[WARNING] Unpatched Linux exploit



DoeNietWil
December 8th, 2010, 09:12 PM
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0086.html

CVE-2010-4258 needs a patch, or the exploit could get ported to newer versions.

Spice Weasel
December 8th, 2010, 09:16 PM
Sigh..

Let's hope everything gets sorted out quickly.

Old_Grey_Wolf
December 9th, 2010, 01:44 AM
It was only reported on 2 December 2010 depending on your time zone. Give the developers some time to fix it. It is currently 8 December 2010 in my time zone. Some operating systems can take months to fix an exploit. If it is an upstream Linux kernel vulnerability, then Canonical/Ubuntu really is not responsible for fixing it, although they could offer suggestions.

3Miro
December 9th, 2010, 01:53 AM
I cannot see clearly how it works. It seems like this can be done by a program that runs on your computer, so if you stick to the trusted repos you should be fine until a patch is out. I am worried if there is anything that I have to do right now to avoid the problem.

KIAaze
December 9th, 2010, 08:32 AM
I can confirm that it works.
It failed on Ubuntu 10.10 (even though it says for kernel <= 2.6.37 and I have 2.6.35-23-generic), but worked on older versions.

Tested successfully on:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Codename: lucid
$ uname -a
Linux ***** 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux



$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic
$ uname -a
Linux ***** 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux



Yes, it requires preliminary access to the machine as a normal user, but it's still a big security risk.

edit: Good news: It fails after all security updates on the same machines:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Codename: lucid
$ uname -a
Linux ***** 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 09:00:03 UTC 2010 i686 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic
$ uname -a
Linux **** 2.6.31-22-generic-pae #69-Ubuntu SMP Wed Nov 24 09:04:58 UTC 2010 i686 GNU/Linux


So I'm assuming it has already been patched and updated systems should be safe.

NCLI
December 9th, 2010, 12:15 PM
I can confirm that it works.
It failed on Ubuntu 10.10 (even though it says for kernel <= 2.6.37 and I have 2.6.35-23-generic), but worked on older versions.

Tested successfully on:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Codename: lucid
$ uname -a
Linux ***** 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux



$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic
$ uname -a
Linux ***** 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux



Yes, it requires preliminary access to the machine as a normal user, but it's still a big security risk.

edit: Good news: It fails after all security updates on the same machines:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Codename: lucid
$ uname -a
Linux ***** 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 09:00:03 UTC 2010 i686 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic
$ uname -a
Linux **** 2.6.31-22-generic-pae #69-Ubuntu SMP Wed Nov 24 09:04:58 UTC 2010 i686 GNU/Linux


So I'm assuming it has already been patched and updated systems should be safe.

If you rarely access your server, why not set it to install security updates automatically?

KIAaze
December 9th, 2010, 03:02 PM
It's not my server. :mrgreen: (and the other machine is virtual)

But don't worry, I'm also not accessing it illegally. ^^
And yes, I will set up auto updates on it.

Any good tips on how to do that?
Is adding "apt-get update" and "apt-get upgrade" to crontab the recommended way to do it? Any preference between using "/etc/crontab" or "sudo crontab -e"?

How can I know if a reboot is required? Should I automatically reboot (shouldn't cause too many problems for this specific server)?

Things I might also need:
-mail notifications for necessary reboots and available upgrades/dist upgrades
-logging of installed/upgraded/removed packages

nolag
December 9th, 2010, 03:06 PM
It was only reported on 2 December 2010 depending on your time zone. Give the developers some time to fix it. It is currently 8 December 2010 in my time zone. Some operating systems can take months to fix an exploit. If it is an upstream Linux kernel vulnerability, then Canonical/Ubuntu really is not responsible for fixing it, although they could offer suggestions.

Ubuntu may not be "responsible" for the bugs from upstream, but they can fix them, not only suggest them. They would just make the fix in their kernel, and they can even post the code upstream to try to help them. By the sounds of things it is nothing to worry about anymore anyways :).

NCLI
December 9th, 2010, 04:00 PM
It's not my server. :mrgreen: (and the other machine is virtual)

But don't worry, I'm also not accessing it illegally. ^^
And yes, I will set up auto updates on it.

Any good tips on how to do that?
Is adding "apt-get update" and "apt-get upgrade" to crontab the recommended way to do it? Any preference between using "/etc/crontab" or "sudo crontab -e"?

How can I know if a reboot is required? Should I automatically reboot (shouldn't cause too many problems for this specific server)?

Things I might also need:
-mail notifications for necessary reboots and available upgrades/dist upgrades
-logging of installed/upgraded/removed packages

Read this (https://help.ubuntu.com/10.04/serverguide/C/automatic-updates.html) ;)

CharlesA
December 9th, 2010, 04:06 PM
Read this (https://help.ubuntu.com/10.04/serverguide/C/automatic-updates.html) ;)

Bingo.

I have my server set to send me an email if it needs a reboot. It's set for a mail server anyway, so why not?
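On the reboot question raised above, an added example (not code from any poster in this thread): a cron-friendly check that reports when a newer kernel is installed than the one running, or when Ubuntu's /var/run/reboot-required flag file exists. The function names and the `--check` switch are made up for this sketch, and it assumes GNU `sort -V` and a single kernel flavour in /boot.

```shell
#!/bin/sh
# Added example: a kernel security update only takes effect after a reboot,
# so compare the running kernel with the newest image installed on disk.

# newest_installed_kernel DIR: highest version among DIR/vmlinuz-* images.
# Assumes one kernel flavour (e.g. only -generic) is installed.
newest_installed_kernel() {
    for img in "$1"/vmlinuz-*; do
        [ -e "$img" ] && printf '%s\n' "${img##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# reboot_needed RUNNING BOOTDIR FLAGFILE
# Prints the reason and returns 0 when a reboot is needed, 1 otherwise.
reboot_needed() {
    running=$1 bootdir=$2 flag=$3
    newest=$(newest_installed_kernel "$bootdir")
    # Newer image on disk than the kernel currently running?
    if [ -n "$newest" ] && [ "$running" != "$newest" ] &&
       [ "$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)" = "$newest" ]; then
        echo "running $running, newest installed $newest"
        return 0
    fi
    # Flag file written by Ubuntu packages that ask for a restart.
    if [ -e "$flag" ]; then
        echo "reboot flag $flag is present"
        return 0
    fi
    return 1
}

# Live use, e.g. from a daily cron job; cron mails any output when MAILTO
# is set in the crontab, which gives the reboot notification asked about.
if [ "${1:-}" = "--check" ]; then
    reboot_needed "$(uname -r)" /boot /var/run/reboot-required
fi
```

With the versions posted earlier in the thread, a machine still running 2.6.32-21-generic after 2.6.32-26-generic has been installed is reported as needing a reboot.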

Old_Grey_Wolf
December 10th, 2010, 04:05 AM
...they can even post the code upstream to try to help them.

That is what I meant by suggesting a fix. The upstream developers can accept or reject any code that is posted. :)