Hi all.
Julien Tinnes and Tavis Ormandy from the Google Security Team have recently found a Linux kernel vulnerability which affects all 2.4 and 2.6 kernels since 2001 on all architectures. Please read the announcement on LWN: http://lwn.net/Articles/347006/ for further information about the vulnerability and the exploit which has been provided by Brad Spengler (you will find updates on his twitter site).
The only workaround that is known to me atm is to disable the affected kernel modules (which should be handled with care as some of them may provide necessary functionality in your operating environment):
echo "alias net-pf-3 off # Amateur Radio AX.25
alias net-pf-4 ipx # IPX
alias net-pf-5 off # DDP / AppleTalk
alias net-pf-9 off # X.25
# alias net-pf-10 off # IPv6
alias net-pf-23 off # IrDA
alias net-pf-24 # PPPoE
alias net-pf-31 off # Bluetooth" >> /etc/modprobe.conf
Best Regards Marcus
Marcus Moeller wrote on Fri, 14 Aug 2009 14:24:39 +0200:
> The only workaround that is known to me atm is to disable the affected kernel modules (which should be handled with care as some of them may provide necessary functionality in your operating environment):
If vm.mmap_min_addr is > 0 you are also not affected, at least not by that exploit.
http://www.h-online.com/security/Critical-vulnerability-in-the-Linux-kernel-affects-all-versions-since-2001--/news/114004
CentOS 5 has it set to 65536 by default. CentOS 4 should be vulnerable.
Kai
Have you tried the exploit on CentOS 5?
http://grsecurity.net/~spender/wunderbar_emporium.tgz
I only have access to a Fedora 9 machine right now and the exploit is working with all the modules from the first mail disabled in modprobe.conf
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 i386 GNU/Linux
[root@localhost ~]# cat /proc/sys/vm/mmap_min_addr
65536
Regards,
Radu
Hi again,
>> The only workaround that is known to me atm is to disable the affected kernel modules (which should be handled with care as some of them may provide necessary functionality in your operating environment):
> If vm.mmap_min_addr is > 0 you are also not affected, at least not by that exploit.
> http://www.h-online.com/security/Critical-vulnerability-in-the-Linux-kernel-affects-all-versions-since-2001--/news/114004
> CentOS 5 has it set to 65536 by default. CentOS 4 should be vulnerable.
Please note that there is a problem with the SELinux policy shipped in RHEL5, which by default will let anyone mmap at NULL!
Best Regards Marcus
On Friday 14 August 2009, Kai Schaetzl wrote:
> Marcus Moeller wrote on Fri, 14 Aug 2009 14:24:39 +0200:
>> The only workaround that is known to me atm is to disable the affected kernel modules (which should be handled with care as some of them may provide necessary functionality in your operating environment):
> If vm.mmap_min_addr is > 0 you are also not affected, at least not by that exploit.
...Unless you have selinux enabled in any way (including permissive) since in this case selinux overrides the kernel setting and makes vm.mmap_min_addr==0.
/Peter
> http://www.h-online.com/security/Critical-vulnerability-in-the-Linux-kernel-affects-all-versions-since-2001--/news/114004
> CentOS 5 has it set to 65536 by default. CentOS 4 should be vulnerable.
> Kai
Hi again.
> alias net-pf-24 # PPPoE
Sorry, typo in pf-24.
grep -q '^alias net-pf-3 off' /etc/modprobe.conf || \
  echo 'alias net-pf-3 off' >> /etc/modprobe.conf
grep -q '^alias net-pf-4 off' /etc/modprobe.conf || \
  echo 'alias net-pf-4 off' >> /etc/modprobe.conf
grep -q '^alias net-pf-5 off' /etc/modprobe.conf || \
  echo 'alias net-pf-5 off' >> /etc/modprobe.conf
grep -q '^alias net-pf-9 off' /etc/modprobe.conf || \
  echo 'alias net-pf-9 off' >> /etc/modprobe.conf
grep -q '^alias net-pf-10 off' /etc/modprobe.conf || \
  echo 'alias net-pf-10 off' >> /etc/modprobe.conf
grep -q '^alias net-pf-23 off' /etc/modprobe.conf || \
  echo 'alias net-pf-23 off' >> /etc/modprobe.conf
grep -q '^alias net-pf-24 off' /etc/modprobe.conf || \
  echo 'alias net-pf-24 off' >> /etc/modprobe.conf
grep -q '^alias net-pf-31 off' /etc/modprobe.conf || \
  echo 'alias net-pf-31 off' >> /etc/modprobe.conf
Best Regards Marcus
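An added example, not part of the thread: a POSIX shell audit of the two mitigations discussed above, the `alias net-pf-N off` entries and vm.mmap_min_addr, including the SELinux case the posters describe. The function names, status labels and the `--audit` switch are made up for this example; a missing `getenforce` is assumed to mean SELinux is disabled.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two mitigations discussed here.

# Protocol families from the corrected workaround in this thread.
FAMILIES="3 4 5 9 10 23 24 31"

# List families NOT disabled by an active "alias net-pf-N off" line.
# Commented-out lines and aliases pointing anywhere but "off" count as missing.
missing_aliases() {
    conf=$1
    out=""
    for n in $FAMILIES; do
        grep -Eq "^alias[[:space:]]+net-pf-$n[[:space:]]+off([[:space:]]|#|\$)" \
            "$conf" 2>/dev/null || out="$out $n"
    done
    echo "${out# }"
}

# Classify NULL-page mapping protection.
#   $1: contents of /proc/sys/vm/mmap_min_addr (empty if the file is absent)
#   $2: SELinux mode as printed by getenforce
mmap_status() {
    case $1 in
        '')       echo "unprotected"; return ;;  # no such sysctl on this kernel
        *[!0-9]*) echo "unknown"; return ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "unprotected"
    elif [ "$2" = "Enforcing" ] || [ "$2" = "Permissive" ]; then
        # Posters in this thread report that the RHEL 5 SELinux policy
        # overrides the sysctl, so a non-zero value alone proves nothing.
        echo "check-selinux-policy"
    else
        echo "protected"
    fi
}

# Run both checks against the live system: ./audit.sh --audit [modprobe.conf]
audit() {
    min=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || true)
    mode=$(getenforce 2>/dev/null || echo Disabled)  # assumption: absent = disabled
    echo "mmap_min_addr=${min:-absent} selinux=$mode -> $(mmap_status "$min" "$mode")"
    echo "families not disabled: $(missing_aliases "${1:-/etc/modprobe.conf}")"
}

if [ "${1:-}" = "--audit" ]; then audit "${2:-}"; fi
```

Run against a file written by the first `echo` in this thread, `missing_aliases` reports families 4 and 24, the two entries that were not set to `off`.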
On Fri, Aug 14, 2009 at 8:15 AM, Akemi Yagi amyagi@gmail.com wrote:
> Upstream bugzilla to follow:
Just a note to say that the issue is also being tracked in the CentOS forums:
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=21740&forum=4...
So, if you have additional info, I would appreciate your posting it there as well.
Akemi
There is a very large issue with all people running VPS machines that are waiting for upgrades.
On Fri, Aug 14, 2009 at 2:44 PM, Akemi Yagi amyagi@gmail.com wrote:
> On Fri, Aug 14, 2009 at 8:15 AM, Akemi Yagi amyagi@gmail.com wrote:
>> Upstream bugzilla to follow:
> Just a note to say that the issue is also being tracked in the CentOS forums:
> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=21740&forum=4...
> So, if you have additional info, I would appreciate your posting it there as well.
> Akemi
> There is a very large issue with all people running VPS machines that are waiting for upgrades.
Why are VPS's any more affected than bare-metal machines?
It will be greatly ironic if Redhat release the fix after they release 5.4, or as part of 5.4. I will try not to say I told you so.
James Matthews wrote:
> There is a very large issue with all people running VPS machines that are waiting for upgrades.
Looks like, at least for openvz, virtualized machines are safe