SecurityFocus: Linux kernel memory access vulnerabilities, exploit included to get a root account on stock kernels between 2.6.17 and 2.6.24.1. Web hosts responded — Holy !$#&!!! CentOS 5, Ubuntu Edgy through Gutsy, Debian Etch — all these Linux distributions are affected. Basically a local user can gain root access, and with the help of a vulnerable application that allows executing arbitrary local code, a remote user might be able to take over the entire system.
It is great to see hosts taking security seriously (especially those providing SSH access to shared hosting accounts). Looking at my list of hosting accounts:
- SliceHost — not vulnerable as they run Linux 2.6.16.
- Linode — new kernel images created within 24 hours of security alert.
- VPSLink — can’t find any discussion on their forums. My VPS there was running 2.6.9 so it should be secure, but I heard there are servers running newer 2.6.18 kernels from OpenVZ.
- DreamHost — “What security issue? We are still running 2.4 kernels!”
- NearlyFreeSpeech — “What security issue? FreeBSD ftw!”
A bad bad week for Linux for sure. Time to press that panic button.
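As an added example (not part of the original post), a small POSIX sh triage check that compares a kernel release string against the affected range the post gives, 2.6.17 up to but not including 2.6.24.1. The version-string parser and the range boundaries are assumptions drawn only from the post; the check says nothing about distribution backports, so a kernel inside the range may already carry a vendor fix and a kernel outside it is not proof of safety on its own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a kernel release
# string (as printed by "uname -r") falls inside the range the post reports
# as affected: 2.6.17 <= version < 2.6.24.1. Version-only triage; vendor
# backports can fix a kernel without changing its version number.

# Normalise "2.6.18-53.el5" -> "2 6 18 0": keep the leading dotted numbers,
# drop any distro suffix, pad to four fields so comparisons are uniform.
version_fields() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Three-way comparison of two version strings: prints -1, 0 or 1.
version_cmp() {
    a=$(version_fields "$1"); b=$(version_fields "$2")
    set -- $a; a1=$1; a2=$2; a3=$3; a4=$4
    set -- $b; b1=$1; b2=$2; b3=$3; b4=$4
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { printf '%s\n' -1; return; }
        [ "$1" -gt "$2" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# True (exit 0) when the version lies in [2.6.17, 2.6.24.1).
in_affected_range() {
    [ "$(version_cmp "$1" 2.6.17)" -ge 0 ] && [ "$(version_cmp "$1" 2.6.24.1)" -lt 0 ]
}

# Human-readable verdict for one release string.
kernel_verdict() {
    if in_affected_range "$1"; then
        printf 'AFFECTED RANGE: %s (2.6.17 .. 2.6.24); confirm vendor patch status\n' "$1"
    else
        printf 'outside reported range: %s\n' "$1"
    fi
}

# Stand-alone use: check the kernel this script is running on.
kernel_verdict "$(uname -r)"
```

Run it on each host you have shell access to; the distribution's own advisory, not the version number, decides whether a kernel inside the range is actually patched.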

Comments
No Xen or Virtuozzo/OpenVZ VPSes are vulnerable to the root exploit (in my testing). Under Xen it locks up the VPS, and under Virtuozzo/OpenVZ it causes a non-fatal oops. The SecurityFocus report is listing the only non-vulnerable kernel as 2.6.24.1.
Correction: OpenVZ servers do oops; for some reason Virtuozzo nodes (running 2.6.18) do not and continue to run properly.
Thanks Matt for confirming the situation for VPS users!
OpenVZ servers can become unstable after running the exploit. It did cause a console event on a Debian hardware server.
Happily installing a patch proved to be quite easy and the newest version of OpenVZ was not affected at all.
This just highlights the problem with unmanaged web-facing systems. It's great that the main players acted promptly.