[UCI-Linux] [Network-security-alerts] RHEL/CentOS kernel exploit leads to system compromise
Adam Brenner
aebrenne at uci.edu
Tue Feb 25 14:44:18 PST 2014
Mike,
Could you please provide us more information about this release? Does a
CVE report exist?
Before we start running around and upgrading machines, causing
downtime, etc., I went ahead and took a look at the past three months'
CVE reports and could not find anything pointing to this.
The closest match was a report back in December[1] where a local user
could leak kernel memory to the user space -- this was considered a
LOW priority. Nothing on the CentOS[2] announce list reports
anything like this either.
All my googling efforts only show the last big exploit, CVE-2013-2094[3].
[1]: https://rhn.redhat.com/errata/RHSA-2013-1801.html
[2]: http://lists.centos.org/pipermail/centos-announce/
[3]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094
--
Adam Brenner
Computer Science, Undergraduate Student
Donald Bren School of Information and Computer Sciences
System Administrator, HPC Cluster
Office of Information Technology
http://hpc.oit.uci.edu/
University of California, Irvine
www.ics.uci.edu/~aebrenne/
aebrenne at uci.edu
On Tue, Feb 25, 2014 at 2:01 PM, Mike Iglesias <iglesias at uci.edu> wrote:
> We have received information that there is a kernel exploit that affects
> RHEL/CentOS 5 and 6 that can lead to a system compromise. The information
> notes that the attackers used valid credentials to log in and after the kernel
> exploit was used to gain root, the sshd, ssh, and scp binaries were replaced
> with copies that logged IDs and passwords to file(s) in /var/lib/games/.src
> for later use.
>
> RHEL 6 boxes running kernel 2.6.32-358 and older are vulnerable. Kernel
> 2.6.32-431 does not appear to be vulnerable. On CentOS 5, kernel 2.6.18-348
> and older are vulnerable, but 2.6.18-371 is not. No information was provided
> for RHEL 5, but I would assume it's vulnerable as well with the same kernel
> versions.
>
> If you are running a system with a vulnerable kernel, you should upgrade the
> kernel and check your sshd/ssh/scp binaries to make sure they have not been
> replaced. The systems that were successfully attacked were shell servers at
> another university, so systems like cluster front-ends are targets that should
> be looked at closely.
>
> If you have any questions please let me know.
>
>
> --
> Mike Iglesias Email: iglesias at uci.edu
> University of California, Irvine phone: 949-824-6926
> Office of Information Technology FAX: 949-824-2270
>
> _______________________________________________
> List-Info: https://maillists.uci.edu/mailman/listinfo/network-security-alerts
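A defender's triage script for the three checks Mike's alert asks for: the running kernel against the EL5/EL6 build thresholds he quotes, `rpm -V` verification of the sshd/ssh/scp binaries, and a look for the credential log at /var/lib/games/.src. This is an added example, not code from the list, either poster or Red Hat. It assumes the standard EL release-string layout (2.6.32-358.x.y.el6.arch, where the number after the dash is the build) and the stock openssh-server/openssh-clients package names; the sample `rpm -V` output embedded below is constructed.

```shell
#!/bin/sh
# Triage helper for the alert quoted above.  Constructed example; it is not
# code from the list, the posters, or Red Hat.  It encodes only what the alert
# states: the EL5/EL6 kernel build thresholds, the three replaced binaries
# (sshd, ssh, scp) and the credential-log location /var/lib/games/.src.

# classify_kernel <uname -r output>  ->  VULNERABLE | PATCHED | UNKNOWN
# Release strings look like 2.6.32-358.6.2.el6.x86_64; "358" is the build.
classify_kernel() {
    rel=$1
    base=${rel%%-*}                  # 2.6.32
    rest=${rel#*-}                   # 358.6.2.el6.x86_64
    build=${rest%%.*}                # 358
    case "$base" in
        2.6.32) vuln_max=358; fixed_min=431 ;;   # RHEL/CentOS 6 per the alert
        2.6.18) vuln_max=348; fixed_min=371 ;;   # CentOS 5 per the alert
        *)      echo UNKNOWN; return 0 ;;        # not an EL5/EL6 kernel
    esac
    case "$build" in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;   # build field is not numeric
    esac
    if [ "$build" -le "$vuln_max" ]; then
        echo VULNERABLE
    elif [ "$build" -ge "$fixed_min" ]; then
        echo PATCHED
    else
        echo UNKNOWN                 # builds between the two quoted points: alert is silent
    fi
}

# modified_ssh_binaries  <  rpm -V openssh-server openssh-clients
# Prints each of the three binaries whose size (column 1 = S) or digest
# (column 3 = 5) no longer matches the RPM database, or that is missing.
modified_ssh_binaries() {
    while read -r flags path; do
        case "$path" in
            /usr/sbin/sshd|/usr/bin/ssh|/usr/bin/scp) ;;
            *) continue ;;           # config files, man pages, "c /etc/..." lines
        esac
        case "$flags" in
            missing|S*|??5*) echo "$path" ;;
        esac
    done
}

# credential_log_present [path]  ->  exit 0 if the dropper's log location exists
credential_log_present() {
    [ -e "${1:-/var/lib/games/.src}" ]
}

# Constructed sample of `rpm -V` output, so the parser can be tried offline.
SAMPLE_RPM_V='S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/ssh
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/bin/scp'

# triage  runs the checks on the live host.  Only invoked with --run so the
# functions above can be sourced or tested without touching the system.
triage() {
    echo "kernel $(uname -r): $(classify_kernel "$(uname -r)")"
    if command -v rpm >/dev/null 2>&1; then
        hits=$(rpm -V openssh-server openssh-clients 2>/dev/null | modified_ssh_binaries)
        if [ -n "$hits" ]; then
            echo "ssh binaries differing from the RPM database:"
            echo "$hits"
        fi
    fi
    if credential_log_present; then
        echo "WARNING: /var/lib/games/.src exists; treat this host as compromised"
    fi
    return 0
}

if [ "${1:-}" = --run ]; then
    triage
fi
```

Run it as `sh triage.sh --run` on each shell server or cluster front-end. Two caveats a practitioner should keep in mind: `rpm -V` compares against the local RPM database, which an intruder with root can also alter, so a cleaner check is to verify against a package file fetched from a trusted mirror (`rpm -Vp openssh-server-<version>.rpm`) or to compare hashes with a known-clean host running the same package version; and builds between 2.6.32-358 and -431 (or 2.6.18-348 and -371) are reported UNKNOWN because the alert says nothing about them.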