Local/Remote Linux root exploit 2.6.37 to 3.8.8

Hello,

This is a VERY important security bug! Some spring cleaning is needed...
- you must update your server. If you're into the games, it's really essential.

On our side:
- Hosting is protected thanks to the GRS kernels. An update is in progress all the same, you never know...
- VPS Classic/Low Latency is mitigated and update is being prepared

On your side, it's up to you to update:
- VPS Cloud
- Servers
- VMs on Dedicated Cloud

Otherwise:
- Servers/VPS will now be delivered with the new kernel

Best wishes,

Octave

A root exploit has just been published.

While we have not been able to exploit this vulnerability on a GRSEC kernel, it could cause servers to crash under certain conditions.

We released the 3.8.13 kernel today. All OVH kernel distributions are now delivered with the latest Linux kernel.

If your server uses NetBoot, you can simply reboot it. If not, you can install the new kernel manually by clicking here:

[GRS] ftp://ftp.ovh.net/made-in-ovh/bzImag...xx-grs-ipv6-64
[STD] ftp://ftp.ovh.net/made-in-ovh/bzImag...xx-std-ipv6-64

Or for VMs:
[GRS] ftp://ftp.ovh.net/made-in-ovh/bzImag...ps-grs-ipv6-64
[STD] ftp://ftp.ovh.net/made-in-ovh/bzImag...ps-std-ipv6-64

In addition to fixing this loophole, the new kernel also brings improved performances, especially for the network.

Redhat RHEL 6.0 (but not 5.0) has also been affected:
https://bugzilla.redhat.com/show_bug.cgi?id=962792

All almost all distributions have this vulnerability.


*** Mitigation ***

The exploit is no longer functional after changing the kernel.perf_event_paranoid parameter:
# sysctl kernel.perf_event_paranoid=2

However, this does not correct the underlying vulnerability, thus rebooting the server onto the new kernel ASAP is highly recommended.