Patch your kernels dammit

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,747
"Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this. CVE-2010-3081, this week's second high-profile local root exploit in the Linux kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and 'Ac1db1tch3z' (classy) published code to let any local user get a root shell. Ac1db1tch3z's exploit is more malicious than usual because it leaves a backdoor behind for itself to exploit later even if the hole is patched. Luckily, there's a tool you can run to see if you've already been exploited, courtesy of security company Ksplice, which beat most of the Linux vendors with a 'rebootless' version of the patch."

http://linux.slashdot.org/story/10/09/20/0217204/Linux-Kernel-Exploit-Busily-Rooting-64-Bit-Machines

I updated all my kernels yesterday, but I can see a lot of people not updating. This is a pretty serious flaw.

Had a long day yesterday, spent the day sorting out the gAySP vulnerability and updating kernels. Loads of issues :/
 

MyWorld

Executive Member
Joined
Mar 24, 2004
Messages
5,001
Information is very sketchy on which kernels are vulnerable:
This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others. A few vendors have released kernels that fix the vulnerability if you reboot, but other vendors, including Red Hat, are still working on releasing an updated kernel.

The only way to know if your kernel is patched is to run the following script from ksplice:
Code:
wget -N https://www.ksplice.com/support/diagnose-2010-3081
chmod +x diagnose-2010-3081
./diagnose-2010-3081
If your kernel is patched you will get this message:
Code:
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.35-ARCH
!!! Could not find symbol: per_cpu__current_task

A symbol required by the published exploit for CVE-2010-3081 is not
provided by your kernel.  The exploit would not work on your system.

If you are infected, then you need to read up on the ksplice site:
https://www.ksplice.com/uptrack/cve-2010-3081.ssi.xhtml
 

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,747
Information is very sketchy on which kernels are vulnerable:


The only way to know if your kernel is patched is to run the following script from ksplice:
Code:
wget -N https://www.ksplice.com/support/diagnose-2010-3081
chmod +x diagnose-2010-3081
./diagnose-2010-3081
If your kernel is patched you will get this message:
Code:
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.35-ARCH
!!! Could not find symbol: per_cpu__current_task

A symbol required by the published exploit for CVE-2010-3081 is not
provided by your kernel.  The exploit would not work on your system.

If you are infected, then you need to read up on the ksplice site:
https://www.ksplice.com/uptrack/cve-2010-3081.ssi.xhtml

Ran that script; my result looked nothing like yours:

Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.18-194.11.3.el5
$$$ Backdoor in LSM (1/3): checking...not present.
$$$ Backdoor in timer_list_fops (2/3): not available.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.
 

MyWorld

Executive Member
Joined
Mar 24, 2004
Messages
5,001
Sorry, yes, I should have done a bit more reading: the Arch kernels do not have "per_cpu__current_task" set, hence the message that the exploit will not work on any Arch kernel release, AFAIK.

Your output, however, is the correct and more common output, showing that you are not infected, and now you can go ahead and update the kernel.
 

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,747
Sorry, yes, I should have done a bit more reading: the Arch kernels do not have "per_cpu__current_task" set, hence the message that the exploit will not work on any Arch kernel release, AFAIK.

Your output, however, is the correct and more common output, showing that you are not infected, and now you can go ahead and update the kernel.
Did it last night.

I wish it was that easy where I work - we have A LOT of servers to patch :(
Ouch :D
 

koffiejunkie

Executive Member
Joined
Aug 23, 2004
Messages
9,588

If you were wondering how many, let's just say the script we started this morning to log into each server and verify the running kernel version and things like SAN connectivity (which means it has to be done manually), is still running...
 

ponder

Honorary Master
Joined
Jan 22, 2005
Messages
92,823
If you were wondering how many, let's just say the script we started this morning to log into each server and verify the running kernel ...

Should you not know all that already without having to run a script? Surely in a big organisation everything should be audited and on record for quick access in order to make decisions, etc.
 

MyWorld

Executive Member
Joined
Mar 24, 2004
Messages
5,001
I think he means they need to run the script on every single machine to make sure the current running kernel is not vulnerable?
 

koffiejunkie

Executive Member
Joined
Aug 23, 2004
Messages
9,588
Should you not know all that already without having to run a script? Surely in a big organisation everything should be audited and on record for quick access in order to make decisions, etc.

No, it's not that simple. Our customers have root on their machines, so sometimes there are differences. Some people insist on compiling their own kernels or installing kernels from 3rd parties for whatever reason.

Anyway, looks like we'll be doing a 5-figure number of boxes in the next 24 hours - long day ahead...
 
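Added example (my own script, not the Ksplice tool and not anything MyWorld, w1z4rd or koffiejunkie posted) tying the two things this thread is doing together: classifying the output of Ksplice's diagnose-2010-3081, in the two formats pasted above, and doing koffiejunkie's "log into every box and check the running kernel" loop. Assumptions: the diagnostic tool already sits at ./diagnose-2010-3081 on each host, non-interactive ssh works, GNU sort (for -V) is installed where you run this, and you supply your distro's fixed kernel release yourself; the releases in the samples are the ones quoted in the thread, and the "suspect" sample is constructed, its wording is not the real tool's. The diagnostic is run before the version check on purpose: the backdoors live in memory, so the check is only meaningful on the currently booted kernel, before you reboot into the update.

```shell
#!/bin/sh
# Fleet triage for CVE-2010-3081 (added example, not the Ksplice tool).
# Assumed: ./diagnose-2010-3081 is present on every host, ssh works
# non-interactively, and FIXED_RELEASE is your vendor's fixed kernel for
# that distro (the values used below are placeholders from the thread).

# Classify one run of the diagnostic tool, read on stdin.  A run that
# performed the backdoor checks but did not print the "free from the
# backdoors" verdict is SUSPECT for a human to look at: fail closed.
classify_diag() {
    awk '
        /Backdoor in/                             { checked = 1 }
        /free from the backdoors/                 { clean = 1 }
        /exploit would not work on your system/   { na = 1 }
        END {
            if (checked && !clean) print "SUSPECT"
            else if (clean)        print "CLEAN"
            else if (na)           print "NOT_APPLICABLE"
            else                   print "UNKNOWN"
        }'
}

# version_ge A B: true if release A sorts at or after B ("sort -V", GNU
# coreutils).  Only compare releases of the same distro; 2.6.35-ARCH
# against an el5 string says nothing.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# The only function that touches the network.  -n stops ssh from eating
# the host list on stdin; BatchMode fails fast instead of prompting.
run_on_host() {
    ssh -n -o BatchMode=yes "$1" "$2"
}

# triage_host HOST FIXED_RELEASE -> "host release backdoor-status patch-status"
triage_host() {
    host=$1 fixed=$2
    release=$(run_on_host "$host" 'uname -r')
    backdoor=$(run_on_host "$host" './diagnose-2010-3081' | classify_diag)
    if version_ge "$release" "$fixed"; then patch=patched; else patch=UPDATE; fi
    printf '%s %s %s %s\n' "$host" "$release" "$backdoor" "$patch"
}

# triage_fleet FIXED_RELEASE < hosts.txt   (one hostname per line)
triage_fleet() {
    while read -r host; do
        case $host in '') ;; *) triage_host "$host" "$1" ;; esac
    done
}

# Constructed samples for a dry run: the two outputs quoted in the thread,
# plus a made-up SUSPECT run whose wording is NOT what the real tool prints.
SAMPLE_CLEAN='$$$ Kernel release: 2.6.18-194.11.3.el5
$$$ Backdoor in LSM (1/3): checking...not present.
$$$ Backdoor in timer_list_fops (2/3): not available.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.'
SAMPLE_NA='$$$ Kernel release: 2.6.35-ARCH
!!! Could not find symbol: per_cpu__current_task

A symbol required by the published exploit for CVE-2010-3081 is not
provided by your kernel.  The exploit would not work on your system.'
SAMPLE_SUSPECT='$$$ Kernel release: 2.6.18-194.11.3.el5
$$$ Backdoor in LSM (1/3): checking...present.'
```

Usage: `triage_fleet 2.6.18-194.11.4.el5 < hosts.txt > triage.log`, then grep the log for SUSPECT and UPDATE. Two caveats: the version column only compares the booted release string, so a box patched reboot-free with Ksplice will still show UPDATE (uname -r does not change), and hosts where customers built their own kernels, as koffiejunkie describes, will need the release string read by a human rather than by sort -V.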

hawker

Honorary Master
Joined
Sep 22, 2006
Messages
11,461
No, it's not that simple. Our customers have root on their machines, so sometimes there are differences. Some people insist on compiling their own kernels or installing kernels from 3rd parties for whatever reason.

Anyway, looks like we'll be doing a 5-figure number of boxes in the next 24 hours - long day ahead...

Good luck man!

Just keeping my 3 PC's in order is a bit of a mission sometimes :D

What versions of *nix are your customers running?
 