WARN: kernel local vuln.: upgrade to 2.4.23 or 2.6.0-test6
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
From http://isec.pl/vulnerabilities/isec-0012-do_brk.txt :
Successful exploitation of do_brk() leads to full compromise of vulnerable system, including gaining full uid 0 privileges, possibility of kernel code and data structures modification as well as kernel-level (ring0) code execution. Tested and successfully exploited kernel versions include:
2.4.20-18.9 as shipped with RedHat 9.0, 2.4.22 (vanila), 2.4.22 with grsecurity patch
There is no known reliable workaround for this vulnerability except. We recommend upgrading to the most recent kernel version (so far the 2.4.23 kernel) on all vulnerable systems.
In case anybody is interested: here is a more detailed description on what happened - i found it quite interesting to read: http://kerneltrap.org/node/view/1717
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820
Rep:
What I don't get is if we are supposed to upgrade the kernel past the 2.4.23 build, why is RedHat releasing new kernel rpms based on the 2.4.20-24 kernel? Should I go with the RedHat RPMs (all my RH machines are production machines) or compile the 2.4.23 kernel from http://www.kernel.org ?
Originally posted by Pcghost What I don't get is if we are supposed to upgrade the kernel past the 2.4.23 build, why is RedHat releasing new kernel rpms based on the 2.4.20-24 kernel? Should I go with the RedHat RPMs (all my RH machines are production machines) or compile the 2.4.23 kernel from http://www.kernel.org ?
I just want to add, that the fix for this problem is really a 2-liner:
Gentoo's server got compromised because of the same vulnerability. I assume there will be a target search in the next time. Secure your boxes, configure AIDE & more...
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
It may have already been compromised and they just now discovered it. You have to think that the same people who compromised Debian were running wild all over the place since no one knew about it.
I just hope you're right - but shouldn't one discover it more or less instantly? If any file gets altered, you should get a warning - may be the Gentoo servers didn't have such a tight security than the Debian ones...
Debian used AIDE on 2 servers for monitoring filesystem changes. Well regarding details you may take a look at http://isec.pl/papers/linux_kernel_do_brk.pdf, like outlined in VulnWatch.
Now these are the actual changes - the '+' in front means, that these lines are added, a '-' is used, if you want to remove some code within a patch. You see, that this code checks if addr+len isn't larger than TASK_SIZE or smaller than addr. Without this check, the kernel would be vulnerable.
Code:
/*
* mlock MCL_FUTURE?
*
Don't know what this is good for - may be to make locating the place to insert the code even easier. I don't know - i'm not an expert
Don't know what this is good for - may be to make locating the place to insert the code even easier. I don't know - i'm not an expert
Hope this clears things up
It's basically there as a failsafe in case other lines have been inserted above those since the diff was made. So, if the patch program can't apply the diff at the right line numbers, it looks for a place which fits with the 'context' lines given.
Back on topic, the 2.4.20-gentoo-r9 kernel has fixes this. (gentoo-sources-2.4.20-r9 package)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.