Discover Centmin Mod today
Register Now

Security Kernel Security Update: Local Privilege Escalation CVE-2016-5195

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Oct 21, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    Security update for Linux Kernel coming soon for Kernel local privilege escalation security flaw (CVE-2016-5195). The bug report at Bug 1384344 – CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage

    Update October 25, 2016



    CentOS 7 & Redhat 7 is the first to get updated Kernel version for this flaw Red Hat Customer Portal
    • kernel-3.10.0-327.36.3.el7
    Update via YUM command
    Code (Text):
    yum update

    Then reboot server for changes to take affect.

    Update October 27, 2016



    CentOS 6 like 7, get their kernel fix updates CVE-2016-5195 - Red Hat Customer Portal So that leaves CentOS 5 still waiting.

    CentOS 6 Red Hat Customer Portal
    • kernel-2.6.32-642.6.2.el6
    Update via YUM command
    Code (Text):
    yum update

    Then reboot server for changes to take affect.
     
    Last edited: Oct 27, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    Seems like Redhat 6 and 7 and those CentOS 6 and 7 kernel updates are listed as pending still so not yet available. So keep an eye on Kernel Local Privilege Escalation - CVE-2016-5195 and CVE-2016-5195 - Red Hat Customer Portal

    Also check out dirtycow.ninja and VulnerabilityDetails · dirtycow/dirtycow.github.io Wiki · GitHub

    VulnerabilityDetails · dirtycow/dirtycow.github.io Wiki · GitHub

     
    Last edited: Oct 21, 2016
  3. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    More coverage “Most serious” Linux privilege-escalation bug ever is under active exploit | Ars Technica

     
    • Informative Informative x 1
  4. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    FYI, for linode users, they have released 4.8.3 Kernels for their users for this security flaw Linode Blog » Linux “Dirty Cow” Vulnerability (CVE-2016-5195)

    nice
    Code (Text):
    uname -a     
    Linux XXX.XXXX 4.8.3-x86_64-linode76 #1 SMP Thu Oct 20 19:05:39 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
    
     
    Last edited: Oct 22, 2016
  5. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    FYI, if you web host uses KernelCare, they have released patched Kernels for this security flaw too. Some OpenVZ VPS hosts of mine use KernelCare :)

     
  6. cloud9

    cloud9 Premium Member Premium Member

    140
    54
    28
    Oct 6, 2015
    England
    Ratings:
    +75
    Local Time:
    11:08 PM
    1.11.x
    10.x
    I use KernalCare on my KVM's - Been using it for quite a few years now - Really good :)
     
    • Like Like x 1
  7. pamamolf

    pamamolf Well-Known Member

    2,491
    229
    63
    May 31, 2014
    Ratings:
    +390
    Local Time:
    1:08 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Let's wait Red Hat also for the native patch :)
     
    • Like Like x 1
  8. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    Nice been wanting to try KernelCare on some of my more important servers. But my main Linode ones seem taken care of kernel wise. Does KernelCare still require a reboot for this ?
    yeah soon.. though if you're only person with access to the server probably not that big of a deal AFAIK.
     
    • Agree Agree x 1
  9. pamamolf

    pamamolf Well-Known Member

    2,491
    229
    63
    May 31, 2014
    Ratings:
    +390
    Local Time:
    1:08 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    I was use Ksplice before and Kernel Care also and never need any restart to get patches active :)
     
    • Like Like x 1
  10. cloud9

    cloud9 Premium Member Premium Member

    140
    54
    28
    Oct 6, 2015
    England
    Ratings:
    +75
    Local Time:
    11:08 PM
    1.11.x
    10.x
    • Like Like x 1
  11. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    • Agree Agree x 1
  12. Matt

    Matt Moderator Staff Member

    680
    314
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +433
    Local Time:
    11:08 PM
    1.7.1
    MariaDB 10
    I've been testing on one of my SYS servers to try and get the default CentOS kernel to load, rather than the OVH GRS one, and after 3 hours, it's still a no-go :(
     
  13. cloud9

    cloud9 Premium Member Premium Member

    140
    54
    28
    Oct 6, 2015
    England
    Ratings:
    +75
    Local Time:
    11:08 PM
    1.11.x
    10.x
    @Matt I have never used OVH, Whats the OVH GRS CentOS ? Can you not use the default kernel on the OVH servers ?
     
  14. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    ouch i haven't tried that myself on SoYouStart as i normally install CentOS out of the box using distro default kernel instead of SYS/OVH grs custom kernels.

    @cloud9 OVH/SoYouStart by default on CentOS use their own custom grs secure kernels which don't always play nice. But you can choose to use CentOS default distro kernels at install time. But i haven't tried switching from grs to distro kernel before on OVH/SYS

    soyoustart-centos7-reinstall-00.png
    soyoustart-centos7-reinstall-02.png
     
    • Informative Informative x 1
  15. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
  16. Matt

    Matt Moderator Staff Member

    680
    314
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +433
    Local Time:
    11:08 PM
    1.7.1
    MariaDB 10
  17. Matt

    Matt Moderator Staff Member

    680
    314
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +433
    Local Time:
    11:08 PM
    1.7.1
    MariaDB 10
    and, because it's an SYS server, it doesn't have KVM, so I can't see any error messages which could be causing it not to boot.
     
  18. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,574
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,756
    Local Time:
    8:08 AM
    Nginx 1.13.x
    MariaDB 5.5
    believe you can pay for KVM enable access for SYS for 24hrs IIRC - probably best way instead of stabbing in the dark :)
     
  19. Matt

    Matt Moderator Staff Member

    680
    314
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +433
    Local Time:
    11:08 PM
    1.7.1
    MariaDB 10
    Not for £27 I'm not!
     
    • Funny Funny x 1
  20. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +161
    Local Time:
    6:08 AM
    latest
    latest
    OpenVZ 2.6.32-43-pve

    That is still vulnerable right?