Linux Kernel Vulnerability

pete284

Linux Kernel Vulnerability

Post by pete284 »

The Register has reported:

A major security vulnerability in the Linux kernel, which was revealed on Sunday, has claimed its first confirmed UK victim in business ISP Claranet.

Hackers used a bug in the sys_vmsplice kernel call, which handles virtual memory management, to gain root privileges and replace Claranet customers' index.html files with the hacker's calling card.

The exploit was noticed at about 6pm on Tuesday.

Claranet said: "Malicious activity related to the vulnerability was detected on Claranet's shared hosting platform. Within 10 minutes Claranet contained and halted the malicious activity, and locked down the platform to prevent further damage.

"The shared hosting platform was fully patched with the vendor's updates by 10am on Wednesday. Less than one per cent of the total web sites hosted on the Claranet platform were affected and all were restored to their original states by 1pm on Wednesday 13 February."

The (potentially tricky) hacking process was dumbed down by the publication of exploit code earlier this week, Linux-Watch notes.

Security notification firm Secunia reports that switching to either version 2.6.23.16 or 2.6.24.2 of the Linux kernel guards against attack. Hotfixes designed to plug the vulnerability short of upgrading the kernel have also been released.

The affected system call first appeared in version 2.6.17 of the Linux kernel, but wasn't left open to exploit until changes were made with the 2.6.23 version.

Linux vendors are working on a permanent fix for the problem. Claranet emphasised that it keeps a close eye on announcements of new vulnerabilities and acts swiftly to patch them.


Apparently other forums report Ubuntu sent out a patch on 13th Feb
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Husse

Re: Linux Kernel Vulnerability

Post by Husse »

The affected system call first appeared in version 2.6.17 of the Linux kernel, but wasn't left open to exploit until changes were made with the 2.6.23 version.
As we have 2.6.22 we're probably safe
clem

Re: Linux Kernel Vulnerability

Post by clem »

You can get the Ubuntu patches in mintUpdate:

- open the preferences.
- make level 5 visible.
- sort the list of updates by level to see the kernel (level 5).
- clear the list to have nothing selected.
- select the kernel (linux-image-...)
- click install updates
- go back to preferences and make level 5 invisible again.

Now, before you do that... make sure you know why you're doing it. If you're a home user, behind a physical router + ISP (NAT and all) and you've been using kernel modules (nvidia drivers, restricted manager for wifi, virtualbox..etc..) you probably:

1- don't care about hackers.
2- do care about the stability of your system.

so in this case, don't bother upgrading. Things work now, will they work as well then?

If you're on standard hardware and exposed on the Internet (a server for instance) then you'll probably want to take the update.

It's up to you basically ;)

Clem
Husse

Re: Linux Kernel Vulnerability

Post by Husse »

And I point this out again
As we have 2.6.22 we're probably safe
I think you can skip probably
Clem I'm not bashing you :) just driving home the fact that we're safe
clem

Re: Linux Kernel Vulnerability

Post by clem »

No problem at all :wink:
linuxviolin

Re: Linux Kernel Vulnerability

Post by linuxviolin »

Husse wrote:I think you can skip probably
No you should not skip this kernel update!
Husse wrote:As we have 2.6.22 we're probably safe
No, "the problem affects only kernels 2.6.17 and newer" and for Ubuntu the exploit is confirmed for Gutsy (2.6.22-14-generic), Hardy (2.6.24), Feisty. Importance: high
See here or here (
A security issue affects the following Ubuntu releases:

Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:
Details follow:

Wojciech Purczynski discovered that the vmsplice system call did
not properly perform verification of user-memory pointers. A local
attacker could exploit this to overwrite arbitrary kernel memory
and gain root privileges. (CVE-2008-0600)
)

You can read here for more explanations of this vmsplice problem.
When the word of this problem first came out, it was thought to only affect 2.6.23 and 2.6.24 kernels (...) In fact, the vulnerability was the result of a different problem - and it is a much worse one, in that kernels all the way back to 2.6.17 are affected. At this point, a large proportion of running Linux systems are vulnerable.
Ubuntu 6.10/7.04/7.10 patched it on Feb. 12.
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
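The version figures quoted in the posts above (affected from 2.6.17, fixed upstream in 2.6.23.16 and 2.6.24.2) can be turned into a quick check. This is an added example, not code from any poster or from Ubuntu or Mint; the function name `vmsplice_status` and its status words are made up for illustration, and it only knows the numbers that appear in this thread.

```shell
#!/bin/sh
# Added example: classify a kernel release string for CVE-2008-0600 (vmsplice)
# using only the version figures quoted in this thread.
# Prints one of: not-affected, affected, fixed-upstream, unknown.
vmsplice_status() {
    base=${1%%-*}                 # drop distro suffix such as "-14-generic"
    old_ifs=$IFS; IFS=.
    set -- $base                  # split "2.6.23.16" into $1..$4
    IFS=$old_ifs
    for part in "$@"; do          # reject anything that is not purely numeric
        case $part in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    # The thread only gives figures for the 2.6 series.
    if [ "${1:-0}" != 2 ] || [ "${2:-0}" != 6 ]; then
        echo unknown; return 0
    fi
    patch=${3:-0}; stable=${4:-0}
    if [ "$patch" -lt 17 ]; then
        echo not-affected         # vmsplice first appeared in 2.6.17
    elif [ "$patch" -le 22 ]; then
        echo affected             # no fixed upstream release is named in the thread
    elif [ "$patch" -eq 23 ]; then
        if [ "$stable" -ge 16 ]; then echo fixed-upstream; else echo affected; fi
    elif [ "$patch" -eq 24 ]; then
        if [ "$stable" -ge 2 ]; then echo fixed-upstream; else echo affected; fi
    else
        echo unknown              # later releases are not covered by the thread
    fi
}

# "affected" for a distro kernel means "check that the vendor update is installed":
# a patched Ubuntu kernel keeps the same upstream version number.
echo "running kernel $(uname -r): $(vmsplice_status "$(uname -r)")"
```

For a distro kernel such as Gutsy's 2.6.22-14-generic, the answer is "affected" both before and after the vendor patch, so the installed package version in the update manager is what confirms the fix.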
clem

Re: Linux Kernel Vulnerability

Post by clem »

Related kernel patches were moved from Level 5 to Level 3.

Clem.
NoClue!

Re: Linux Kernel Vulnerability

Post by NoClue! »

Will this break my nvidia and vbox drivers?
clem

Re: Linux Kernel Vulnerability

Post by clem »

You tell us :lol: :lol:

Since it's the same kernel I very much doubt so. But if it does please tell us immediately so we put this back to level 5. You know my position when it comes to stability vs security.

Clem.
NoClue!

Re: Linux Kernel Vulnerability

Post by NoClue! »

Well, since Clem put me up to the challenge I took the kernel updates, did a restart and everything works fine. Safe and secure again. hehehe
WoodCAT

Re: Linux Kernel Vulnerability

Post by WoodCAT »

I'm glad to report that my machine running ATI restricted drivers+xgl+compiz-fusion survived well too. :-)
pete284

Re: Linux Kernel Vulnerability

Post by pete284 »

I've updated the kernel and everything works fine for me too (I'm using the unrestricted drivers)
Husse

Re: Linux Kernel Vulnerability

Post by Husse »

I feel a bit guilty here - but it was stated as above in the official announcement I was told
Sorry to have misinformed - will change the newsletter too
akshunj

Re: Linux Kernel Vulnerability

Post by akshunj »

Has anyone realized that kernel updates are showing up in mintUpdate as Level 3 - Safe to Install? I've attached a screenshot. Not sure what happened, but I NEVER do kernel updates and I almost screwed myself into a driver re-compiling nightmare. FYI...

--Akshun J
mintUpdate.png
clem

Re: Linux Kernel Vulnerability

Post by clem »

Yes, these particular versions of the kernel were moved to Level 3 (see above in the thread).

Clem
akshunj

Re: Linux Kernel Vulnerability

Post by akshunj »

clem wrote:Yes, these particular versions of the kernel were moved to Level 3 (see above in the thread).

Clem
Sorry, I wasn't reading as thoroughly as I should. It looks like this upgrade won't break drivers. Very nice. Thanks!

--Akshun J
rootkowski

Re: Linux Kernel Vulnerability

Post by rootkowski »

Hi!

I heard the news some time ago but I thought I didn't have to bother since I'm behind a router. Anyway, I might just as well go and install the upgrade, but... I don't know if it is only the linux-image package that is required or should I install linux-headers as well (or maybe anything else too?).

Thanx!
Husse

Re: Linux Kernel Vulnerability

Post by Husse »

It's only some headers
And it's only if you have more than one user that something bad could happen
But on the other hand we all have at least two users - root and the "Superuser"
rootkowski

Re: Linux Kernel Vulnerability

Post by rootkowski »

Husse wrote:It's only some headers
And it's only if you have more than one user that something bad could happen
But on the other hand we all have at least two users - root and the "Superuser"
Sorry, I don't really understand. When I mark linux-image synaptic doesn't tell me to install anything else, but that feels quite wrong. So I attach a picture of the upgradable kernel packages and if you could tell me what is necessary and useful.

Image

Thanks!
Husse

Re: Linux Kernel Vulnerability

Post by Husse »

You should use mintUpdate and then you get the right headers