Posted on 09/21/2010 9:20:58 AM PDT by Ernest_at_the_Beach
*********************************************
This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others. A few vendors have released kernels that fix the vulnerability if you reboot, but other vendors, including Red Hat, are still working on releasing an updated kernel.
Typo—— link to HardOCP
Description of problem: A vulnerability in the 32-bit compatibility layer for 64-bit systems was reported. It is caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the "compat_alloc_user_space" method with an arbitrary length input.
Reference: http://sota.gen.nz/compat1/
Upstream commit: http://git.kernel.org/linus/c41d68a513c71e35a14f66d71782d27a79a81ea6
Acknowledgements: Red Hat would like to thank Ben Hawkes for reporting this issue.
Exploit: http://seclists.org/fulldisclosure/2010/Sep/268
Although it might seem self-serving, I do know of one sure way to fix this vulnerability right away on running production systems, and it doesn't even require you to reboot: you can (for free) download Ksplice Uptrack and fully update any of the distributions that we support (We support RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, and CloudLinux. For high profile updates like this one, Ksplice optionally makes available an update for your distribution before your distribution officially releases a new kernel). We provide a free 30-day trial of Ksplice Uptrack on our website, and you can use this free trial to protect your systems, even if you cannot arrange to reboot anytime soon. It's the best that we can do to help in this situation, and I hope that it's useful to you.
But wait, there's more!
Oh Noes! Everyone abandon Linux and go to macs! (/Applephile)
For me, CP/M is the way to go. NO ONE has written a virus for that O/S...
Already got the Update Manager alerts for my Ubuntu and Fedora machines. I believe I hear our NIX team over there bellyaching, but that’s par for the course.
Forget “Patch Tuesdays” from MS. When a problem really needs to be fixed, count on the open source community!
This is a LOCAL exploit. The attack must be launched by an authenticated user that is already logged on.
Unless you are granting shell command access to users, a Linux server is not vulnerable to a remote attack.
If you are using Linux on your desktop, just be aware of what you download and run on your desktop (the same advice I'd give to Windows users).
public exploit: http://seclists.org/fulldisclosure/2010/Sep/268
Statement: More information can be found in this kbase: https://access.redhat.com/kb/docs/DOC-40265.
A workaround for this issue is to run this command:
echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register
It disables 32-bit ELF support. The workaround was written by Terje Malmedal. [Source: http://seclists.org/fulldisclosure/2010/Sep/273]
(In reply to comment #13)
> [Source: http://seclists.org/fulldisclosure/2010/Sep/273]
One report suggests this won't always work: http://www.h-online.com/open/news/forum/S-workaround-DOES-NOT-PREVENT-EXPLOIT/forum-116020/msg-14370942/read/
The 'robert_you_suck' exploit mentioned in the post Mike cites is an exploit for CVE-2010-3080, which is a distinct issue discovered at the same time as this issue. RHEL 5 is not affected by that issue.
Well....that changes everything....thanks.
That might be true for desktops, but for Linux servers running any kind of PHP or CGI, all it takes is a hole in the code and you’re rooted.
And if you use a hosting provider who uses a paravirtualized environment like Slicehost or some of the other VPS hosts, I’ve heard that patches are not available yet.
PIP B:*.* = A:
Linux Kernel Exploit Wreaking Havoc
The usual snarky comments from the Gamers....but this was of interest.
************************************EXCERPT************************************
Dragoniz3rn00bie, 2.1 Years
Nothing to see here.
This has been tremendously overblown by ksplice in the interest of furthering the sales of their product. It's a local exploit, which means the attacker has to already be logged in to your box. It's not a remote exploit.
Oh, and by the way, after looking for the source code for their "detection tool", there is no way in hell I'm running it. It's copy+paste of the original exploit code, and there are some things in it that are very very difficult to verify the safety of (like embedded machine code)
Flip that dirty old bit.
************************************EXCERPT****************************************
Today, 08:41 AM
I have the same question. We leave the horde to f#$k up windows not even come close to our linux machines. We MIGHT have 4 users on our "router"
*********************************EXCERPT**************************************
Today, 08:43 AM
It's not a remote vulnerability, but a privilege escalation. It's not the first one and they have never been "hidden".
Some people are not even affected: most people running with the grsec patchset, 32 bit kernels, and 64 bit kernels without 32 bit compatibility enabled.
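An added triage sketch (not from any poster or vendor in this thread) that turns two points made above into checks: whether a host is a 64-bit kernel with 32-bit compatibility enabled, and whether the binfmt_misc workaround entry named `32bits` is registered. It assumes an x86_64 host, the `CONFIG_IA32_EMULATION` option in a plain-text kernel config, and the function names are hypothetical; a registered workaround entry is only a state report, since the thread cites one report that it won't always work.

```shell
#!/bin/sh
# Added example: exposure triage for the compat-layer issue in this thread.
# Inputs are arguments so the logic can be exercised on constructed data.

# compat_exposure ARCH CONFIG_FILE
# Prints: not-affected-32bit | not-affected-no-compat | compat-enabled | unknown
compat_exposure() {
    arch=$1 cfg=$2
    case $arch in
        x86_64) ;;                                    # 64-bit: inspect config
        i?86) echo "not-affected-32bit"; return 0 ;;  # 32-bit kernel
        *) echo "unknown"; return 0 ;;                # other arches not covered
    esac
    # Without a readable config we cannot decide either way.
    [ -r "$cfg" ] || { echo "unknown"; return 0; }
    if grep -q '^CONFIG_IA32_EMULATION=y' "$cfg"; then
        echo "compat-enabled"          # precondition present: needs fixed kernel
    else
        echo "not-affected-no-compat"  # 64-bit kernel without 32-bit compat
    fi
}

# workaround_state BINFMT_DIR
# Prints: registered | disabled | absent
# A registered binfmt_misc entry shows up as a file whose first line is
# "enabled" or "disabled".
workaround_state() {
    entry=$1/32bits
    [ -r "$entry" ] || { echo "absent"; return 0; }
    case $(head -n 1 "$entry") in
        enabled) echo "registered" ;;
        *) echo "disabled" ;;
    esac
}

# Live use (usual locations, assumed here):
#   compat_exposure "$(uname -m)" "/boot/config-$(uname -r)"
#   workaround_state /proc/sys/fs/binfmt_misc
```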