    • CommentAuthoratc-
    • CommentTimeFeb 10th 2008
    Link: http://www.securityfocus.com/bid/27704/info

    Seems 2.6.16 and above are vulnerable, with 2.6.24.1 being safe. Are our slices affected? I've not had the chance to compile and run the exploit code on my server yet, so I'm kinda posting this blind...

    Exploit example: http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
    • CommentAuthorjason
    • CommentTimeFeb 10th 2008
    Neither exploit appears to work on either of the active kernels we are using. I don't believe that the versions listed as vulnerable are accurate. The patched code affects a function that was implemented in the 2.6.23 tree and according to the discussion thread on the kernel mailing list 2.6.22 and older kernels are not affected.
    • CommentAuthormonzsca
    • CommentTimeFeb 10th 2008
    I just tried it on my slice and the exploit does not work.
    • CommentAuthorcactus
    • CommentTimeFeb 11th 2008

    I read that it was 2.6.17 to current. Since Slicehost uses 2.6.16, I believe it is safe (not certain though).

    • CommentAuthorslamb
    • CommentTimeFeb 11th 2008

    Linux version numbers are a bit suspect because there are so many vendor kernels around. You never know what features they will backport. For example, NPTL was added in 2.6.x but I’ve run RedHat 2.4.x kernels that supported it.

    However, on my slice (which claims to be 2.6.16.29-xen), vmsplice() returns -1 with errno set to ENOSYS, so it definitely does not have the affected syscall. Not vulnerable.

    •

    Just ran it on my slice, CentOS 5.1, 2.6.16.29-xen. Doesn’t work; vmsplice returns ENOSYS, as slamb said. Interestingly enough, it didn’t compile: it seems there’s a bug in CentOS’ kernel headers package, because asm-x86_64/page.h was empty, so I had to copy in definitions from asm-i386/page.h manually.
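An added example, not code from the thread, that automates the check slamb and the previous poster describe: it invokes the vmsplice system call with arguments no kernel will accept and classifies the resulting errno. ENOSYS means the kernel has no such syscall at all (the 2.6.16.29-xen case); EBADF or EINVAL means the entry point exists, so the kernel's patch level still has to be checked separately. The enum names and helper functions are my own, not from any tool mentioned in the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

enum vmsplice_state {
    VMSPLICE_ABSENT = 0,     /* kernel answered ENOSYS: syscall not implemented */
    VMSPLICE_PRESENT = 1,    /* kernel rejected our bogus arguments: entry point exists */
    VMSPLICE_UNEXPECTED = 2  /* success or an unrelated errno (e.g. EPERM from a seccomp filter) */
};

/* Pure classification of a (return value, errno) pair, so the decision logic
 * can be exercised without touching the kernel. */
enum vmsplice_state classify_vmsplice(long ret, int err)
{
    if (ret == -1 && err == ENOSYS)
        return VMSPLICE_ABSENT;
    /* Deliberately invalid arguments must be refused: an invalid fd gives EBADF,
     * an oversized iovec count gives EINVAL. Either proves the syscall is wired up. */
    if (ret == -1 && (err == EBADF || err == EINVAL))
        return VMSPLICE_PRESENT;
    return VMSPLICE_UNEXPECTED;
}

/* Probe the running kernel. fd -1 is never valid and nr_segs 1025 exceeds
 * UIO_MAXIOV (1024), so no kernel version moves any data; we only want the error. */
enum vmsplice_state probe_vmsplice(void)
{
#ifdef SYS_vmsplice
    errno = 0;
    long ret = syscall(SYS_vmsplice, -1, (const void *)0, 1025UL, 0U);
    return classify_vmsplice(ret, errno);
#else
    /* Headers without a syscall number for it: treat as absent, same as ENOSYS. */
    return VMSPLICE_ABSENT;
#endif
}

const char *vmsplice_state_name(enum vmsplice_state s)
{
    switch (s) {
    case VMSPLICE_ABSENT:  return "absent (ENOSYS): this kernel does not expose vmsplice";
    case VMSPLICE_PRESENT: return "present: check the kernel's patch level";
    default:               return "unexpected result: inspect errno by hand";
    }
}

int main(void)
{
    enum vmsplice_state s = probe_vmsplice();
    printf("vmsplice: %s\n", vmsplice_state_name(s));
    return 0;
}
```

It needs no privileges to run. A sandbox that filters syscalls (for example a seccomp profile returning EPERM) shows up as the "unexpected" state rather than as a false "absent", which is why the classifier does not treat every -1 as proof that the call is missing.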

    • CommentAuthorjon
    • CommentTimeFeb 12th 2008
    The exploits doing the rounds are written with x86-specific code. My slice, at least, is amd64, so the thing being circulated will not work. That alone doesn't mean you aren't vulnerable.

    My slice is a Debian one with uname 2.6.18-xen. A vanilla 2.6.18 IS vulnerable; compare http://lxr.linux.no/linux+v2.6.18/fs/splice.c#L1141 against the patch that was committed to fix this: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44
    • CommentAuthorjason
    • CommentTimeFeb 12th 2008 edited
    Jon,

    2.6.18 is vulnerable to CVE-2008-0600 it appears and not CVE-2008-0009/10. The official xen 2.6.18 branch had the patch incorporated yesterday and our 2.6.18 kernels are updated.

    http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/08e85e79c65d
    • CommentAuthorSchultz
    • CommentTimeFeb 12th 2008
    I am new to VPS hosting. Just wondering, we just need to reboot our slice to get it to start using the patched kernel, correct?
    • CommentAuthorjason
    • CommentTimeFeb 12th 2008 edited
    You will need to restart to reload your kernel.

    This is what you want to see:

    # cat /proc/version
    Linux version 2.6.18-xen (root@sh-kern) (gcc version 4.0.3 (Ubuntu 4.0.3-1ubuntu5)) #1 SMP Tue Feb 12 06:40:50 UTC 2008


    This is also OK:

    # cat /proc/version
    Linux version 2.6.16.29-xen (root@jason) (gcc version 3.4.6 (Ubuntu 3.4.6-1ubuntu2)) #1 SMP Sun Sep 30 04:00:13 UTC 2007
    • CommentAuthorllama
    • CommentTimeFeb 12th 2008
    Hi jason,

    Just to be clear. If I see this:

    # cat /proc/version
    Linux version 2.6.16.29-xen (root@jason) (gcc version 3.4.6 (Ubuntu 3.4.6-1ubuntu2)) #1 SMP Sun Sep 30 04:00:13 UTC 2007

    Do I still need to restart my slice?

    thx.
    • CommentAuthorSchultz
    • CommentTimeFeb 12th 2008
    Thanks Jason. First time I had to reboot my slice since I set it up. Funny, I had forgotten to add apache and mysql to my default run levels since I installed them all. Thanks again.
    • CommentAuthorjason
    • CommentTimeFeb 12th 2008
    Llama,

    No that version is fine.
    • CommentAuthorbhoggard
    • CommentTimeFeb 13th 2008
    Is this OK?

    $ cat /proc/version
    Linux version 2.6.18-xen (root@jason2) (gcc version 4.0.3 (Ubuntu 4.0.3-1ubuntu5)) #1 SMP Fri Nov 2 06:14:54 UTC 2007
    • CommentAuthorjason
    • CommentTimeFeb 13th 2008
    bhoggard, no, that is not one of the two listed in my prior post; if you reboot you should see a different version.
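Added example, not code from the thread or from Slicehost: the exchange above shows that "2.6.18-xen" appears in both the old and the fixed kernel, so only the build timestamp after "#1 SMP" tells them apart. This C parser pulls that timestamp out of a /proc/version (or uname -a) line and applies the rule the thread arrives at: 2.6.16.29-xen has no vmsplice at all (slamb's test), and 2.6.18-xen is fine from the Feb 12 2008 build onwards. The three sample lines are the ones jason quoted; the function names and the return-code convention are my own.

```c
#include <stdio.h>
#include <string.h>

/* Kernel build lines quoted in the thread. The 2.6.18 release string is
 * identical before and after the fix; only the build date differs. */
const char *PATCHED_2_6_18 =
    "Linux version 2.6.18-xen (root@sh-kern) (gcc version 4.0.3 (Ubuntu 4.0.3-1ubuntu5)) "
    "#1 SMP Tue Feb 12 06:40:50 UTC 2008";
const char *OLD_2_6_18 =
    "Linux version 2.6.18-xen (root@jason2) (gcc version 4.0.3 (Ubuntu 4.0.3-1ubuntu5)) "
    "#1 SMP Fri Nov 2 06:14:54 UTC 2007";
const char *OLD_2_6_16 =
    "Linux version 2.6.16.29-xen (root@jason) (gcc version 3.4.6 (Ubuntu 3.4.6-1ubuntu2)) "
    "#1 SMP Sun Sep 30 04:00:13 UTC 2007";

struct build_stamp { int year, mon, day, hour, min, sec; };

static int month_index(const char *abbr)
{
    static const char *names[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                   "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
    for (int i = 0; i < 12; i++)
        if (strncmp(abbr, names[i], 3) == 0)
            return i + 1;
    return 0;
}

static int is_weekday(const char *tok)
{
    static const char *names[] = { "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun" };
    for (int i = 0; i < 7; i++)
        if (strncmp(tok, names[i], 3) == 0 && tok[3] == ' ')
            return 1;
    return 0;
}

/* Parse the timestamp that follows the "#N" build number, e.g.
 * "#1 SMP Tue Feb 12 06:40:50 UTC 2008". Flags such as SMP or PREEMPT between
 * the build number and the weekday are skipped. Returns 1 on success, 0 if
 * the line carries no recognisable stamp. */
int parse_build_stamp(const char *line, struct build_stamp *out)
{
    const char *p = strchr(line, '#');
    if (!p)
        return 0;
    for (p = strchr(p, ' '); p; p = strchr(p, ' ')) {
        p++;                            /* start of the next token */
        if (is_weekday(p))
            break;
    }
    if (!p)
        return 0;
    char mon[4], zone[8];
    int n = sscanf(p + 4, "%3s %d %d:%d:%d %7s %d", mon, &out->day,
                   &out->hour, &out->min, &out->sec, zone, &out->year);
    if (n != 7)
        return 0;
    out->mon = month_index(mon);
    return out->mon != 0;
}

static int stamp_cmp(const struct build_stamp *a, const struct build_stamp *b)
{
    int fa[] = { a->year, a->mon, a->day, a->hour, a->min, a->sec };
    int fb[] = { b->year, b->mon, b->day, b->hour, b->min, b->sec };
    for (int i = 0; i < 6; i++)
        if (fa[i] != fb[i])
            return fa[i] < fb[i] ? -1 : 1;
    return 0;
}

/* 1 if `line` reports a build at least as new as `reference`, 0 if older,
 * -1 if either line cannot be parsed. */
int build_is_at_least(const char *line, const char *reference)
{
    struct build_stamp a, b;
    if (!parse_build_stamp(line, &a) || !parse_build_stamp(reference, &b))
        return -1;
    return stamp_cmp(&a, &b) >= 0;
}

/* Returns 1 = reboot needed, 0 = running a fixed kernel, -1 = release not
 * covered by the thread's two cases. */
int needs_reboot(const char *procversion)
{
    char release[64];
    if (sscanf(procversion, "Linux version %63s", release) != 1)
        return -1;
    if (strcmp(release, "2.6.16.29-xen") == 0)   /* no vmsplice syscall at all */
        return 0;
    if (strcmp(release, "2.6.18-xen") == 0) {    /* fixed from the Feb 12 2008 build on */
        int ok = build_is_at_least(procversion, PATCHED_2_6_18);
        return ok < 0 ? -1 : !ok;
    }
    return -1;
}

int main(void)
{
    const char *samples[] = { PATCHED_2_6_18, OLD_2_6_18, OLD_2_6_16 };
    for (int i = 0; i < 3; i++) {
        int r = needs_reboot(samples[i]);
        printf("%s\n  -> %s\n", samples[i],
               r == 1 ? "reboot needed" : r == 0 ? "fixed kernel" : "unknown release");
    }
    return 0;
}
```

Feeding the real line (`cat /proc/version`) to needs_reboot() reproduces jason's answers in this thread; any other release string returns -1 rather than guessing, since the thread only establishes the rule for these two kernels.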
    • CommentAuthoraQ
    • CommentTimeFeb 13th 2008
    I've rebooted twice, both hard and soft, but I still get this:
    cat /proc/version
    Linux version 2.6.18-xen (root@sh-kern) (gcc version 4.0.3 (Ubuntu 4.0.3-1ubuntu5)) #1 SMP Tue Feb 12 06:40:50 UTC 2008

    I also tried to update & upgrade, but it's still the same.
    • CommentAuthorjason
    • CommentTimeFeb 13th 2008
    aQ, that is the updated version.
    • CommentAuthorartagesw
    • CommentTimeFeb 13th 2008
    So, I have this:

    Linux www1 2.6.16.29-xen #1 SMP Sun Sep 30 04:00:13 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux

    No change after reboot. Am I OK?
    • CommentAuthoraQ
    • CommentTimeFeb 13th 2008
    Aha, thanks, Jason... I'm sorry.
    • CommentAuthorGadget
    • CommentTimeFeb 13th 2008 edited
    Just noting that these are "local" exploits which rely on someone in userland having access to the compilers. My users don't get to see such things! Besides, all the example code stopped cold on exec with segmentation faults, well before privilege escalation was attained. But still, one never knows. My Ubuntu Slice (2.6.18) has been given a swift reboot in the butt and all is well once again in Sliceland! Thanks for your diligence, Jason!