Learn about Centmin Mod LEMP Stack today
Register Now

Security Kernel Security Update: Local Privilege Escalation CVE-2016-5195

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Oct 21, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Security update for Linux Kernel coming soon for Kernel local privilege escalation security flaw (CVE-2016-5195). The bug report at Bug 1384344 – CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage

    Update October 25, 2016




    CentOS 7 & Redhat 7 is the first to get updated Kernel version for this flaw Red Hat Customer Portal
    • kernel-3.10.0-327.36.3.el7
    Update via YUM command
    Code (Text):
    yum update

    Then reboot server for changes to take affect.

    Update October 27, 2016



    CentOS 6 like 7, get their kernel fix updates CVE-2016-5195 - Red Hat Customer Portal So that leaves CentOS 5 still waiting.

    CentOS 6 Red Hat Customer Portal
    • kernel-2.6.32-642.6.2.el6
    Update via YUM command
    Code (Text):
    yum update

    Then reboot server for changes to take affect.
     
    Last edited: Oct 27, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Seems like Redhat 6 and 7 and those CentOS 6 and 7 kernel updates are listed as pending still so not yet available. So keep an eye on Kernel Local Privilege Escalation - CVE-2016-5195 and CVE-2016-5195 - Red Hat Customer Portal

    Also check out dirtycow.ninja and VulnerabilityDetails · dirtycow/dirtycow.github.io Wiki · GitHub

    VulnerabilityDetails · dirtycow/dirtycow.github.io Wiki · GitHub

     
    Last edited: Oct 21, 2016
  3. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More coverage “Most serious” Linux privilege-escalation bug ever is under active exploit | Ars Technica

     
  4. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    FYI, for linode users, they have released 4.8.3 Kernels for their users for this security flaw Linode Blog » Linux “Dirty Cow” Vulnerability (CVE-2016-5195)

    nice
    Code (Text):
    uname -a     
    Linux XXX.XXXX 4.8.3-x86_64-linode76 #1 SMP Thu Oct 20 19:05:39 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
    
     
    Last edited: Oct 22, 2016
  5. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    FYI, if you web host uses KernelCare, they have released patched Kernels for this security flaw too. Some OpenVZ VPS hosts of mine use KernelCare :)

     
  6. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    1:35 PM
    1.25.3
    10.6.x
    I use KernalCare on my KVM's - Been using it for quite a few years now - Really good :)
     
  7. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    3:35 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Let's wait Red Hat also for the native patch :)
     
  8. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Nice been wanting to try KernelCare on some of my more important servers. But my main Linode ones seem taken care of kernel wise. Does KernelCare still require a reboot for this ?
    yeah soon.. though if you're only person with access to the server probably not that big of a deal AFAIK.
     
  9. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    3:35 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    I was use Ksplice before and Kernel Care also and never need any restart to get patches active :)
     
  10. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    1:35 PM
    1.25.3
    10.6.x
  11. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  12. Matt

    Matt Well-Known Member

    932
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    1:35 PM
    1.5.15
    MariaDB 10.2
    I've been testing on one of my SYS servers to try and get the default CentOS kernel to load, rather than the OVH GRS one, and after 3 hours, it's still a no-go :(
     
  13. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    1:35 PM
    1.25.3
    10.6.x
    @Matt I have never used OVH, Whats the OVH GRS CentOS ? Can you not use the default kernel on the OVH servers ?
     
  14. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    ouch i haven't tried that myself on SoYouStart as i normally install CentOS out of the box using distro default kernel instead of SYS/OVH grs custom kernels.

    @cloud9 OVH/SoYouStart by default on CentOS use their own custom grs secure kernels which don't always play nice. But you can choose to use CentOS default distro kernels at install time. But i haven't tried switching from grs to distro kernel before on OVH/SYS

    soyoustart-centos7-reinstall-00.png
    soyoustart-centos7-reinstall-02.png
     
  15. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  16. Matt

    Matt Well-Known Member

    932
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    1:35 PM
    1.5.15
    MariaDB 10.2
  17. Matt

    Matt Well-Known Member

    932
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    1:35 PM
    1.5.15
    MariaDB 10.2
    and, because it's an SYS server, it doesn't have KVM, so I can't see any error messages which could be causing it not to boot.
     
  18. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:35 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    believe you can pay for KVM enable access for SYS for 24hrs IIRC - probably best way instead of stabbing in the dark :)
     
  19. Matt

    Matt Well-Known Member

    932
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    1:35 PM
    1.5.15
    MariaDB 10.2
    Not for £27 I'm not!
     
  20. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    9:35 PM
    latest
    latest
    OpenVZ 2.6.32-43-pve

    That is still vulnerable right?