14-05-2013, 23:12 #1
Kernel privilege escalation exploitable bug has been discovered in Centos/RedHat Linu
Recebi um e-mail histérico do provedor, que tirou os servidores do ar em seguida. A quem interessar, a vulnerabilidade está descrita no link abaixo.
Reported: 2013-05-14 09:01 EDT by Petr Matousek
Platform: All Linux
Última edição por 5ms; 14-05-2013 às 23:24.
14-05-2013, 23:37 #2
- Data de Ingresso
- Sep 2010
pelas barbas do profeta, não podemos ter 1 dia de paz
15-05-2013, 00:55 #3
Deve ter alguma coisa a ver:
This is in regards to your server, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX meus 4 mil servidores lá XD .
Due to a newly published 0-day kernel exploit, we need to reboot your server to perform an emergency kernel update. This update will provide a patch for the issue in question. Were someone take advantage of this exploit, a local user would be able to get root access to your server. As such, we consider this very critical to fix quicky.
Your server will be rebooted Tuesday, May 14th, 2013 between the hours of 9:00PM and 05:00AM CDT (02:00 - 10:00GMT)). The actual downtime will be roughly 15 minutes.
We deeply apologize for the short notice, but we feel that this vulnerability needs to be addressed immediately to prevent server compromises. If you have any questions or concerns, please feel free to open a helpdesk ticket or email email@example.com
15-05-2013, 01:13 #4
O provedor histérico disse que nodes com virtualização OpenVZ são criticos. XEN supostamente apresenta risco menor, e KVM não sabe dizer ainda.
No momento estou com 2 VPS fora do ar, um XEN e outro KVM, de outros provedores, que sequer avisaram a "manutenção de emergência", se é que não foram dominados pelo lado negro da Força
PS: Voltou um deles (XEN) e saiu mais um (KVM). Os provedores não estão tendo a decência (ou sangue-frio?) de avisar. Pânico?
Última edição por 5ms; 15-05-2013 às 01:23.
15-05-2013, 07:55 #5
Posição final do provedor histérico:
We have completed our emergency maintenance to fix a critical security flaw in the Linux kernel on OpenVZ servers.
As said before, Xen server nodes are not affected and KVM ones, while they do have this problem, it is not exploitable. If we will patch it later, there will be a notice before hand, but at this time it is not urgent.
Please remember to update your KVM and Xen VPSes which use vulnerable kernels. Even if your OS is not vulnerable, please try to update it every time you have the opportunity.
16-05-2013, 11:19 #6
Critical Linux vulnerability imperils users, even after “silent” fixFor more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole.
The severity of the bug, which resides in the Linux kernel's "perf," or performance counters subsystem, didn't become clear until Tuesday, when attack code exploiting the vulnerability became publicly available. The new script can be used to take control of servers operated by many shared Web hosting providers, where dozens or hundreds of people have unprivileged accounts on the same machine. Hackers who already have limited control over a Linux machine—for instance, by exploiting a vulnerability in a desktop browser or a Web application—can also use the bug to escalate their privileges to root. The flaw affects versions of the Linux kernel from 2.6.37 to 3.8.8 that have been compiled with the CONFIG_PERF_EVENTS kernel configuration option.
"Because there's a public exploit already available, an attacker would simply need to download and run this exploit on a target machine," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. "The exploit may not work out-of-the-box on every affected machine, in which case it would require some fairly straightforward tweaks (for someone with exploit development experience) to work properly."
The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles.
Now that a fix is available in the kernel, it will be folded into all of the affected stable kernel releases offered by kernel.org, which maintains the Linux core code. Individual distributions are expected to apply the fix to their kernels and publish security updates in the coming days.
Additional details of the bug are available here, here, here, and here. People running vulnerable machines with untrusted user accounts should check with their distributors to find out when a patch will be available and what steps can be taken in the meantime. One user of a Red Hat Linux distribution posted temporary mitigation steps here, although at time of writing, Ars was unable to confirm that they worked. Readers are encouraged to post other mitigation advice in comments.
16-05-2013, 12:14 #7
- Data de Ingresso
- Sep 2010
já saiu update para CentOS?
16-05-2013, 12:44 #8
17-05-2013, 13:39 #9
- Data de Ingresso
- Nov 2010
Saiu hoje a atualização para o kernel do CentOS no XEN.
17-05-2013, 13:48 #10
Recebi essa madrugada da syslint:
There was a kernel exploit found recently on the linux kernel and a fix for this exploit has already released by the kernel vendors.
Impact : It is a local privilege escalation vulnerability
Affected by the RHEL6/Centos6/Openvz etc,. Kernels . It is not affected in centos 5 series kernel.
Read more about this vulnerability from the following links,
Updates are already available for this kernels .
You may need to upgrade the kernel to 2.6.32-358.6.2 in Centos6/RHEL6 servers and if you are running openvz kenrel please update to 2.6.32-042stab076.8 or higher.