Full Disclosure: Workaround for Ac1db1tch3z exploit.
Does the default install depend on any 32 bit binaries?
Does the default install depend on any 32 bit binaries?
Serious Kernel Exploit - Affects x86_64 (including default rhel5)
[merged] Serious Kernel Exploit - Affects x86_64 (including default rhel5) - Web Hosting Talk
Can we have words from cPanel team about this?
[merged] Serious Kernel Exploit - Affects x86_64 (including default rhel5) - Web Hosting Talk
Can we have words from cPanel team about this?
*** This only affects x86_64 machines. Please ignore this message if you are running a i386/32-bit only machine ***
*** The below is a temporary workaround for the recent local root security hole in the Linux kernel. This workaround will adversely affect some systems. A partial list of this adverse reactions is listed below. Please think carefully, and seek the advise of an expert if you are unsure if you should apply this workaround. As soon is it becomes available and deemed stable for use, you should get an updated kernel from your Linux kernel vendor. ***
This "patch"
will break anything that requires 32-bit compatibility mode. cPanel does distribute true 64 bit binaries. *In theory* most things should be fine.
So far we have found that most things work just fine (be sure to apply the attached patch before doing this to avoid problems on the next update):
- it *may* break php when mySQL versions are updated (easyapache should fix this)
- courier and mysql get installed from source instead of binary (patch attached -- apply in /scripts with
-- this will be published in the next EDGE)
- frontpage (if you still have it) breaks.
- third party 32bit only apache modules may break.
There are probably some more things that have not been found yet.
*** The below is a temporary workaround for the recent local root security hole in the Linux kernel. This workaround will adversely affect some systems. A partial list of this adverse reactions is listed below. Please think carefully, and seek the advise of an expert if you are unsure if you should apply this workaround. As soon is it becomes available and deemed stable for use, you should get an updated kernel from your Linux kernel vendor. ***
This "patch"
Code:
echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/registerSo far we have found that most things work just fine (be sure to apply the attached patch before doing this to avoid problems on the next update):
- it *may* break php when mySQL versions are updated (easyapache should fix this)
- courier and mysql get installed from source instead of binary (patch attached -- apply in /scripts with
Code:
patch -p0 < courierup-mysqlup-32bitdisabled.patch.txt- frontpage (if you still have it) breaks.
- third party 32bit only apache modules may break.
There are probably some more things that have not been found yet.
FrontPage
Like it or not, we still have a LOT of people that use FrontPage extensions to publish.
I'd be interested in any workarounds that would allow us to patch for this exploit and still support FrontPage extensions/publishing.
- Scott
Like it or not, we still have a LOT of people that use FrontPage extensions to publish.
I'd be interested in any workarounds that would allow us to patch for this exploit and still support FrontPage extensions/publishing.
- Scott
Tracking this issue: CentOS
We are tracking this issue within CentOS at : 0004518: CVE-2010-3081 - CentOS Bug Tracker
Also, its important that people realise the code does not need to be built locally, it can be injected and deployed over a remote hole in an existing application installed on your machine ( like WHM itself or anything contained within WHM or apps the users deploy ).
--
Karanbir Singh <http://www.karan.org/>
We are tracking this issue within CentOS at : 0004518: CVE-2010-3081 - CentOS Bug Tracker
Also, its important that people realise the code does not need to be built locally, it can be injected and deployed over a remote hole in an existing application installed on your machine ( like WHM itself or anything contained within WHM or apps the users deploy ).
--
Karanbir Singh <http://www.karan.org/>
Hey people,
If you subscribe to ksplice, they already have a fix available for a reboot-less upgrade. Otherwise, there are patches available, if disabling 32-bit binaries is not an option for you.
Please see:
Nasty Kernel Exploit in the Wild :: The cPanel Admin
If you subscribe to ksplice, they already have a fix available for a reboot-less upgrade. Otherwise, there are patches available, if disabling 32-bit binaries is not an option for you.
Please see:
Nasty Kernel Exploit in the Wild :: The cPanel Admin
Ksplice Question
Well, I attempted to install the Ksplice system but get an error with CENTOS 5.5 x86_64:
error: Failed dependencies:
rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch
I've searched and searched and can't find these anywhere, but I did find a lot of forum posts from others with the same problem. Does anyone have a solution for this?
Well, I attempted to install the Ksplice system but get an error with CENTOS 5.5 x86_64:
error: Failed dependencies:
rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch
I've searched and searched and can't find these anywhere, but I did find a lot of forum posts from others with the same problem. Does anyone have a solution for this?
Did you first checked if your system is not compromised?I installed Ksplice on 6 servers and apply patch
Yes i checked. Instruction: https://www.ksplice.com/uptrack/cve-2010-3081.ssi.xhtml
After checed install ksplice and run:
uptrack-upgrade -y
After checed install ksplice and run:
uptrack-upgrade -y
I also checked to make sure the server was clean and it was, but I still can't install Ksplice due to:
error: Failed dependencies:
rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch
I have an email in to Ksplice but they are probably overwhelmed right now with orders and trial downloads. I just hope I can figure this out before the server is hit.
error: Failed dependencies:
rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch
I have an email in to Ksplice but they are probably overwhelmed right now with orders and trial downloads. I just hope I can figure this out before the server is hit.
Will installing and running ksplice interfere or cause issues with cPanel?
I assume not as you are sort of promoting it; just making sure.
Kind Regards,
Tony
I assume not as you are sort of promoting it; just making sure.
Kind Regards,
Tony
I applied this patch, and ever since then, I have had massive problems with MySQL on the servers with crashing, problems restarting, MySQL errors. You name it, I've seen it.
Does anyone know how to undo this patch? I've been looking, I have my DC's admins looking, and we're all baffled at what we're seeing.
Infopro
Well-Known Member
I would think your OS vender will be providing a path forward on this soon enough. Today, the next few days? Not sure. But I would also think you could ask your users not to use frontpage (or let them try to and then tell them when they put in a ticket it's been disabled temporarily) until that fix is available from your vendor. Just thinking out loud here I suppose...
That (disabling updates) will have no effect on this I don't think.
If you're having a problem with this, I'm sure cPanel wants to know about it. I suggest a ticket be put in and link them to this thread in the ticket.
If you need to remove the path, run the following command as the root user to restore the default:
echo -1 > /proc/sys/fs/binfmt_misc/32bits
Font: https://access.redhat.com/kb/docs/DOC-40265
echo -1 > /proc/sys/fs/binfmt_misc/32bits
Font: https://access.redhat.com/kb/docs/DOC-40265