[UCI-Linux] [Network-security-alerts] RHEL/CentOS kernel exploit leads to system compromise

Adam Brenner aebrenne at uci.edu
Tue Feb 25 14:44:18 PST 2014


Mike,

May you please provide us more information about this release? Does a
CVE report exist?

Before we start running around and upgrading machines, causing
downtime, etc. I went ahead and took a look at the past three months
CVE reports and could not find anything pointing to this.

The closest match was a report back in December[1] where a local user
could leak kernel memory to the user space -- this was considered a
LOW priority. Nothing on the CentOS[2] announce list reports anything
like this either.

All my googling efforts only show up the last big exploit of CVE-2013-2094[3].

[1]: https://rhn.redhat.com/errata/RHSA-2013-1801.html
[2]: http://lists.centos.org/pipermail/centos-announce/
[3]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094

--
Adam Brenner
Computer Science, Undergraduate Student
Donald Bren School of Information and Computer Sciences

System Administrator, HPC Cluster
Office of Information Technology
http://hpc.oit.uci.edu/

University of California, Irvine
www.ics.uci.edu/~aebrenne/
aebrenne at uci.edu


On Tue, Feb 25, 2014 at 2:01 PM, Mike Iglesias <iglesias at uci.edu> wrote:
> We have received information that there is a kernel exploit that affects
> RHEL/CentOS  5 and 6 that can lead to a system compromise.  The information
> notes that the attackers used valid credentials to log in and after the kernel
> exploit was used to gain root, the sshd, ssh, and scp binaries were replaced
> with copies that logged IDs and passwords to file(s) in /var/lib/games/.src
> for later use.
>
> RHEL 6 boxes running kernel 2.6.32-358 and older are vulnerable.  Kernel
> 2.6.32-431 does not appear to be vulnerable.  On CentOS 5, kernel 2.6.18-348
> and older are vulnerable, but 2.6.18-371 is not.  No information was provided
> for RHEL 5, but I would assume it's vulnerable as well with the same kernel
> versions.
>
> If you are running a system with a vulnerable kernel, you should upgrade the
> kernel and check your sshd/ssh/scp binaries to make sure they have not been
> replaced.  The systems that were successfully attacked were shell servers at
> another university, so systems like cluster front-ends are targets that should
> be looked at closely.
>
> If you have any questions please let me know.
>
>
> --
> Mike Iglesias                          Email:       iglesias at uci.edu
> University of California, Irvine       phone:       949-824-6926
> Office of Information Technology       FAX:         949-824-2270
>
> _______________________________________________
> List-Info: https://maillists.uci.edu/mailman/listinfo/network-security-alerts
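The checks Mike's note asks for (compare the running kernel against the versions he quotes, verify the sshd/ssh/scp binaries, look for the credential log path) as an added POSIX sh example; this is not code from either message. Assumed: the "vulnerable"/"not vulnerable" thresholds are exactly the ones quoted, and anything between them is reported as unknown.

```shell
#!/bin/sh
# Added example, not part of the original thread. Thresholds are the
# versions quoted in the alert; builds between them are "unknown".

# kernel_status RELEASE -> prints vulnerable | patched | unknown
# RELEASE is `uname -r` output, e.g. 2.6.32-358.23.2.el6.x86_64
kernel_status() {
    case "$1" in *-*) ;; *) echo unknown; return 0 ;; esac
    base=${1%%-*}                 # 2.6.32
    rest=${1#*-}                  # 358.23.2.el6.x86_64
    build=${rest%%.*}             # 358
    case "$base" in
        2.6.32) vuln_max=358; fixed_min=431 ;;   # RHEL/CentOS 6 (alert)
        2.6.18) vuln_max=348; fixed_min=371 ;;   # CentOS 5 (alert)
        *)      echo unknown; return 0 ;;
    esac
    case "$build" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if   [ "$build" -le "$vuln_max" ];  then echo vulnerable
    elif [ "$build" -ge "$fixed_min" ]; then echo patched
    else echo unknown
    fi
}

# ssh_binaries_modified -> true (0) if rpm -V lists one of the three
# binaries the alert names. Config files are ignored. Caveat: root can
# also alter the rpm database or rpm itself, so a clean result is a first
# pass only; compare against a known-good package when in doubt.
ssh_binaries_modified() {
    out=$(rpm -V openssh-server openssh-clients 2>&1) && return 1
    printf '%s\n' "$out" | grep -E '(/usr/sbin/sshd|/usr/bin/ssh|/usr/bin/scp)$'
}

audit_host() {
    rel=$(uname -r); status=$(kernel_status "$rel"); rc=0
    echo "kernel $rel: $status"
    if ssh_binaries_modified; then echo "WARNING: OpenSSH binary differs from package"; rc=1; fi
    # path quoted in the alert as the credential log location
    if [ -e /var/lib/games/.src ]; then echo "WARNING: /var/lib/games/.src exists"; rc=1; fi
    [ "$status" = vulnerable ] && rc=1
    return $rc
}

# Run the host audit only where rpm exists (a RHEL/CentOS box).
if command -v rpm >/dev/null 2>&1; then
    audit_host || echo "ACTION: patch the kernel and/or investigate this host"
fi
```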

