[Users] New kernel vuln...

Michael Stauber mstauber at blueonyx.it
Mon Aug 17 14:26:49 EDT 2009


Hi Michael,

> OpenVZ Kernel jockies...
>
> Anyone like to comment on if they think this could be exploited from a
> guest VM to execute code on the host node?  
>
> CVE-2009-2692

I tested it on Friday with the exploit from Brad Spengler, which is mentioned 
on this page:

http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

The exploit allows an unprivileged user to gain root access. However: The 
exploit (as is) *only* works on the master node. NOT inside a VE. Somehow the 
virtualization already takes care of it and prevents it when someone runs it 
inside a VE.

Those were my findings when I tested it on CentOS4 and CentOS5 master nodes 
with CentOS4 and CentOS5 VEs. Didn't test any other distributions, as they're 
of next to no importance to my clients.

So as long as no untrusted user has local access to the master node (or 
somehow manages to break out of a VE) you should be fine.

I was using the latest stable OpenVZ kernels at the time of the testing (and 
2-3 older ones on internal devel boxes that hadn't been updated). My kernels 
are just rebuilds from the OpenVZ SRPMs with different naming (not 
"ovzkernel", but back to "kernel"). The rest is "stock".

I already rolled up updated OpenVZ kernels for CentOS5 with the patch that 
Linus Torvalds posted on Friday:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

A patched one for straight CentOS5 - *without* the OpenVZ stuff! - can be 
found here:

http://mirror.blueonyx.it/pub/BlueOnyx/5106R/CentOS5/blueonyx/testing/RPMS/

FWIW: The RedHat 2.6.18-128.4.1.el5 SRPM has about 8-10 patches which the 
OpenVZ 2.6.18-128.2.1 kernel is missing. I started looking up the CVE numbers 
to see what the missing patches were for (if the CVE numbers were given in the 
changelog), but it didn't appear to be anything overly worrisome.

> This seems pretty serious and exploits are in the wild.

Yeah, if you're running an unvirtualized Linux you should be worried. If 
you're running CentOS, then especially so. It just took them 9 days to release 
a GLIBC update and the other "important" kernel and bind updates before that 
were also so late that it was nothing to write home about. I wonder how long 
it'll take them this time to rebuild the RedHat kernel SRPM and release it 
<sigh>. It's no longer funny what they do. 

-- 
With best regards

Michael Stauber
--> http://www.aventurin.net
----> http://www.blueonyx.it
