[Users] New kernel vuln...
Michael Stauber
mstauber at blueonyx.it
Mon Aug 17 14:26:49 EDT 2009
Hi Michael,
> OpenVZ Kernel jockies...
>
> Anyone like to comment on if they think this could be exploited from a
> guest VM to execute code on the host node?
>
> CVE-2009-2692
I tested it on Friday with the exploit from Brad Spengler, which is mentioned
on this page:
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
The exploit allows an unprivileged user to gain root access. However: The
exploit (as is) *only* works on the master node. NOT inside a VE. Somehow the
virtualization already takes care of it and prevents it when someone runs it
inside a VE.
Those were my findings when I tested it on CentOS4 and CentOS5 master nodes
with CentOS4 and CentOS5 VEs. Didn't test any other distributions, as they're
of next to no importance to my clients.
So as long as no untrusted user has local access to the master node (or
somehow manages to break out of a VE) you should be fine.
I was using the latest stable OpenVZ kernels at the time of the testing (and
2-3 older ones on internal devel boxes that hadn't been updated). My kernels
are just rebuilds from the OpenVZ SRPMs with different naming (not
"ovzkernel", but back to "kernel"). The rest is "stock".
I already rolled up updated OpenVZ kernels for CentOS5 with the patch that
Linus Torvalds posted on Friday:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
A patched one for straight CentOS5 - *without* the OpenVZ stuff! - can be
found here:
http://mirror.blueonyx.it/pub/BlueOnyx/5106R/CentOS5/blueonyx/testing/RPMS/
FWIW: The RedHat 2.6.18-128.4.1.el5 SRPM has about 8-10 patches which the
OpenVZ 2.6.18-128.2.1 kernel is missing. I started looking up the CVE numbers
to see what the missing patches were for (if the CVE numbers were given in the
changelog), but it didn't appear to be anything overly worrisome.
> This seems pretty serious and exploits are in the wild.
Yeah, if you're running an unvirtualized Linux you should be worried. If
you're running CentOS, then especially so. It just took them 9 days to release
a GLIBC update and the other "important" kernel and bind updates before that
were also so late that it was nothing to write home about. I wonder how long
it'll take them this time to rebuild the RedHat kernel SRPM and release it
<sigh>. It's no longer funny what they do.
--
With best regards
Michael Stauber
--> http://www.aventurin.net
----> http://www.blueonyx.it