Web Hosting Talk

WARNING: Local root hole in linux kernels


cperciva
10-19-2001, 10:26 AM
According to this post (http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21) on Bugtraq, there are kernel security holes in 2.2.x kernels up to 2.2.19, and 2.4.x kernels up to 2.4.9.

The first problem is a local denial-of-service attack, caused by problems in the symlink-dereferencing kernel code. The second problem is a local root hole via ptrace and setuid binaries.

Go patch those systems!

teck
10-19-2001, 10:49 AM
Great :(

Synergy
10-19-2001, 01:14 PM
How do we know which kernel our dedicated servers have? The provider never told us which kernel versions are on the servers.

cperciva
10-19-2001, 01:18 PM
If your linux installation is more than a week old, it is vulnerable.

allera
10-19-2001, 01:37 PM
You can also type "uname -a" for the kernel version.
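A way to turn that `uname -r` output into a verdict against the ranges in the Bugtraq post, added here as an example and not taken from the thread. The classification uses the advisory's ranges (2.2.x up to 2.2.19, 2.4.x up to 2.4.9), the note quoted later in the thread that 2.4.10 and 2.4.11 only partly fixed the symlink DoS, and the 2.2.20 release mentioned at the end. Caveat a practitioner needs: on distribution kernels the version string alone proves nothing either way, because vendors backport fixes into kernels that keep the old base version (Red Hat's errata kernels stay "2.4.x-something"), so a "vulnerable" result means "check `rpm -q kernel` against the vendor errata", and the only real proof is running the exploit as cperciva suggests.

```shell
#!/bin/sh
# Added example, not from the thread: classify a kernel release string against
# the ranges in the Bugtraq post.  Vendor kernels (Red Hat's 2.4.2-2, 2.4.9-x,
# ...) backport fixes without changing the base version, so treat "vulnerable"
# as "go and check the vendor errata", not as proof.

# kernel_status RELEASE  -> prints one of: vulnerable partial fixed unknown
kernel_status() {
    base=${1%%-*}                   # "2.4.2-2" -> "2.4.2" (drop vendor suffix)
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}    # "19pre3" -> "19"
    case "$major.$minor" in
        2.2)    # up to 2.2.19 affected; 2.2.20 carries the fixes
            if [ "$patch" -le 19 ]; then echo vulnerable; else echo fixed; fi ;;
        2.4)    # up to 2.4.9 affected; 2.4.10/2.4.11 only partly fixed the
                # symlink DoS (per the Bugtraq note); 2.4.12 fixed it fully
            if [ "$patch" -le 9 ]; then echo vulnerable
            elif [ "$patch" -le 11 ]; then echo partial
            else echo fixed; fi ;;
        *)  echo unknown ;;         # series not covered by the advisory
    esac
}

# Run it against the kernel this shell is on.
echo "$(uname -r): $(kernel_status "$(uname -r)")"
```

"partial" and "vulnerable" both mean "patch or upgrade"; "fixed" still deserves a test run of the exploit on a distribution kernel.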

dektong
10-19-2001, 01:41 PM
Originally posted by Synergy
How do we know which kernel our dedicated servers have? The provider never told us which kernel versions are on the servers.

As a webhost, you should know this fact! ;)

type 'uname -a' on your shell ...

cheers,
:beer:

teck
10-19-2001, 02:54 PM
Originally posted by dektong


As a webhost, you should know this fact! ;)

type 'uname -a' on your shell ...

cheers,
:beer:

I agree. If you're a webhost and don't know your kernel version, then there's problems :)

yelofobkin
10-19-2001, 03:05 PM
I don't think he is tech savvy, as he forwards my requests and questions to Matt...

phpjames
10-19-2001, 03:23 PM
Oivey! This sucks...:angry:

JTY
10-19-2001, 07:30 PM
I know what I'm doing tonight...... :) At least there aren't any shell accounts on the server aside from mine and root.

jolly
10-20-2001, 02:06 AM
Originally posted by cperciva
According to this post (http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21) on Bugtraq, there are kernel security holes in 2.2.x kernels up to 2.2.19, and 2.4.x kernels up to 2.4.9.

The first problem is a local denial-of-service attack, caused by problems in the symlink-dereferencing kernel code. The second problem is a local root hole via ptrace and setuid binaries.

Go patch those systems!

How can I patch up the holes?

JTY
10-20-2001, 02:33 AM
What distro of Linux are you running?

RedHat already has RPMs out if you use that.

node9
10-20-2001, 03:14 AM
*sigh*
I have to find a way to patch/prevent this....
If you go to http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21 they give you a link for insert_shellcode.c -- this is the exploit code you need to root the system.. Any 3-year-old can do it...

I tested my system, and it works; if you're a user, all you have to do is compile and type exec ./insert_shellcode

I run Red Hat 7.1; I JUST HAD MY SERVER reinstalled..... It is running kernel 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown

How can I patch this? I have never recompiled my kernel; I don't even want to do that. This is a dedicated server; if I screw something up it will be a real pain... There has to be an easy way out of this?

Could I go to http://www.kernel.org/pub/linux/kernel/v2.4/
and download http://www.kernel.org/pub/linux/kernel/v2.4/patch-2.4.12.gz ?

I pick 2.4.12 because it says....
2.4.10 fixed this problem, but not completely. Under 2.4.10 "head l0" command would not block the scheduler, but it cannot be killed. The problem is fully solved in 2.4.12.

When I download that patch-2.4.12.gz and gunzip it... all it extracts is a file called patch-2.4.12, that's it:

drwxrwxr-x 2 node node 4.0k Oct 20 00:02 .
drwx------ 24 node node 4.0k Oct 20 00:02 ..
-rw-rw-r-- 1 node node 161k Oct 10 23:59 patch-2.4.12

Am I even on the right path? Would I even be able to use this file? If so, how? Do I just run patch-2.4.12 < patch
or what..
Can anyone please help? I never really had to do much with kernels... recompiling is a pain, and I just didn't want to bother.

If I am on the wrong track please direct me to the right path...

email: skream9@home.com
AIM: Skream9
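What that file is and how it would be used, as an added example rather than anything from the thread. kernel.org's patch-2.4.12 is the diff from the 2.4.11 mainline source to 2.4.12; it is the input to `patch`, not a program to run, and it is applied from the top of a 2.4.11 tree with `patch -p1`. It will not apply cleanly to a distribution tree such as Red Hat's 2.4.2-2, which carries vendor patches, which is why the Red Hat RPM route mentioned elsewhere in the thread is the easier one for that box. The functions below read the tree's version from its top-level Makefile before applying and do a dry run first; the demo exercises them on a constructed miniature tree and a constructed diff standing in for patch-2.4.12 (both are assumptions for the demo, not the real files), so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: applying a kernel.org incremental patch
# with the two checks that catch the usual mistakes (wrong base tree, bad
# apply).  Demonstrated on a constructed miniature tree so it runs offline.

# tree_version DIR -> "2.4.11", read from the Makefile's VERSION/PATCHLEVEL/
# SUBLEVEL lines (real 2.4 kernel Makefiles start with exactly those).
tree_version() {
    v=$(sed -n 's/^VERSION *= *//p' "$1/Makefile")
    p=$(sed -n 's/^PATCHLEVEL *= *//p' "$1/Makefile")
    s=$(sed -n 's/^SUBLEVEL *= *//p' "$1/Makefile")
    echo "$v.$p.$s"
}

# apply_incremental_patch DIR PATCHFILE EXPECTED_BASE
#   patch-2.4.12 is the diff 2.4.11 -> 2.4.12, so DIR must be a 2.4.11 tree.
#   Paths inside the patch look like a/Makefile and b/Makefile; -p1 strips
#   the leading component.  A dry run first so a partial apply never happens.
apply_incremental_patch() {
    dir=$1; pfile=$2; want=$3
    have=$(tree_version "$dir")
    if [ "$have" != "$want" ]; then
        echo "refusing: tree is $have, patch expects $want" >&2
        return 1
    fi
    patch -p1 -d "$dir" --dry-run -s < "$pfile" || return 1
    patch -p1 -d "$dir" -s < "$pfile"
}

# Constructed demo: a 2.4.11 tree, a 2.4.2 tree, and a stand-in for
# patch-2.4.12 made with diff -u (real release patches bump SUBLEVEL too).
make_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/a" "$work/b" "$work/linux-2.4.11" "$work/linux-2.4.2"
    printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 11\n' > "$work/a/Makefile"
    printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 12\n' > "$work/b/Makefile"
    cp "$work/a/Makefile" "$work/linux-2.4.11/Makefile"
    printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 2\n' > "$work/linux-2.4.2/Makefile"
    (cd "$work" && diff -u a/Makefile b/Makefile > patch-2.4.12) || true  # diff exits 1 on differences
    echo "$work"
}

demo=$(make_demo)
# Wrong base tree (a Red Hat-style 2.4.2): refused before patch even runs.
apply_incremental_patch "$demo/linux-2.4.2" "$demo/patch-2.4.12" 2.4.11 || echo "not applied, as expected"
# Right base tree: applied, and the tree now identifies itself as 2.4.12.
apply_incremental_patch "$demo/linux-2.4.11" "$demo/patch-2.4.12" 2.4.11 && echo "tree is now $(tree_version "$demo/linux-2.4.11")"
```

On a real box the equivalent is `cd /usr/src/linux-2.4.11 && patch -p1 --dry-run < ../patch-2.4.12`, then the same without `--dry-run`, followed by the usual configure, build, install and bootloader steps; if `--dry-run` reports rejects, the tree is not what the patch expects.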

phpjames
10-20-2001, 03:17 AM
Where can I find the redhat rpms for this patch? Can you list a location?

Thank you.

Domenico
10-20-2001, 06:55 AM
Hmmm, can we use the Red Hat Update Agent with a cpanel/whm system?

Will cpanel break down?

SuperDon
10-20-2001, 08:08 AM
Hi,

I have just signed up to the RHN through up2date.

During this process it detected my hardware but it asked me to select what software is installed. I was unsure of this and left everything selected.

I noticed this security hole a day or two ago and have only just upgraded to kernel 2.4.12 due to other problems. Does this mean I am covered from this hole?

Also, if I run up2date, will this screw things up because I didn't select the software I have installed? Also, does it have any implications as far as CPanel and WHM?

Your help is as always appreciated.

cperciva
10-20-2001, 08:18 AM
Originally posted by SuperDon
I noticed this security hole a day or two ago and have only just upgraded to kernel 2.4.12 due to other problems. Does this mean I am covered from this hole?


According to the original report, yes. Since then there have been sporadic reports of the exploit succeeding against 2.4.12 systems as well... at this point my advice would simply be to download the exploit and try it.

Domenico
10-20-2001, 08:53 AM
Originally posted by SuperDon
Hi,

I have just signed up to the RHN through up2date.

During this process it detected my hardware but it asked me to select what software is installed. I was unsure of this and left everything selected.

I noticed this security hole a day or two ago and have only just upgraded to kernel 2.4.12 due to other problems. Does this mean I am covered from this hole?

Also, if I run up2date, will this screw things up because I didn't select the software I have installed? Also, does it have any implications as far as CPanel and WHM?

Your help is as always appreciated.


I asked the same question but ok.
Did or did you not run up2date ?

allera
10-20-2001, 09:00 AM
Here is a snip from http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21

II. Root compromise by ptrace(3)
In order for this flaw to be exploitable, /usr/bin/newgrp must be setuid root and world-executable.

Does this mean if you make /usr/bin/newgrp not world-executable that you are not vulnerable to the root exploit? Of course, you may need to put it back to world-executable, but in the meantime you could restrict it until you get the system patched and then set it back? Or perhaps make the file owned by an unprivileged user, "nouser", or something?

Also, another good reason why Slack is better:

In order to exploit this kernel vulnerability, one needs a setuid root binary which execs an user-defined binary (or a shell). Newgrp is appropriate on most distributions. On default install of slackware it does not work (the password fields in /etc/group are empty, and newgrp demands a password). However, one can use "su" on this distribution. "su" binary is compiled without PAM support on slackware, therefore it execs an user shell.

Not all Linux distros are the same. :) Can't we just restrict su to execute only for users with the root group and be done with it?

cperciva
10-20-2001, 09:11 AM
Originally posted by allera
Does this mean if you make /usr/bin/newgrp not world-executable that you are not vulnerable to the root exploit?

No. newgrp was simply chosen as a convenient example of a suid program; the flaw is in the kernel and can theoretically be exploited with any suid program.

JTY
10-20-2001, 11:26 AM
Well, I installed 2.2.19 last night...

cperciva
10-20-2001, 12:22 PM
Originally posted by JTY
Well, I installed 2.2.19 last night...

I hope you actually mean "I installed 2.2.19 plus those two patches last night..."

phpjames
10-20-2001, 07:08 PM
Where are the RPMs for this patch?

DaveC#
10-20-2001, 09:51 PM
@ redhat

The Prohacker
10-20-2001, 10:09 PM
http://www.redhat.com/support/errata/RHSA-2001-129.html

JTY
10-20-2001, 10:49 PM
Yes, it's a patched kernel.... I'm happy now.

Dylan
10-22-2001, 12:25 AM
To those that used up2date, did you run into any problems, ie. the docs mentioned something about lilo?

JTY
10-22-2001, 12:36 AM
I just downloaded the RPMs myself and installed them... at least then I know it was done right... :)

freakysid
10-23-2001, 04:13 AM
Originally posted by Dylan
To those that used up2date, did you run into any problems, ie. the docs mentioned something about lilo?

Yep - I completely stuffed it up :( From my server page at RHN I didn't find any info or links to info about needing to back up LILO, etc. - In fact I'm just looking for that info now. But alas, it is too late - my server is down. Because I'm with Pegasus but in the Equinix NOC, Jay has to go in and restore LILO. I can expect a nice big bill next month :bawling:

This will teach me to get a good night sleep, meditate, blow my nose, go to the toilet, and RTFM before I go messing with kernel updates again. :(

eva2000
10-23-2001, 08:38 AM
Originally posted by freakysid
Yep - I completely stuffed it up :( From my server page at RHN I didn't find any info or links to info about needing to back up LILO, etc. - In fact I'm just looking for that info now. But alas, it is too late - my server is down. Because I'm with Pegasus but in the Equinix NOC, Jay has to go in and restore LILO. I can expect a nice big bill next month :bawling:

This will teach me to get a good night's sleep, meditate, blow my nose, go to the toilet, and RTFM before I go messing with kernel updates again. :(

Sorry to hear that, freakysid :(

Hope it works out.. especially that bill :eek:

Domenico
10-23-2001, 11:52 AM
Thanks for letting us know. We were just about to do the update with up2date.

Glad I just caught your post. i hope everything will turn out ok for you.

Anyone knows how to do it right?

JapAniManga.ch
10-23-2001, 03:41 PM
Hi,

My Problem is that I have Server with RH6.2 but the RPMs at RH-Site are for 7.1/7.2 !

freakysid
10-24-2001, 02:03 AM
Originally posted by Domenico
Thanks for letting us know. We were just about to do the update with up2date.

Glad I just caught your post. i hope everything will turn out ok for you.

Anyone knows how to do it right?

The last time I patched the kernel was by scheduling the task using the web page at RHN for my server. I guess that the backup and restoring of lilo.conf must have been automated as part of that action. (but for goodness sake don't take my word for this).

However, this time I chose to dl the rpms because I wanted to also apply the patch to openssh and a couple of others so thought it would be easier to just use the dl feature at rhn and install them manually. But, I should have rtfm first and realised that you must back up and restore lilo.conf, whatever, before you reboot. There are a few sources of info about this - probably should take a look around linuxdoc.org for more info.

Domenico
10-24-2001, 08:14 AM
But what if you only can do a REMOTE update?
How is the reboot and LILO change handled then?

Or can it only be done with the server next to you?

node9
10-24-2001, 09:16 AM
You can install the RPM version of the kernel,
configure your LILO to use the new kernel,
and reboot if you're brave; it's a very frustrating process if you're not there in front of the server.

It's best to have someone ready to go into the NOC and fix it in case something goes wrong, before you do it,
or have them do it.
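How the remote case is handled without a trip to the NOC, as an added example that is not from the thread: install the new kernel RPM alongside the old one (`rpm -i`, not `rpm -U`), add a second stanza to /etc/lilo.conf while leaving `default=` pointing at the old kernel, rewrite the boot map with `/sbin/lilo`, then use `lilo -R` to boot the new label exactly once. If the new kernel fails and the NOC power-cycles the box, it comes back on the old kernel. Forgetting to run `/sbin/lilo` after changing the config, or pointing the only stanza at a kernel that does not boot, is what leaves a remote box dead. The helper that edits lilo.conf is exercised below on a constructed copy modelled on a Red Hat 7.1 box; `stage_new_kernel` holds the root-only commands for the real host and is not executed here; the kernel file name and label in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a remote-safe LILO kernel upgrade.
# Keep the old kernel as default, add the new one as a second stanza, boot it
# once with "lilo -R"; a failed boot plus a power-cycle lands on the old kernel.
# stage_new_kernel() is the root-only part and is NOT run by this script.

# add_lilo_image CONF LABEL KERNEL ROOTDEV [INITRD]
#   appends an image stanza to CONF (keeping CONF.bak); default= is untouched.
add_lilo_image() {
    conf=$1; label=$2; kernel=$3; rootdev=$4; initrd=$5
    if grep -q "^[[:space:]]*label=$label\$" "$conf"; then
        echo "label $label already in $conf" >&2
        return 1
    fi
    cp "$conf" "$conf.bak"
    {
        echo "image=$kernel"
        echo "    label=$label"
        echo "    root=$rootdev"
        if [ -n "$initrd" ]; then echo "    initrd=$initrd"; fi   # SCSI/RAID-as-module boxes
        echo "    read-only"
        echo '    append="panic=30"'   # reboot 30s after a panic instead of hanging
    } >> "$conf"
}

# lilo_labels CONF   -> labels LILO knows, one per line
lilo_labels() { sed -n 's/^[[:space:]]*label=//p' "$1"; }
# lilo_default CONF  -> label booted when nobody chooses
lilo_default() { sed -n 's/^default=//p' "$1"; }

# Root-only procedure for the real host (not executed in this example).
stage_new_kernel() {
    rpm=$1; label=$2; kernel=$3; rootdev=$4; initrd=$5
    rpm -ivh "$rpm"                       # -i, not -U: the old kernel stays installed
    add_lilo_image /etc/lilo.conf "$label" "$kernel" "$rootdev" "$initrd" || return 1
    /sbin/lilo -v                         # rewrite the boot map; output must list "Added $label"
    /sbin/lilo -R "$label"                # next boot only; default= still names the old kernel
    # then: shutdown -r now.  Back on the new kernel: set default= to $label and
    # run /sbin/lilo again.  Not back: a power-cycle boots the old default.
}

# Constructed lilo.conf modelled on a stock Red Hat 7.1 install (2.4.2-2).
make_demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
boot=/dev/hda
prompt
timeout=50
default=linux
image=/boot/vmlinuz-2.4.2-2
    label=linux
    root=/dev/hda2
    read-only
EOF
    echo "$f"
}

conf=$(make_demo_conf)
add_lilo_image "$conf" linux-new /boot/vmlinuz-NEW /dev/hda2   # placeholder kernel name
echo "default stays: $(lilo_default "$conf")"
echo "labels now: $(lilo_labels "$conf" | tr '\n' ' ')"
```

The one thing `lilo -R` cannot do is reset a box that hangs instead of panicking, which is why the new stanza carries `panic=30` and why someone at the NOC should still know a reboot is coming.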

Alareach
10-31-2001, 06:03 PM
I am preparing to have one of the NOCs I colo at update the kernel on one of my servers with CPANEL installed. Do I need anything special recompiled in the kernel beforehand (such as ipchains, iptables, etc.)?
Anyone have problems with Cpanel and the upgrade that I should watch out for?

Running RH 6.2 with 2.4.7
Thanks!
AH

ShellBounder
10-31-2001, 10:56 PM
I've heard a little about this, and I also know that the Linux kernel developers are trying to keep this really quiet, or so I read in a news article. I've never upgraded a Linux kernel before; what all is involved?

cperciva
11-03-2001, 03:33 AM
In case anyone hasn't updated their systems yet, I thought I'd resurrect this thread to point out that the 2.2.20 kernel, which includes the necessary security fixes, has now been released. So if you were having trouble putting together the necessary patched source tree you can just install 2.2.20 instead.