[UCI-Linux] RHEL/CentOS kernel exploit leads to system compromise

Mike Iglesias iglesias at uci.edu
Tue Feb 25 14:01:25 PST 2014

We have received information that there is a kernel exploit that affects
RHEL/CentOS 5 and 6 that can lead to a system compromise.  The information
notes that the attackers used valid credentials to log in and after the kernel
exploit was used to gain root, the sshd, ssh, and scp binaries were replaced
with copies that logged IDs and passwords to file(s) in /var/lib/games/.src
for later use.

RHEL 6 boxes running kernel 2.6.32-358 and older are vulnerable.  Kernel
2.6.32-431 does not appear to be vulnerable.  On CentOS 5, kernel 2.6.18-348
and older are vulnerable, but 2.6.18-371 is not.  No information was provided
for RHEL 5, but I would assume it's vulnerable as well with the same kernel

If you are running a system with a vulnerable kernel, you should upgrade the
kernel and check your sshd/ssh/scp binaries to make sure they have not been
replaced.  The systems that were successfully attacked were shell servers at
another university, so systems like cluster front-ends are targets that should
be looked at closely.

If you have any questions please let me know.

Mike Iglesias                          Email:       iglesias at uci.edu
University of California, Irvine       phone:       949-824-6926
Office of Information Technology       FAX:         949-824-2270
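
The checks recommended in the message above, as an added example that is not part of the original post. The kernel thresholds and the /var/lib/games/.src location are taken from the notice; the function names, the optional root prefix and the binary paths are assumptions made for this example.

```shell
#!/bin/sh
# Triage helper for the notice above. Thresholds and the /var/lib/games/.src
# path come from the notice; function names and the optional root prefix are
# assumptions made for this example.

# Classify a `uname -r` string: vulnerable, not-vulnerable or unknown.
kernel_status() {
    rel=$1
    case $rel in *-*) ;; *) echo unknown; return 0 ;; esac
    base=${rel%%-*}; rest=${rel#*-}; build=${rest%%.*}
    case $build in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $base in
        2.6.32) vuln_max=358; fixed_min=431 ;;
        2.6.18) vuln_max=348; fixed_min=371 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$build" -le "$vuln_max" ]; then echo vulnerable
    elif [ "$build" -ge "$fixed_min" ]; then echo not-vulnerable
    else echo unknown    # builds between the two are not covered by the notice
    fi
}

# True if the credential-log location exists under an optional root prefix
# (for example a disk image mounted read-only at /mnt/evidence).
dropdir_present() {
    [ -e "${1:-}/var/lib/games/.src" ]
}

# Compare the installed binaries with the RPM database. Paths are the usual
# RHEL/CentOS locations (assumption). Returns 1 if anything is flagged.
verify_binaries() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rc=0
    for path in /usr/sbin/sshd /usr/bin/ssh /usr/bin/scp; do
        out=$(rpm -Vf "$path" 2>&1 | grep -F "$path" || true)
        if [ -n "$out" ]; then echo "CHECK $path:"; echo "$out"; rc=1; fi
    done
    return $rc
}

# Run the full report only when asked: sh triage.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
    if dropdir_present ""; then echo "FOUND /var/lib/games/.src"; fi
    verify_binaries || true
fi
```

A clean `rpm -Vf` result on a host that may already be rooted is not proof, since rpm and its database live on the same system; comparing the binaries against packages from trusted media, or from a rescue boot, is the stronger check.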
