As you may have seen in the news, there is a kernel exploit for 64-bit Linux operating systems. This exploit allows a local user to gain root-level permissions on the server due to an issue with the 32-bit compatibility layer. Fortunately, we use Ksplice, so we’ve already patched our systems. This exploit cannot be run remotely, but if a web application on the server has an exploitable security flaw, local exploits can become remote ones.
About CVE-2010-3081
A recently discovered vulnerability, CVE-2010-3081, grants an attacker administrative, or “root”, access to 64-bit Linux systems. Vendors and security experts have suggested various workarounds while we await a patch. Red Hat has released a knowledge base article on this exploit. So far, we’ve not seen any systems compromised due to CVE-2010-3081.
Ksplice Fix
On Saturday, rackAID’s partner, Ksplice, released a fix for CVE-2010-3081. The rebootless update was the fastest way to close the CVE-2010-3081 vulnerability, as it requires no downtime or disruption. On Red Hat Enterprise Linux and CentOS, the Ksplice update was released before a traditional patch was made available by the operating system vendor. This is just one of the benefits of a proactively managed system and adopting the best technologies to keep systems secure.
If you are enrolled in our server management program, then your server has already been patched.
Red Hat’s Workaround
If you are not using Ksplice, Red Hat has released a workaround that involves patching part of the system with an echo command. While they advise using this workaround, they warn that it is only known to protect against the initial exploit. A full kernel patch will be pushed out soon.
Exploits in the Wild
I am seeing some reports of active exploits “in the wild.” This is security jargon meaning that there are systems that have been exploited with this technique. If we end up working on a system that has been hit by this exploit, I will update this post with the details.