[CentOS] local root exploit

Mon Feb 11 20:43:33 UTC 2008
Ross S. W. Walker <rwalker at medallion.com>

Dag Wieers wrote:
> 
> On Mon, 11 Feb 2008, jarmo wrote:
> 
> > Scott McClanahan wrote in his message (sent Monday, 11 February 2008):
> > > On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
> > > > On Feb 11, 2008 8:19 AM, Scott McClanahan <scott.mcclanahan at trnswrks.com> wrote:
> > > > > On Mon, 2008-02-11 at 04:52 -0800, Michael A. Peters wrote:
> > > > > > Valent Turkovic wrote:
> > > > > > > I saw that there is a local root exploit in the wild.
> > > > > > > http://blog.kagesenshi.org/2008/02/local-root-exploit-on-wild.html
> > > > > > >
> > > > > > > And I see my centos box still has:  2.6.18-53.1.4.el5
> > > > > > >
> > > > > > > yum says there are no updates... am I safe?
> > > > > > >
> > > > > > > Valent.
> > > > > >
> > > > > > The current kernel is 53.1.6.el5
> > > > > >
> > > > > > If yum isn't seeing it - it probably needs to clean its cached
> > > > > > headers.
> > > > > >
> > > > > > try:
> > > > > >
> > > > > > yum clean headers
> > > > > > yum update kernel
> > > > > >
> > > > > > However - the 53.1.6.el5 release also is vulnerable, so you may as
> > > > > > well wait for the exploit to be fixed before updating. I'm guessing
> > > > > > CentOS will do it fairly quickly after RHEL does.
> > > > >
> > > > > I understand that a known root exploit must be patched but I'm curious
> > > > > to know if we upgrade to the fixed kernel once released will it also
> > > > > include the degraded nfs performance discussed here:
> > > > >
> > > > > https://bugzilla.redhat.com/show_bug.cgi?id=431092
> > > >
> > > > We have to wait and see, but my impression is that the nfs fix would
> > > > not be in the updated kernel (I hope I am wrong).  They are talking
> > > > about getting it into 5.2 (even possibly into 5.3).  I can see that
> > > > this is a problem.  Now, we cannot "stay with 53.1.4" on the systems
> > > > where the local root exploit is a serious problem.
> > >
> > > Yes, until now we had no problem stalling on 53.1.4.  I guess we'll have
> > > to test how bad the nfs performance degradation actually is under a
> > > heavy load in our environment.
> >
> > Of course there's a way: get vanilla kernel 2.6.24.2, use the old config,
> > compile it and run. I've done it.
> 
> And *poof* you lost all support or reproducibility that people crave when
> using CentOS or RHEL.
> 
> So yes, it is a possibility, but probably unlikely when people have chosen
> CentOS or RHEL. And especially for those systems that are considered
> production (or important) and that are the most vulnerable you may not
> want to do this. (Or maybe instead you need to!)

Yes, true, but say you are running a shell account system and want to
know it isn't vulnerable, can't wait until upstream provides a fix
and don't want to run some possibly flaky work-around patch, what
then?

I think one needs to weigh the consequences in these scenarios instead
of saying it should be all one way or the other.

-Ross
