[UCI-Linux] RHEL/CentOS kernel exploit leads to system compromise
iglesias at uci.edu
Tue Feb 25 14:01:25 PST 2014
We have received information that there is a kernel exploit that affects
RHEL/CentOS 5 and 6 that can lead to a system compromise. The information
notes that the attackers used valid credentials to log in and after the kernel
exploit was used to gain root, the sshd, ssh, and scp binaries were replaced
with copies that logged IDs and passwords to file(s) in /var/lib/games/.src
for later use.
RHEL 6 boxes running kernel 2.6.32-358 and older are vulnerable. Kernel
2.6.32-431 does not appear to be vulnerable. On CentOS 5, kernel 2.6.18-348
and older are vulnerable, but 2.6.18-371 is not. No information was provided
for RHEL 5, but I would assume it's vulnerable as well with the same kernel versions.
If you are running a system with a vulnerable kernel, you should upgrade the
kernel and check your sshd/ssh/scp binaries to make sure they have not been
replaced. The systems that were successfully attacked were shell servers at
another university, so systems like cluster front-ends are targets that should
be looked at closely.
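An added host check written for this advisory (not part of the original mail): it classifies the running kernel against the releases named above and verifies the ssh/scp/sshd binaries against the RPM database while looking for the /var/lib/games/.src path. It assumes the RHEL package names openssh-server and openssh-clients, and treats releases between the last vulnerable and first fixed ones the mail names as unknown.

```shell
#!/bin/sh
# Added check for the RHEL/CentOS advisory above; not from the original mail.
# Assumes the thresholds stated in the mail and standard RHEL OpenSSH packages.
# is_vulnerable_kernel <uname -r string>: prints vulnerable / patched / unknown
# and returns 1 / 0 / 2 respectively.
is_vulnerable_kernel() {
    k="$1"
    case "$k" in *-*) ;; *) echo unknown; return 2 ;; esac
    base="${k%%-*}"        # e.g. 2.6.32
    rest="${k#*-}"         # e.g. 358.el6.x86_64
    rel="${rest%%.*}"      # e.g. 358 (leading release number)
    case "$rel" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    case "$base" in
        2.6.32) last_bad=358; first_ok=431 ;;   # RHEL/CentOS 6 per the mail
        2.6.18) last_bad=348; first_ok=371 ;;   # CentOS 5 (assumed for RHEL 5)
        *) echo unknown; return 2 ;;
    esac
    if [ "$rel" -le "$last_bad" ]; then echo vulnerable; return 1; fi
    if [ "$rel" -ge "$first_ok" ]; then echo patched; return 0; fi
    echo unknown; return 2   # release between the two the mail names
}
# check_ssh_binaries: verify ssh/scp/sshd against the RPM database and look
# for the credential-log directory the mail names. Returns 1 on any finding.
check_ssh_binaries() {
    status=0
    if [ -e /var/lib/games/.src ]; then
        echo "WARNING: /var/lib/games/.src exists (indicator from the advisory)"
        status=1
    fi
    if command -v rpm >/dev/null 2>&1; then
        # rpm -V prints one line per file whose size, digest, mode, etc. differ
        # from the package; a tampered rpm or RPM db can hide this, so compare
        # against a known-good copy (or rpm -Vp with the original RPM) if unsure.
        changed=$(rpm -V openssh-server openssh-clients 2>/dev/null \
                  | grep -E '/usr/(bin/ssh|bin/scp|sbin/sshd)$' || true)
        if [ -n "$changed" ]; then
            echo "WARNING: OpenSSH binaries differ from package contents:"
            echo "$changed"
            status=1
        fi
    fi
    return $status
}
# Run both checks on the local host: sh thisscript.sh --check
if [ "${1:-}" = "--check" ]; then
    echo "kernel $(uname -r): $(is_vulnerable_kernel "$(uname -r)")"
    check_ssh_binaries
fi
```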
If you have any questions please let me know.
Mike Iglesias Email: iglesias at uci.edu
University of California, Irvine phone: 949-824-6926
Office of Information Technology FAX: 949-824-2270