Scientific Linux Forum.org




Zero day on CentOS, News of a zero day on 2.6.38 - 3.8.9
unkilbeeg
 Posted: May 14 2013, 07:00 PM
There has apparently been a zero day released to which kernels 2.6.38 - 3.8.9 are vulnerable. More to the point, that bug has been backported to CentOS 2.6.32 and thus CentOS is also vulnerable.

It's a privilege escalation bug.

Is Scientific Linux also at risk?
tux99
 Posted: May 14 2013, 08:44 PM
Yes, since SL is 99.9% compatible with RHEL and CentOS, I expect that it's affected too.

That said, it's only a local exploit, so on most systems it's not critical; it's only critical on multi-user systems where untrusted users have shell access or are able to run commands in some other way.

Here is the related RHEL bug-report:
https://bugzilla.redhat.com/show_bug.cgi?id=962792


--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
redman
 Posted: May 15 2013, 08:40 AM
QUOTE (tux99 @ May 14 2013, 10:44 PM)
... where untrusted users have shell access or are able to run commands in some other way.

Regardless of the exploit, any system where non-admins have shell access is bad.
Indeed, as tux99 said, nothing to worry about on single-user systems at home ;)

--------------------
"Sometimes the best helping hand you can give is a good, firm push."
unkilbeeg
 Posted: May 15 2013, 08:09 PM
QUOTE (redman @ May 15 2013, 12:40 AM)
QUOTE (tux99 @ May 14 2013, 10:44 PM)
... where untrusted users have shell access or are able to run commands in some other way.

Regardless of the exploit, any system where non-admins have shell access is bad.
Indeed, as tux99 said, nothing to worry about on single-user systems at home ;)


Well, for better or for worse, I have a couple of SL6 systems that students have accounts on. Can't really kick them off -- the purpose for those machines is for students to have accounts on them.

It's a small number of students, no more than a dozen or so. My main server has hundreds, but it's an old enough Debian that this exploit, anyway, isn't a risk.
joka
 Posted: May 15 2013, 09:33 PM
QUOTE (unkilbeeg @ May 14 2013, 08:00 PM)
There has apparently been a zero day released to which kernels 2.6.38 - 3.8.9 are vulnerable.  More to the point, that bug has been backported to CentOS 2.6.32 and thus CentOS is also vulnerable.

It's a privilege escalation bug.

Is Scientific Linux also at risk?

Yes, of course. You have pointed to the exploit; it's very simple to try it out.
On my system the exploit is working.

The discussion in the CentOS forum points to some quick workarounds.

IMHO these kinds of kernel bugs are the most critical ones, because the exploit can bypass any security mechanism (DAC and MAC/SELinux). In combination with other potential vulnerabilities (e.g. browser, web server, CMS), this opens the system to any attacker, who could install any malware, including rootkits.
toracat
 Posted: May 16 2013, 07:26 AM
QUOTE

The discussion in the CentOS forum points to some quick workarounds.

IMHO these kinds of kernel bugs are the most critical ones, because the exploit can bypass any security mechanism (DAC and MAC/SELinux). In combination with other potential vulnerabilities (e.g. browser, web server, CMS), this opens the system to any attacker, who could install any malware, including rootkits.

As referenced in that CentOS forum thread, ELRepo's kmod-tpe effectively blocks the known exploit. A short description of the kmod-tpe kernel module is:

QUOTE

This package provides the tpe kernel module. Trusted Path Execution (TPE) is a security feature that denies users from executing programs that are not owned by root, or are writable. This closes the door on a whole category of exploits where a malicious user tries to execute his or her own code to hack the system. Since this kernel module does not use any kind of ACLs, it works out of the box with no configuration.

--------------------
ELRepo: repository specializing in hardware support for EL
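To make the quoted rule concrete, here is an added example (not from the thread and not ELRepo's kmod-tpe code): a POSIX shell script that applies only the rule the description states, root ownership and no group/other write bit, to files on a host, so an admin can list which executables the module would refuse before loading it. The function names tpe_policy, tpe_check and tpe_scan are my own, and the real module has its own configuration and checks beyond this.

```shell
#!/bin/sh
# Added example: model the Trusted Path Execution rule as described above
# (execute only if the file is owned by root and not group/other writable).
# This is an illustration of the stated rule, not the kmod-tpe implementation.

# tpe_policy UID PERMS -> returns 0 (allow) or 1 (deny) and prints the reason.
# PERMS is an ls-style mode string such as -rwxr-xr-x.
tpe_policy() {
    uid=$1
    perms=$2
    if [ "$uid" != 0 ]; then
        printf 'deny: not owned by root (uid %s)\n' "$uid"
        return 1
    fi
    # character 6 is the group write bit, character 9 the other write bit
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        printf 'deny: writable by group or others (%s)\n' "$perms"
        return 1
    fi
    printf 'allow\n'
    return 0
}

# tpe_check PATH -> applies the rule to a real file. -L follows symlinks so the
# target is judged, not the link; -n gives numeric ids so the owner is a uid.
tpe_check() {
    set -- $(ls -ldLn "$1")
    tpe_policy "$3" "$1"
}

# tpe_scan DIR -> lists executables (owner-exec bit set) under DIR that the
# rule would refuse, i.e. what users would lose if the module were loaded.
tpe_scan() {
    find "$1" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
        if ! tpe_check "$f" >/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: scan the directory given as the first argument.
tpe_scan "${1:-/usr/local/bin}"
```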
tux99
 Posted: May 16 2013, 05:05 PM
Red Hat has released the fixed kernel package (kernel-2.6.32-358.6.2.el6):
https://rhn.redhat.com/errata/RHSA-2013-0830.html

I guess CentOS and SL will follow very soon.

--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
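As an added example (not from the thread), a POSIX shell check that tells whether a running EL6 kernel is at or above the fixed build named above, kernel-2.6.32-358.6.2.el6. The function names are mine and the release strings in the comments are constructed samples; it compares the running kernel (uname -r), since an installed RPM does nothing until the machine is rebooted into it.

```shell
#!/bin/sh
# Added example: is the running kernel at or above the fixed EL6 build?
FIXED_KERNEL="2.6.32-358.6.2.el6"

# kver_cmp A B -> prints -1, 0 or 1 when A is older than, equal to or newer
# than B. Strips ".elN" and the arch suffix, turns the version-release dash
# into a dot and drops anything non-numeric, then compares field by field,
# so 2.6.32-358.6.1.el6.x86_64 < 2.6.32-358.6.2.el6 < 2.6.32-358.11.1.el6.
kver_cmp() {
    a=$(printf '%s' "$1" | sed -e 's/\.el[0-9].*$//' -e 's/-/./' -e 's/[^0-9.]//g')
    b=$(printf '%s' "$2" | sed -e 's/\.el[0-9].*$//' -e 's/-/./' -e 's/[^0-9.]//g')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            printf '0\n'
            return
        fi
        # a missing trailing field (e.g. 2.6.32-358.el6) counts as 0
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then
            printf -- '-1\n'
            return
        fi
        if [ "$x" -gt "$y" ]; then
            printf '1\n'
            return
        fi
        i=$((i + 1))
    done
}

# kernel_is_fixed RELEASE -> true (0) when RELEASE is at or above FIXED_KERNEL.
kernel_is_fixed() {
    [ "$(kver_cmp "$1" "$FIXED_KERNEL")" -ge 0 ]
}

# Stand-alone use: report on the kernel that is actually running.
if kernel_is_fixed "$(uname -r)"; then
    printf 'running kernel %s is at or above %s\n' "$(uname -r)" "$FIXED_KERNEL"
else
    printf 'running kernel %s predates %s: update and reboot\n' "$(uname -r)" "$FIXED_KERNEL"
fi
```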
joka
 Posted: May 16 2013, 08:07 PM
QUOTE (tux99 @ May 16 2013, 06:05 PM)
Red Hat has released the fixed kernel package (kernel-2.6.32-358.6.2.el6):
https://rhn.redhat.com/errata/RHSA-2013-0830.html

I guess CentOS and SL will follow very soon.

One minute after your post (18:06), SL released the kernel update.
It is already installed on my Macbook :rolleyes:
redman
 Posted: May 17 2013, 10:42 AM
QUOTE (unkilbeeg @ May 15 2013, 10:09 PM)
Well, for better or for worse, I have a couple of SL6 systems that students have accounts on. Can't really kick them off -- the purpose for those machines is for students to have accounts on them.

Your situation is an exception, of course ;)

--------------------
"Sometimes the best helping hand you can give is a good, firm push."