Urgent and Important: Security flaw
oles@ovh.net
17-09-2010, 17:54
Hello,
IF
you have a dedicated server
AND
it uses Linux
AND
it is 64-bit
THEN
your server is hackable!!!
You NEED to update it!! Do not wait!!!
The exploit providing root is publicly available.
What to do?
------------
You must update the kernel of your server.
How ?
---------
- if you are in "total security":
You have received an email planning a reboot of the server; you have nothing to do.
- If you are in "netboot" / RPS / Cloud:
just reboot your server.
- If you're "Manual kernel":
you have the new kernels at
ftp://ftp.ovh.net/made-in-ovh/bzImage/
It is bzImage-2.6.34.6-xxxx
- if you compile:
the sources on kernel.org are vulnerable. They must be patched. Only 2.6.36-RC4 is patched. (To be confirmed; we are checking quickly.)
After setting up the kernel you should see this:
# uname -a
Linux XXXXXXX 2.6.34.6-xxxx-std-ipv6-64 #3 SMP Fri Sep 17
^^^^^^^^
You must see 2.6.34.6.
PS. There is now only one kernel (IPv4 + IPv6), called bzImage-xxxx-ipv6-xxxx.
Detail:
-------
A security flaw (CVE-2010-3301) allowing local root privileges to be obtained has been (re)discovered in the 32-bit emulation on 64-bit systems.
All 64-bit kernels since 2.6.27 are vulnerable.
For the history: the flaw had been fixed in 2007 in 2.6.22.7 (CVE-2007-4573), but a regression occurred in 2008.
[explanation and exploit: http://sota.gen.nz/compat2/]
All the best,
Octave
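The advisory above boils down to a version check: 64-bit only, affected from 2.6.27, OVH's own patched build identified by its 2.6.34.6-xxxx release string. The following added example (not OVH's tooling, and not from the original post) turns those boundaries into a small POSIX shell classifier you can run on a host. The function names kver_key and cve_2010_3301_status are my own; the "2.6.36-rc5 or later is fixed upstream" boundary is an assumption taken from the reply in this thread that the fix was committed two days after -rc4. It only reads version numbers, so a distribution kernel with a backported fix (the CentOS 5.5 question raised further down) cannot be classified correctly by this or any other version-string check.

```shell
#!/bin/sh
# Added example (not OVH's tooling): classify a kernel against the version
# boundaries stated in the thread for CVE-2010-3301.
#   - CVE-2007-4573 variant: 64-bit kernels before 2.6.22.7
#   - regression (CVE-2010-3301): 64-bit kernels from 2.6.27 onward
#   - OVH's patched build: the 2.6.34.6-xxxx release string from the post
#   - upstream fix after 2.6.36-rc4, i.e. 2.6.36-rc5 or later (assumption
#     derived from the "committed September 14th" reply in the thread)
# Version numbers only: vendor backports are invisible to this check.

# kver_key: map a release string such as "2.6.34.6-xxxx-std-ipv6-64" or
# "2.6.36-rc4" to one integer that orders the way kernel versions do
# (an -rcN sorts below the final release of the same version).
kver_key() {
    r=$1
    base=${r%%-*}              # numeric part: 2.6.34.6
    rest=${r#"$base"}          # -xxxx-std-ipv6-64, -rc4, or empty
    rest=${rest#-}
    tag=${rest%%-*}            # xxxx, rc4, or empty
    rc=999                     # final release sorts above any rc
    case $tag in
        rc[0-9]*) rc=${tag#rc} ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $base               # split "2.6.34.6" into 2 6 34 6
    IFS=$oldifs
    a=${1:-0}; b=${2:-0}; c=${3:-0}; d=${4:-0}
    echo $(( (((a * 1000 + b) * 1000 + c) * 1000 + d) * 1000 + rc ))
}

# cve_2010_3301_status RELEASE MACHINE
# Prints one of: not-affected, vulnerable-cve-2007-4573, vulnerable,
# patched-ovh, patched-upstream.
cve_2010_3301_status() {
    rel=$1; machine=$2
    case $machine in
        x86_64) ;;
        *) echo not-affected; return ;;   # bug lives in 32-bit emulation on 64-bit
    esac
    key=$(kver_key "$rel")
    if [ $(( key < $(kver_key 2.6.22.7) )) -ne 0 ]; then
        echo vulnerable-cve-2007-4573; return
    fi
    if [ $(( key < $(kver_key 2.6.27) )) -ne 0 ]; then
        echo not-affected; return     # between the 2007 fix and the 2008 regression
    fi
    case $rel in
        2.6.34.6-xxxx*) echo patched-ovh; return ;;   # OVH made-in-ovh bzImage
    esac
    if [ $(( key >= $(kver_key 2.6.36-rc5) )) -ne 0 ]; then
        echo patched-upstream; return
    fi
    echo vulnerable
}

# Usage on the host being checked:
echo "$(uname -r) $(uname -m): $(cve_2010_3301_status "$(uname -r)" "$(uname -m)")"
```

Note what the thread's own example shows: an upstream 2.6.34.6 classifies as vulnerable, while OVH's build of the same version is patched and is recognisable only by its -xxxx suffix. The version number alone does not prove a fix is present; boot a kernel you know carries the patch, or apply the patch yourself when compiling.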
MicroChip123
17-09-2010, 18:03
Hello
IF
you have a dedicated server
AND
it runs on Linux
AND
it is 64-bit
THEN
your server is hackable!
You NEED to update it! Do not wait!
The exploit, which provides root, is publicly
available.
What to do?
------------
You must update the kernel of your server.
How?
---------
- If you are in "total security":
you received an email about the planned reboot of the
server; you have nothing to do
- If you are "netboot" / RPS / Cloud:
just reboot your server.
- If you're "Manual kernel":
you have the new kernels at
ftp://ftp.ovh.net/made-in-ovh/bzImage/
it is bzImage-2.6.34.6-xxxx
- If you compile:
the kernel.org sources are vulnerable. They must be
patched. Only 2.6.36-RC4 is patched. (To be confirmed,
we are checking quickly.)
After setting up the kernel you should see this:
# uname -a
Linux XXXXXXX 2.6.34.6-xxxx-std-ipv6-64 #3 SMP Fri September 17
^^^^^^^^
You must see 2.6.34.6.
PS. Now there is only one kernel (IPv4 + IPv6)
named bzImage-xxxx-xxxx-ipv6
Details:
-------
A security vulnerability (CVE-2010-3301) to obtain
local root privileges has been (re)discovered
in the 32-bit emulation on 64-bit systems.
All 64-bit kernels since 2.6.27 are vulnerable.
For history, the flaw had been fixed in 2007 in
2.6.22.7 (CVE-2007-4573), but a regression occurred in
2008.
[Explanations and exploit: http://sota.gen.nz/compat2/]
Regards
Octave
That makes no sense. Can I have the proper translation?
raidensnake
17-09-2010, 19:28
Even though mine isn't Linux, a friend wants to know if it affects CentOS 5.5 users?
2.6.36-RC4 is NOT patched!
The fix was committed on September 14th, two days after -rc4 had been released.
This type of message should be posted in English, at least on the English forum. Let me try to refresh my school-year French and understand whether I might be in trouble or not :\
LawsHosting
17-09-2010, 22:11
So 32-bit kernels are OK by the looks of it? Yes, yes, I still use 32-bit... Bite me!
Even though mine isn't Linux, a friend wants to know if it affects CentOS 5.5 users?
Any 64-bit kernel including and after 2.6.27 *and* those before 2.6.22. I'd definitely upgrade to the latest kernel, as it's quite easy to exploit this bug.
How do I update the kernel?
2.6.36-RC4 is NOT patched!
The fix was committed on September 14th, two days after -rc4 had been released.
Nice catch, you're right :D
For those who compile the kernel, you can patch the source yourself though: http://www.kernel.org/diff/diffview.cgi?file=/pub/linux/kernel//v2.6/snapshots/patch-2.6.36-rc4-git4.bz2;z=31
Hopefully OVH noticed this as well ;)
How do I update the kernel?
If you use one of OVH's distros - with the exception of the virtualisation packages (i.e., Proxmox, VMware, etc.) - then you can use the Netboot option to select one of OVH's updated kernels (Manager -> Dedicated Server -> Netboot) and then do a hard reboot after making that change.
If I have Proxmox, how do I update the kernel?
The last time I tried to upgrade Proxmox, I rendered my server unbootable :(
If I have Proxmox, how do I update the kernel?
The last time I tried to upgrade Proxmox, I rendered my server unbootable :(
http://pve.proxmox.com/wiki/Proxmox_VE_Kernel#Kernel_2.6.35
Is the kernel 2.6.35 patched?
Is the kernel 2.6.35 patched?
Depends, the vulnerability was in 2.6.30 through to 2.6.36-rc8, but our netboot kernels have been patched so we recommend you use them.
Anyway, how does this exploit work?
Without any user interaction "à la Windows", or does it need a user or an Apache exploit to be run?
Anyway, how does this exploit work?
Without any user interaction "à la Windows", or does it need a user or an Apache exploit to be run?
I think it needs a user, but that user doesn't need to be privileged. Or a remote execution exploit will do it.
It's a serious enough vulnerability that you should update regardless.
Is the kernel 2.6.35 patched?
Yes, this version used by Proxmox is patched.
But it lacks OpenVZ support,
so it's only for you if you use KVM only.
I tried that guide, but it looks like it is going to upgrade to 1.6.
Due to changes made by OVH on the softraid, I am scared to upgrade.
Anyone tried?
I am running 1.6 with no issues.
You mean that you upgraded without any problems?
So if we're currently booting from a preinstalled GRS OVH kernel, from the harddrive, we can simply switch to a netboot kernel and carry on as normal? Or do we have to update the kernel on the server itself?
I'm a little confused, it sounds as if the servers can be booted from the network, so we don't have to worry about kernel updates? Is that right?
Yes, selecting a Netboot kernel and rebooting is enough.