rssLink RSS for all categories
 
icon_red
icon_green
icon_red
icon_red
icon_blue
icon_green
icon_green
icon_red
icon_red
icon_red
icon_orange
icon_green
icon_green
icon_green
icon_green
icon_blue
icon_green
icon_orange
icon_red
icon_green
icon_red
icon_red
icon_green
icon_red
icon_red
icon_red
icon_red
icon_orange
icon_green
 

FS#4704 — FS#8636 — Local Linux root exploit 2.6.37 - 3..8.8

Attached to Project— Dedicated servers
Incident
all (dedicated servers)
CLOSED
100%
A root exploit has just been published.

While we have not been able to exploit this vulnerability
on a GRSEC kernel, it could cause servers to crash under certain conditions.

We released the 3.8.13 kernel today.
All OVH kernel distributions are now delivered
with the latest Linux kernel.

If your server uses NetBoot, you can simply reboot it.
If not, you can install the new kernel manually by clicking here:

[GRS] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-xxxx-grs-ipv6-64
[STD] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-xxxx-std-ipv6-64

Or for VMs:
[GRS] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-vps-grs-ipv6-64
[STD] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-vps-std-ipv6-64

In addition to fixing this loophole, the new kernel also brings improved performances,
especially for the network.

Redhat RHEL 6.0 (but not 5.0) has also been affected:
https://bugzilla.redhat.com/show_bug.cgi?id=962792

Almost all distributions have this vulnerability.


*** Mitigation ***

The exploit is no longer functional after changing the kernel.perf_event_paranoid parameter:
# sysctl kernel.perf_event_paranoid=2

However, this does not correct the underlying vulnerability, thus
rebooting the server onto the new kernel ASAP is highly recommended.
Date:  Wednesday, 31 July 2013, 13:42PM
Reason for closing:  Done
Comment by OVH - Thursday, 16 May 2013, 12:18PM

During a manual soft reboot, some installations of OVH Release 2 (based on gentoo) are blocking after shutdown instead of restarting. This is due to the devtmpfs still inknown to gentoo scripts. The fix is simple:

sed -i "s/devfs|tmpfs/devfs|devtmpfs|tmpfs/g" /etc/init.d/halt.sh