FrontPage extensions to publish.

I'd be interested in any workarounds that would allow us to patch for this exploit and still support FrontPage extensions/publishing.

- Scott

I would think your OS vender will be providing a path forward on this soon enough. Today, the next few days? Not sure. But I would also think you could ask your users not to use frontpage (or let them try to and then tell them when they put in a ticket it's been disabled temporarily) until that fix is available from your vendor. Just thinking out loud here I suppose...

Hello,

Will it be effective if we temporary disable auto update cpanel and apply patch to disable 32bits binaries till official fix released from RH for Centos ?

That (disabling updates) will have no effect on this I don't think.

I applied this patch, and ever since then, I have had massive problems with MySQL on the servers with crashing, problems restarting, MySQL errors. You name it, I've seen it.

Does anyone know how to undo this patch? I've been looking, I have my DC's admins looking, and we're all baffled at what we're seeing.

If you're having a problem with this, I'm sure cPanel wants to know about it. I suggest a ticket be put in and link them to this thread in the ticket.

 

[brulinux]

If you need to remove the path, run the following command as the root user to restore the default:

echo -1 > /proc/sys/fs/binfmt_misc/32bits

Font: https://access.redhat.com/kb/docs/DOC-40265