[BlueOnyx:02135] New CentOS5 kernel in BX-Testing - fixes vulnerability CVE-2009-2692
Michael Stauber
mstauber at blueonyx.it
Sun Aug 16 10:39:45 -05 2009
Hi all,
A vulnerability (Null pointer dereference) has been found in all Linux 2.4/2.6
kernel versions since May 2001. This vulnerability could allow a local
unprivileged user to gain root access. An exploit for it is already in the
wild and usage of the exploit is fairly simple.
This vulnerability (of course) also affects the latest CentOS5 kernel on
BlueOnyx.
More info on the vulnerability:
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070197.html
https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10
Linus Torvalds commented on this last Friday and submitted a patch into the
code repository at kernel.org:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
As of right now there is no official patched kernel available from either
RedHat or CentOS. One for Fedora is out though. The one from RedHat will
probably be around sometime early next week and the one from CentOS might take a
bit longer - as usual (they just sat on a glibc update for nine days).
As I rolled up a fixed kernel for Aventurin{e} anyway I went one step further
and built a separate one for BlueOnyx, too.
*PLEASE NOTE:* This updated kernel is not tested that well. It's tested in so
far that it boots on the test machines I have access to. It's also tested that
it closes the vulnerability CVE-2009-2692 mentioned here. It still may not
work for you, although nothing speaks against it.
For this reason this kernel is in the BlueOnyx-Testing repository, which is
disabled by default.
So you can either choose if you want to risk it with this custom kernel, or
you can choose if you want to wait for the official CentOS kernel.
As mentioned above: The exploit requires local access (either through a shell
account, or through a vulnerable (web) application for example).
How to enable the testing repository:
--------------------------------------------
(The testing repository has been cleaned out, so only the custom kernel is in
it and no "other surprises".)
As "root" edit this file on your server:
/etc/yum.repos.d/BlueOnyx.repo
Find the following section at the bottom:
[BlueOnyx-Testing]
name=BlueOnyx 5106R Testing - $basearch
#baseurl=http://www.blueonyx.it/pub/BlueOnyx/5106R/CentOS5/blueonyx/testing/
mirrorlist=http://www.blueonyx.it/mirror.php?release=$releasever&arch=testing
gpgcheck=1
enabled=0
gpgkey=http://www.blueonyx.it/pub/BlueOnyx/RPM-GPG-KEY-NUSOL-5106R
In it set the switch "enabled=0" to "enabled=1".
Then run "yum clean all" and "yum update". That should download the updated
kernel. For easy identification it has the extension "bx02" at the end.
After the yum update edit the yum repository file again to set the testing
repository back to disabled.
Then reboot your server. Don't skip this step, as you need to boot into the
new kernel to be protected.
To confirm that your server has booted the correct kernel, run "uname -r". It
should report something like this:
2.6.18-128.4.2.el5.bx02
...or...
2.6.18-128.4.2.el5.bx02-PAE
The important part in the name is "bx02". If it's not showing that, then your
box has booted an unpatched (stock) kernel.
--
With best regards
Michael Stauber
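
Added example, not part of the original post: a shell check for the last two steps of the procedure above (testing repository switched back to disabled, "bx02" kernel actually booted). The function names and the "--host" switch are hypothetical; the repo file path, section name and "bx02" marker are taken from the post.

```shell
#!/bin/sh
# Added example: post-update checks for the procedure in the post above.
# Function names are hypothetical; path and "bx02" marker are from the post.

REPO_FILE=/etc/yum.repos.d/BlueOnyx.repo
REPO_SECTION=BlueOnyx-Testing

# Succeeds if a kernel release string ends in the "bx02" marker
# (optionally followed by "-PAE"), as in the two examples in the post.
kernel_is_patched() {
    case "$1" in
        *.bx02|*.bx02-PAE) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the effective "enabled" value of SECTION in a yum .repo FILE,
# or "missing" if the section is absent. yum treats a section without
# an "enabled" line as enabled, so that case prints 1.
repo_enabled_value() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_sec = ($0 == want)
                      if (in_sec) found = 1; next }
        in_sec && /^[ \t]*enabled[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); val = $0 }
        END { if (!found) { print "missing" }
              else { print (val == "" ? "1" : val) } }
    ' "$1"
}

# Checks the running host: patched kernel booted, testing repo disabled again.
check_host() {
    rc=0
    rel=$(uname -r)
    if kernel_is_patched "$rel"; then echo "OK: running $rel"
    else echo "WARN: running $rel, not a bx02 kernel (rebooted?)"; rc=1; fi
    state=$(repo_enabled_value "$REPO_FILE" "$REPO_SECTION")
    if [ "$state" = "0" ] || [ "$state" = "missing" ]; then
        echo "OK: [$REPO_SECTION] is not enabled"
    else echo "WARN: [$REPO_SECTION] is still enabled in $REPO_FILE"; rc=1; fi
    return $rc
}

# Run the host check only when asked, e.g.: sh check_bx02.sh --host
if [ "${1:-}" = "--host" ]; then check_host; fi
```
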