The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

x86_64 Kernel Exploit

Discussion in 'Security' started by hermit, Sep 18, 2010.

  1. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
  2. xuser

    xuser Member

    Joined:
    Jun 21, 2007
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
  3. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    Ahum,

    Not even Centos have released anything yet.

    I'm 64bit based and have already applied the patch. This is a tempory must as the "script kiddies" are running wild on this.
     
  4. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    *** This only affects x86_64 machines. Please ignore this message if you are running a i386/32-bit only machine ***

    *** The below is a temporary workaround for the recent local root security hole in the Linux kernel. This workaround will adversely affect some systems. A partial list of this adverse reactions is listed below. Please think carefully, and seek the advise of an expert if you are unsure if you should apply this workaround. As soon is it becomes available and deemed stable for use, you should get an updated kernel from your Linux kernel vendor. ***

    This "patch"
    Code:
    echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register
    will break anything that requires 32-bit compatibility mode. cPanel does distribute true 64 bit binaries. *In theory* most things should be fine.


    So far we have found that most things work just fine (be sure to apply the attached patch before doing this to avoid problems on the next update):

    - it *may* break php when mySQL versions are updated (easyapache should fix this)
    - courier and mysql get installed from source instead of binary (patch attached -- apply in /scripts with
    Code:
    patch -p0 < courierup-mysqlup-32bitdisabled.patch.txt
    -- this will be published in the next EDGE)
    - frontpage (if you still have it) breaks.
    - third party 32bit only apache modules may break.

    There are probably some more things that have not been found yet.
     

    Attached Files:

  5. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    FrontPage

    Like it or not, we still have a LOT of people that use FrontPage extensions to publish.

    I'd be interested in any workarounds that would allow us to patch for this exploit and still support FrontPage extensions/publishing.

    - Scott
     
  6. z00dax

    z00dax Registered

    Joined:
    Aug 1, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Tracking this issue: CentOS

    We are tracking this issue within CentOS at : 0004518: CVE-2010-3081 - CentOS Bug Tracker

    Also, its important that people realise the code does not need to be built locally, it can be injected and deployed over a remote hole in an existing application installed on your machine ( like WHM itself or anything contained within WHM or apps the users deploy ).

    --
    Karanbir Singh <http://www.karan.org/>
     
  7. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Hey people,

    If you subscribe to ksplice, they already have a fix available for a reboot-less upgrade. Otherwise, there are patches available, if disabling 32-bit binaries is not an option for you.

    Please see:

    Nasty Kernel Exploit in the Wild :: The cPanel Admin
     
  8. mtbwacko

    mtbwacko Well-Known Member

    Joined:
    Nov 30, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Ksplice Question

    Well, I attempted to install the Ksplice system but get an error with CENTOS 5.5 x86_64:

    error: Failed dependencies:
    rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
    rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch

    I've searched and searched and can't find these anywhere, but I did find a lot of forum posts from others with the same problem. Does anyone have a solution for this?
     
  9. hekri

    hekri Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    149
    Likes Received:
    2
    Trophy Points:
    18
    I installed Ksplice on 6 servers and apply patch :)
     
  10. xuser

    xuser Member

    Joined:
    Jun 21, 2007
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Did you first checked if your system is not compromised?
     
  11. hekri

    hekri Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    149
    Likes Received:
    2
    Trophy Points:
    18
  12. rligg

    rligg Well-Known Member

    Joined:
    Sep 16, 2003
    Messages:
    277
    Likes Received:
    0
    Trophy Points:
    16
    Where are the patches that keep 32bit intact?
     
  13. mtbwacko

    mtbwacko Well-Known Member

    Joined:
    Nov 30, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    I also checked to make sure the server was clean and it was, but I still can't install Ksplice due to:

    error: Failed dependencies:
    rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
    rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch

    I have an email in to Ksplice but they are probably overwhelmed right now with orders and trial downloads. I just hope I can figure this out before the server is hit.
     
  14. servermanaged

    servermanaged Registered

    Joined:
    Sep 20, 2010
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for sharing.
     
  15. rligg

    rligg Well-Known Member

    Joined:
    Sep 16, 2003
    Messages:
    277
    Likes Received:
    0
    Trophy Points:
    16
    Have you found a solution for this?
     
  16. Valuehosted

    Valuehosted Well-Known Member

    Joined:
    Dec 12, 2002
    Messages:
    124
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sweden
    Will installing and running ksplice interfere or cause issues with cPanel?

    I assume not as you are sort of promoting it; just making sure. :)

    Kind Regards,
    Tony
     
  17. onlysim

    onlysim Registered

    Joined:
    Sep 20, 2010
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    What if disable upcp

    Hello,

    Will it be effective if we temporary disable auto update cpanel and apply patch to disable 32bits binaries till official fix released from RH for Centos ?
     
  18. jenlepp

    jenlepp Well-Known Member

    Joined:
    Jul 4, 2005
    Messages:
    116
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Liberty Hill, TX
    cPanel Access Level:
    DataCenter Provider
    I applied this patch, and ever since then, I have had massive problems with MySQL on the servers with crashing, problems restarting, MySQL errors. You name it, I've seen it.

    Does anyone know how to undo this patch? I've been looking, I have my DC's admins looking, and we're all baffled at what we're seeing.
     
  19. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I would think your OS vender will be providing a path forward on this soon enough. Today, the next few days? Not sure. But I would also think you could ask your users not to use frontpage (or let them try to and then tell them when they put in a ticket it's been disabled temporarily) until that fix is available from your vendor. Just thinking out loud here I suppose...

    That (disabling updates) will have no effect on this I don't think.

    If you're having a problem with this, I'm sure cPanel wants to know about it. I suggest a ticket be put in and link them to this thread in the ticket.
     
  20. brulinux

    brulinux Registered

    Joined:
    Sep 7, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
Loading...

Share This Page