Urgent and Important: Security fault

Thanks Fozl

Yes, select a Netboot kernel and reboot is ok.

So if we're currently booting from a preinstalled GRS OVH kernel, from the harddrive, we can simply switch to a netboot kernel and carry on as normal? Or do we have to update the kernel on the server itself?

I'm a little confused, it sounds as if the servers can be booted from the network, so we don't have to worry about kernel updates? Is that right?

You mean that you upgraded without any problems?

I am running 1.6 with no issues.

I tried that guide, but it looks like is going to upgrade to 1.6
Due to changes made by ovh on the softraid, i am scared to upgrade

Anyone tried?

Yes, this version used by proxmox is patched.
but it lacks openVZ support.
so only if you use KVM only its for you.

I think it needs a user, but that user doesn't need to be privileged. Or a remote execution exploit will do it.

It's a serious enough vulnerability that you should update regardless.

Anyway, how this exploit works?
Without any user interaction "à la windows", or it needs an user or apache exploit to be run?

Depends, the vulnerability was in 2.6.30 through to 2.6.36-rc8, but our netboot kernels have been patched so we recommend you use them.

the kernel 2.6.35 is patched?

If i have proxmox, how to update the kernel?

The last time i tried to upgrade proxmox, i rendered my server unbootable

If you use one of OVH's distro's - with the exception of the virtualisation packages (ie., Proxmox, VMWare, etc) - then you can use the Netboot option to select one of OVH's updated kernels (Manager -> Dedicated Server -> Netboot) and then do a hard-reboot after making that change.

Nice catch, you're right

For those who compile the kernel, you can patch the source yourself though: http://www.kernel.org/diff/diffview....-git4.bz2;z=31

Hopefully OVH noticed this as well

How do I update the kernal?

Any 64-bit kernel including and after 2.6.27 *and* those before 2.6.22. I'd definitely upgrade to the latest kernel, as it's quite easy to exploit this bug.

So 32bit kernals are ok by the looks of it? Yes, yes, I still use 32bit... Bite me!

this type of message should be posted in english at least on the english forum, let's try to refresh my school year french and understand if i might be ion trouble or not :\

2.6.34-RC4 is NOT patched!
The fix was commited on September 14th, two days after -rc4 had been released.

even though mine isn't linux a friend wants to know if it affects centos 5.5 users?

That makes no sense can i have the proper translation

Hello,

IF

you have a dedicated server

AND

it uses Linux

AND

it is 64-bit

THEN

your server is hackable !!!

You NEED to update it!! Do not wait!!!

The exploit providing the root is publicly available.

What to do?
------------
You must update the kernel of your server.

How ?
---------
- if you are in "total security":
You have received an email planning a reboot of the server, you have nothing to do

- If you are in "netboot" / RPS / Cloud:
just reboot your server.

- If you're "Manual kernel":
you have the new kernels on
ftp://ftp.ovh.net/made-in-ovh/bzImage/
It is the bzImage-2.6.34.6-xxxx

- if you compile:
the sources on kernel.org are vulnerable. It must be patched. Only 2.6.36-RC4 is patched. (To be confirmed, we are quickly checking).

After setting up the kernel you should see this:
#*uname -a
Linux XXXXXXX 2.6.34.6-xxxx-std-ipv6-64 #3 SMP Fri Sep 17
^^^^^^^^

We must see 2.6.34.6.

PS. Now there is only one kernel (IPv4 + IPv6) called bzImage-xxxx-ipv6-xxxx

Detail:
-------

to obtain local root privileges just

A security fault (CVE-2010-3301) allowing the obtaining locally of root privileges to be (re)discovered for 32-bit emulation on the 64-bit systems.

All 64-bit kernels since 2.6.27 are vulnerable.

For history, the flaw had been fixed in 2007 in the 2.6.22.7 (CVE-2007-4573), but a decline occurred in 2008.

[explications and exploit: http://sota.gen.nz/compat2/]

All the best,
Octave