Want to subscribe to topics you're interested in?
Become a Member

Security Kernel Security Update: Local Privilege Escalation CVE-2016-5195

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Oct 21, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Security update for Linux Kernel coming soon for Kernel local privilege escalation security flaw (CVE-2016-5195). The bug report at Bug 1384344 – CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage


    Update October 25, 2016



    CentOS 7 & Redhat 7 is the first to get updated Kernel version for this flaw Red Hat Customer Portal
    • kernel-3.10.0-327.36.3.el7
    Update via YUM command
    Code (Text):
    yum update

    Then reboot server for changes to take affect.

    Update October 27, 2016



    CentOS 6 like 7, get their kernel fix updates CVE-2016-5195 - Red Hat Customer Portal So that leaves CentOS 5 still waiting.

    CentOS 6 Red Hat Customer Portal
    • kernel-2.6.32-642.6.2.el6
    Update via YUM command
    Code (Text):
    yum update

    Then reboot server for changes to take affect.
     
    Last edited: Oct 27, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Seems like Redhat 6 and 7 and those CentOS 6 and 7 kernel updates are listed as pending still so not yet available. So keep an eye on Kernel Local Privilege Escalation - CVE-2016-5195 and CVE-2016-5195 - Red Hat Customer Portal

    Also check out dirtycow.ninja and VulnerabilityDetails · dirtycow/dirtycow.github.io Wiki · GitHub

    VulnerabilityDetails · dirtycow/dirtycow.github.io Wiki · GitHub

     
    Last edited: Oct 21, 2016
  3. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    More coverage “Most serious” Linux privilege-escalation bug ever is under active exploit | Ars Technica

     
  4. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    FYI, for linode users, they have released 4.8.3 Kernels for their users for this security flaw Linode Blog » Linux “Dirty Cow” Vulnerability (CVE-2016-5195)

    nice
    Code (Text):
    uname -a     
    Linux XXX.XXXX 4.8.3-x86_64-linode76 #1 SMP Thu Oct 20 19:05:39 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
    
     
    Last edited: Oct 22, 2016
  5. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    FYI, if you web host uses KernelCare, they have released patched Kernels for this security flaw too. Some OpenVZ VPS hosts of mine use KernelCare :)

     
  6. cloud9

    cloud9 Active Member

    142
    54
    28
    Oct 6, 2015
    England
    Ratings:
    +75
    Local Time:
    3:35 AM
    1.17.x
    10.x
    I use KernalCare on my KVM's - Been using it for quite a few years now - Really good :)
     
  7. pamamolf

    pamamolf Premium Member Premium Member

    3,944
    399
    83
    May 31, 2014
    Ratings:
    +775
    Local Time:
    5:35 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    Let's wait Red Hat also for the native patch :)
     
  8. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Nice been wanting to try KernelCare on some of my more important servers. But my main Linode ones seem taken care of kernel wise. Does KernelCare still require a reboot for this ?
    yeah soon.. though if you're only person with access to the server probably not that big of a deal AFAIK.
     
  9. pamamolf

    pamamolf Premium Member Premium Member

    3,944
    399
    83
    May 31, 2014
    Ratings:
    +775
    Local Time:
    5:35 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    I was use Ksplice before and Kernel Care also and never need any restart to get patches active :)
     
  10. cloud9

    cloud9 Active Member

    142
    54
    28
    Oct 6, 2015
    England
    Ratings:
    +75
    Local Time:
    3:35 AM
    1.17.x
    10.x
  11. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  12. Matt

    Matt Well-Known Member

    869
    394
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +615
    Local Time:
    3:35 AM
    1.5.15
    MariaDB 10.2
    I've been testing on one of my SYS servers to try and get the default CentOS kernel to load, rather than the OVH GRS one, and after 3 hours, it's still a no-go :(
     
  13. cloud9

    cloud9 Active Member

    142
    54
    28
    Oct 6, 2015
    England
    Ratings:
    +75
    Local Time:
    3:35 AM
    1.17.x
    10.x
    @Matt I have never used OVH, Whats the OVH GRS CentOS ? Can you not use the default kernel on the OVH servers ?
     
  14. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    ouch i haven't tried that myself on SoYouStart as i normally install CentOS out of the box using distro default kernel instead of SYS/OVH grs custom kernels.

    @cloud9 OVH/SoYouStart by default on CentOS use their own custom grs secure kernels which don't always play nice. But you can choose to use CentOS default distro kernels at install time. But i haven't tried switching from grs to distro kernel before on OVH/SYS

    soyoustart-centos7-reinstall-00.png
    soyoustart-centos7-reinstall-02.png
     
  15. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  16. Matt

    Matt Well-Known Member

    869
    394
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +615
    Local Time:
    3:35 AM
    1.5.15
    MariaDB 10.2
  17. Matt

    Matt Well-Known Member

    869
    394
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +615
    Local Time:
    3:35 AM
    1.5.15
    MariaDB 10.2
    and, because it's an SYS server, it doesn't have KVM, so I can't see any error messages which could be causing it not to boot.
     
  18. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    12:35 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    believe you can pay for KVM enable access for SYS for 24hrs IIRC - probably best way instead of stabbing in the dark :)
     
  19. Matt

    Matt Well-Known Member

    869
    394
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +615
    Local Time:
    3:35 AM
    1.5.15
    MariaDB 10.2
    Not for £27 I'm not!
     
  20. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    10:35 AM
    latest
    latest
    OpenVZ 2.6.32-43-pve

    That is still vulnerable right?