[UCI-Linux] [Network-security-alerts] RHEL/CentOS kernel exploit leads to system compromise

Adam Brenner aebrenne at uci.edu
Tue Feb 25 14:44:18 PST 2014


Could you please provide us more information about this release? Does a
CVE report exist?

Before we start running around and upgrading machines, causing
downtime, etc., I went ahead and took a look at the past three months'
CVE reports and could not find anything pointing to this.

The closest match was a report back in December[1] where a local user
could leak kernel memory to user space -- this was considered a
LOW priority. Nothing on the CentOS[2] announce list reports
anything like this either.

All my googling efforts only turn up the last big exploit, CVE-2013-2094[3].

[1]: https://rhn.redhat.com/errata/RHSA-2013-1801.html
[2]: http://lists.centos.org/pipermail/centos-announce/
[3]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094

Adam Brenner
Computer Science, Undergraduate Student
Donald Bren School of Information and Computer Sciences

System Administrator, HPC Cluster
Office of Information Technology

University of California, Irvine
aebrenne at uci.edu

On Tue, Feb 25, 2014 at 2:01 PM, Mike Iglesias <iglesias at uci.edu> wrote:
> We have received information that there is a kernel exploit that affects
> RHEL/CentOS 5 and 6 that can lead to a system compromise.  The information
> notes that the attackers used valid credentials to log in and after the kernel
> exploit was used to gain root, the sshd, ssh, and scp binaries were replaced
> with copies that logged IDs and passwords to file(s) in /var/lib/games/.src
> for later use.
>
> RHEL 6 boxes running kernel 2.6.32-358 and older are vulnerable.  Kernel
> 2.6.32-431 does not appear to be vulnerable.  On CentOS 5, kernel 2.6.18-348
> and older are vulnerable, but 2.6.18-371 is not.  No information was provided
> for RHEL 5, but I would assume it's vulnerable as well with the same kernel
> versions.
>
> If you are running a system with a vulnerable kernel, you should upgrade the
> kernel and check your sshd/ssh/scp binaries to make sure they have not been
> replaced.  The systems that were successfully attacked were shell servers at
> another university, so systems like cluster front-ends are targets that should
> be looked at closely.
>
> If you have any questions please let me know.
> --
> Mike Iglesias                          Email:       iglesias at uci.edu
> University of California, Irvine       phone:       949-824-6926
> Office of Information Technology       FAX:         949-824-2270
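As an added, defender-side example that is not part of the alert or of this thread: a small POSIX sh helper that classifies a kernel release string against the exact version boundaries quoted above and runs the sshd/ssh/scp integrity check the alert recommends, using rpm -V. The function names, the rpm/uname usage and the sample release strings are assumptions of this example, not something the post specifies.

```sh
#!/bin/sh
# Added example, not from the alert or its author: triage helpers for the
# RHEL/CentOS kernel alert. Version boundaries are the ones quoted in the
# post; function names and the rpm/uname usage are assumed standard tooling.

# kernel_status <uname -r output>  ->  vulnerable | patched | unknown
# From the post: RHEL/CentOS 6 2.6.32-358 and older vulnerable, 2.6.32-431 fixed;
#                CentOS 5      2.6.18-348 and older vulnerable, 2.6.18-371 fixed.
# Releases between the two numbers are reported as unknown, since the post
# says nothing about them.
kernel_status() {
    case "$1" in *-*) ;; *) echo unknown; return 0 ;; esac
    base=${1%%-*}                      # 2.6.32
    rel=${1#*-}; rel=${rel%%.*}        # 358 from 358.23.2.el6.x86_64
    case "$base" in
        2.6.32) last_bad=358; first_good=431 ;;
        2.6.18) last_bad=348; first_good=371 ;;
        *)      echo unknown; return 0 ;;
    esac
    case "$rel" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if   [ "$rel" -ge "$first_good" ]; then echo patched
    elif [ "$rel" -le "$last_bad" ];   then echo vulnerable
    else echo unknown
    fi
}

# ssh_binaries_ok: verify the installed openssh packages against the rpm
# database and look for the credential-dump directory named in the post.
# Caveat: a root-level intruder can also alter the rpm database or rpm itself,
# so a clean result is a first check, not proof; confirm against a known-good
# package file (rpm -Vp) or from a trusted boot medium.
ssh_binaries_ok() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    status=0
    # rpm -V prints one line per differing file; a "5" in column 3 means the
    # digest no longer matches. Config files (flag "c") are skipped as noise.
    bad=$(rpm -V openssh-server openssh-clients 2>/dev/null | grep -v ' c ' | grep -E '^..5|^missing')
    if [ -n "$bad" ]; then printf 'modified ssh files:\n%s\n' "$bad"; status=1; fi
    if [ -e /var/lib/games/.src ]; then echo "found /var/lib/games/.src"; status=1; fi
    return $status
}

main() {
    k=$(uname -r)
    echo "kernel $k: $(kernel_status "$k")"
    ssh_binaries_ok && echo "openssh files verified, /var/lib/games/.src absent"
}
# run the host checks only when invoked as: sh kcheck.sh check
if [ "${1:-}" = check ]; then main; fi
```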
