Urgent and Important: Security fault



oles@ovh.net
17-09-2010, 19:54
Hello,

IF

you have a dedicated server

AND

it uses Linux

AND

it is 64-bit

THEN

your server is hackable!!!

You NEED to update it!! Do not wait!!!

The exploit providing root is publicly available.

What to do?
------------
You must update the kernel of your server.

How ?
---------
- if you are in "total security":
You have received an email planning a reboot of the server; you have nothing to do.

- If you are in "netboot" / RPS / Cloud:
just reboot your server.

- If you're on "Manual kernel":
you have the new kernels on
ftp://ftp.ovh.net/made-in-ovh/bzImage/
It is the bzImage-2.6.34.6-xxxx

- if you compile:
the sources on kernel.org are vulnerable. They must be patched. Only 2.6.36-RC4 is patched. (To be confirmed, we are quickly checking.)

After setting up the kernel you should see this:
# uname -a
Linux XXXXXXX 2.6.34.6-xxxx-std-ipv6-64 #3 SMP Fri Sep 17
              ^^^^^^^^

We must see 2.6.34.6.

PS. Now there is only one kernel (IPv4 + IPv6), called bzImage-xxxx-ipv6-xxxx.

Detail:
-------

A security flaw (CVE-2010-3301) allowing root privileges to be obtained locally has been (re)discovered in the 32-bit emulation on 64-bit systems.

All 64-bit kernels since 2.6.27 are vulnerable.

For the history: the flaw had been fixed in 2007 in 2.6.22.7 (CVE-2007-4573), but a regression occurred in 2008.

[explanations and exploit: http://sota.gen.nz/compat2/]

All the best,
Octave
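As an added example (not part of Octave's post or of any OVH tooling), the check below classifies a `uname -r` / `uname -m` pair against the version ranges the post gives: 64-bit kernels from 2.6.27 up to the fixed OVH build 2.6.34.6, plus the pre-2.6.22.7 kernels of the original CVE-2007-4573. The function names and the four status labels are my own; the `2.6.34.6-xxxx` release prefix is the one the post's `uname -a` output shows.

```shell
#!/bin/sh
# Added example, not from the OVH post: classify a kernel against the
# CVE-2010-3301 version window stated in the post. Input is the text of
# `uname -r` and `uname -m`, e.g. "2.6.34.6-xxxx-std-ipv6-64" and "x86_64".

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions; anything
# after the first "-" (e.g. "-xxxx-std-ipv6-64", "-rc4", "-5-amd64") is ignored.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/-.*/, "", a); sub(/-.*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing component counts as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# cve_2010_3301_status RELEASE MACHINE prints one of:
#   not-64bit       32-bit kernel; the flaw is in the 64-bit compat layer
#   patched-ovh     the 2.6.34.6-xxxx build the post tells you to boot
#   vulnerable      inside the post's affected ranges: update and reboot
#   check-advisory  outside those ranges (e.g. 2.6.35+, or 2.6.23 to 2.6.26);
#                   the post gives no fixed version for these branches
cve_2010_3301_status() {
    rel=$1; mach=$2
    case "$mach" in
        x86_64|amd64) ;;
        *) echo not-64bit; return ;;
    esac
    case "$rel" in
        2.6.34.6-xxxx*) echo patched-ovh; return ;;
    esac
    if [ "$(vercmp "$rel" 2.6.22.7)" -lt 0 ]; then
        echo vulnerable; return          # CVE-2007-4573 era, before the 2007 fix
    fi
    if [ "$(vercmp "$rel" 2.6.27)" -ge 0 ] && [ "$(vercmp "$rel" 2.6.34.6)" -lt 0 ]; then
        echo vulnerable; return          # 2008 regression, CVE-2010-3301
    fi
    echo check-advisory
}

# Typical use on the box itself:
#   cve_2010_3301_status "$(uname -r)" "$(uname -m)"
```

Distribution kernels that backport fixes (CentOS's 2.6.18-based kernel, Debian's 2.6.32) are flagged by version alone, so read "vulnerable" as "verify against the vendor advisory" rather than as proof the fix is missing.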

MicroChip123
17-09-2010, 20:03
That makes no sense. Can I have the proper translation?

raidensnake
17-09-2010, 21:28
Even though mine isn't Linux, a friend wants to know if it affects CentOS 5.5 users?

slacker
17-09-2010, 21:41
2.6.34-RC4 is NOT patched!
The fix was committed on September 14th, two days after -rc4 had been released.

makno
17-09-2010, 22:11
This type of message should be posted in English, at least on the English forum. Let's try to refresh my school-year French and understand if I might be in trouble or not :\

LawsHosting
18-09-2010, 00:11
So 32-bit kernels are OK by the looks of it? Yes, yes, I still use 32-bit... Bite me!

Myatu
18-09-2010, 00:39
Even though mine isn't Linux, a friend wants to know if it affects CentOS 5.5 users?

Any 64-bit kernel including and after 2.6.27 *and* those before 2.6.22. I'd definitely upgrade to the latest kernel, as it's quite easy to exploit this bug.

mks
18-09-2010, 01:58
How do I update the kernel?

Myatu
18-09-2010, 11:55
2.6.34-RC4 is NOT patched!
The fix was committed on September 14th, two days after -rc4 had been released.

Nice catch, you're right :D

For those who compile the kernel, you can patch the source yourself though: http://www.kernel.org/diff/diffview.cgi?file=/pub/linux/kernel//v2.6/snapshots/patch-2.6.36-rc4-git4.bz2;z=31

Hopefully OVH noticed this as well ;)

Myatu
18-09-2010, 11:57
How do I update the kernel?

If you use one of OVH's distros - with the exception of the virtualisation packages (i.e., Proxmox, VMWare, etc.) - then you can use the Netboot option to select one of OVH's updated kernels (Manager -> Dedicated Server -> Netboot) and then do a hard reboot after making that change.

Tipika
29-10-2010, 17:58
If I have Proxmox, how do I update the kernel?

The last time I tried to upgrade Proxmox, I rendered my server unbootable :(

yonatan
30-10-2010, 02:13
If I have Proxmox, how do I update the kernel?

The last time I tried to upgrade Proxmox, I rendered my server unbootable :(

http://pve.proxmox.com/wiki/Proxmox_VE_Kernel#Kernel_2.6.35

Tipika
02-11-2010, 09:32
Is kernel 2.6.35 patched?

Neil
02-11-2010, 10:47
Is kernel 2.6.35 patched?

It depends: the vulnerability was in 2.6.30 through to 2.6.36-rc8, but our netboot kernels have been patched, so we recommend you use them.

Tipika
02-11-2010, 11:43
Anyway, how does this exploit work?
Without any user interaction "à la Windows", or does it need a user or an Apache exploit to be run?

Razakel
02-11-2010, 12:16
Anyway, how does this exploit work?
Without any user interaction "à la Windows", or does it need a user or an Apache exploit to be run?

I think it needs a user, but that user doesn't need to be privileged. Or a remote execution exploit will do it.

It's a serious enough vulnerability that you should update regardless.

yonatan
02-11-2010, 18:49
Is kernel 2.6.35 patched?

Yes, this version used by Proxmox is patched,
but it lacks OpenVZ support,
so it's only for you if you use KVM only.

Tipika
08-11-2010, 20:03
I tried that guide, but it looks like it is going to upgrade to 1.6.
Due to changes made by OVH on the softraid, I am scared to upgrade.

Anyone tried?

yonatan
08-11-2010, 20:57
I am running 1.6 with no issues.

Tipika
08-11-2010, 23:47
You mean that you upgraded without any problems?

AdamD
16-11-2010, 11:45
So if we're currently booting from a preinstalled GRS OVH kernel, from the hard drive, we can simply switch to a netboot kernel and carry on as normal? Or do we have to update the kernel on the server itself?

I'm a little confused, it sounds as if the servers can be booted from the network, so we don't have to worry about kernel updates? Is that right?

fozl
16-11-2010, 12:43
Yes, selecting a Netboot kernel and rebooting is OK.

AdamD
19-11-2010, 11:41
Thanks Fozl :)