64-bit Linux: important security vulnerability identified

September 19, 2010 by Stéphane Jose in: Web Hosting Articles, iWeb Articles

Last Friday a security vulnerability affecting 64-bit Linux operating systems was identified (see: http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081 and http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3301).

This vulnerability is potentially very harmful because it allows a malicious attacker to take over a web server and obtain full root access through a backdoor.

What makes the problem more serious is that this vulnerability seems to have been exploited much more quickly than usual. Once a vulnerability is disclosed, it usually takes some time before attackers try to exploit it.

This time the flaw is easily exploitable, and the first reports were published by various web hosts barely 48 hours after the flaw was disclosed. Fortunately the problem can be countered by quickly updating the kernel of the system.

Debian and Ubuntu have released fixes, but those of CentOS and Red Hat are still awaited (see update below):

Debian: http://security-tracker.debian.org/tracker/CVE-2010-3301
Ubuntu: http://www.ubuntu.com/usn/usn-988-1
CentOS/Red Hat: https://access.redhat.com/kb/docs/DOC-40265

The company Ksplice has also published a tool that checks whether the vulnerability has been exploited on a server and detects whether a backdoor is running in memory. The tool is available here: http://www.ksplice.com/uptrack/cve-2010-3081

If you suspect that your server has been affected, note that the attacker may also have installed several other types of backdoors on the server. You can always run the ‘chkrootkit’ command to check for known and detectable backdoors and rootkits.

It is also important that all applications running on a server are updated regularly, as attackers particularly target websites that use flaws in outdated applications (for instance Joomla or WordPress) to bypass normal security measures.

As for iWeb, we have encountered the problem on one of our shared hosting servers, but we are in control of the situation. We have implemented several measures that allow us to protect our shared hosting environments and we closely monitor our customers’ dedicated servers until final security fixes are available.

UPDATE: New kernels by Red Hat and CentOS that address the vulnerability (CVE-2010-3081) have now been released. They are available here:

Official Red Hat release: kernel-2.6.18-194.11.4.el5.rpm https://rhn.redhat.com/errata/RHSA-2010-0704.html

CentOS: note that this is a patched kernel that CentOS has posted in its testing repository without waiting for Red Hat. The final official CentOS fix is expected soon.
It can be installed this way (the wget command is a single line):

wget http://dev.centos.org/centos/5/CentOS-Testing.repo -O /etc/yum.repos.d/CentOS-Testing.repo
yum --enablerepo=c5-testing update kernel\*

The latest official CentOS kernel is now available: http://bugs.centos.org/view.php?id=4518
To update, type the command:

yum update kernel*

and restart your server with the command ‘reboot’. Installing the new kernel package is not enough on its own: the machine keeps running the old, vulnerable kernel until it has been rebooted.
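The two things an administrator wants to verify after the steps above are whether the booted kernel is at or above the fixed 2.6.18-194.11.4.el5 and whether a freshly installed kernel has actually taken effect (which needs a reboot, not a service restart). The following shell script is an added example, not iWeb's, Red Hat's or Ksplice's tooling. It assumes RHEL/CentOS 5 version strings of the form 2.6.18-194.11.4.el5 (the "el5xen" variant is handled), takes the fixed version from the Red Hat erratum named above, and uses rpm only for the reboot check; the script name kernel_check.sh is a placeholder. Other distributions use different version schemes and their own fixed versions, so the comparison values would need to be replaced there.

```shell
#!/bin/sh
# Added example (not iWeb's tooling): tell whether a RHEL/CentOS 5 host is still
# running a kernel older than the CVE-2010-3081 fix, and whether a kernel update
# has actually taken effect.
# Assumptions: RHEL/CentOS 5 version strings such as "2.6.18-194.11.4.el5"; the
# fixed version below is the one the article names for RHSA-2010:0704.

FIXED_EL5_KERNEL="2.6.18-194.11.4.el5"

# kernel_cmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Numeric fields are compared one by one; "-" counts like "." and the ".elN..."
# dist tag is ignored, so 194.11.4 sorts after 194.11.3 and before 194.17.1,
# and "2.6.18-194.11.4.el5xen" compares equal to "2.6.18-194.11.4.el5".
kernel_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/\.el[0-9]+.*$/, "", a); gsub(/-/, ".", a); na = split(a, x, ".")
        sub(/\.el[0-9]+.*$/, "", b); gsub(/-/, ".", b); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1";  exit }
        }
        print "0"
    }'
}

# kernel_vulnerable RUNNING [FIXED]: exit 0 when RUNNING is older than FIXED,
# i.e. the booted kernel predates the fix.
kernel_vulnerable() {
    [ "$(kernel_cmp "$1" "${2:-$FIXED_EL5_KERNEL}")" = "-1" ]
}

# reboot_pending RUNNING "INSTALLED ...": exit 0 when a newer kernel package is
# installed than the one booted. "yum update kernel*" without "reboot" leaves
# the old kernel in memory; restarting sshd does not change that.
reboot_pending() {
    newest=$1
    for k in $2; do
        if [ "$(kernel_cmp "$k" "$newest")" = "1" ]; then
            newest=$k
        fi
    done
    [ "$newest" != "$1" ]
}

# check_local_host: run both checks against this machine (rpm is needed for the
# reboot check). Returns 1 when action is needed.
check_local_host() {
    running=$(uname -r)
    rc=0
    if [ "$(uname -m)" != "x86_64" ]; then
        echo "info: $(uname -m) is not an x86_64 kernel; this check targets the 64-bit kernels the article describes"
    elif kernel_vulnerable "$running"; then
        echo "VULNERABLE: booted kernel $running is older than $FIXED_EL5_KERNEL"
        rc=1
    else
        echo "ok: booted kernel $running is at or above $FIXED_EL5_KERNEL"
    fi
    if command -v rpm >/dev/null 2>&1; then
        installed=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' 2>/dev/null | tr '\n' ' ')
        if reboot_pending "$running" "$installed"; then
            echo "REBOOT NEEDED: a newer kernel is installed than the one booted"
            rc=1
        fi
    fi
    return $rc
}

# Live run only when asked for:  KERNEL_CHECK_LIVE=1 sh kernel_check.sh
if [ "${KERNEL_CHECK_LIVE:-0}" = "1" ]; then
    check_local_host
fi
```

The comparison deliberately ignores the dist tag and treats the release separator like a dot, so it does not need `sort -V` or rpm's own version ordering and works in a plain POSIX shell with awk. A non-zero exit from check_local_host is what a monitoring job would alert on.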

Comments

  1. Thanks for the heads up! :D

  2. [...] It is also important that all applications used on the server are updated regularly, since hackers particularly target websites that use outdated applications to bypass the usual security measures. I originally wrote this article on the iWeb blog, where it is also available in English. [...]

  3. [...] CVE-2010-3081, this week’s second high-profile local root exploit in the Linux kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and ‘Ac1db1tch3z’ (classy) [...]

  4. I would like to note that for anyone running a sane configuration the exploit means nothing: hackers will have to be able to run the command remotely (unless it’s malware that the user has to manually run) before they magically have root access to your Linux box.

  6. Where does it say that this is a remote exploit? All the CVEs say local user…

  7. @nobody It’s a local exploit, however it is being remotely exploited through outdated PHP applications. It is not uncommon on a web server to find outdated Joomla or WordPress installations.

  8. Hi,

    I use Ksplice for a rebootless server when it comes to kernel upgrades. It keeps the server running without a reboot after a kernel upgrade. It can be tried for free at ksplice.com

    I run a cron job as root so it keeps the kernel up to date, and it helped me not reboot 15 times (the number of kernel upgrades by CentOS) between January 2009 and February 2010.

    CVE-2010-3081, I hope it doesn’t shut down any hosting companies out there…

    Regards,

    JB

  9. [...] Piece of mind, thy name is Linux. To be fair, not entirely peaceful and without worries: http://blog.iweb.com/en/2010/09/64bi…fied/5437.html But I agree it’s better than Windows. Now. Until it gets popular. K O’N Reply With [...]

  10. To restart, I used this command: /etc/init.d/sshd restart

    Is it correct?

    Thanks!

  11. I also noticed that US-CERT did not have this incident in their database, so I forwarded it to them in hopes that they will have it soon.

  12. @Fred: in fact you only restarted your ssh service. You must restart the whole server with the ‘reboot’ command. If you have questions about the update of your server please do not hesitate to open a ticket with technical support.

  13. M. Williams, thanks!

  14. [...] exploit of the vulnerability known as CVE-2010-3081, we saw this exploit aggressively compromising machines, with reports of compromises all over the hosting industry and many machines using our diagnostic [...]

  15. I will kill myself one day with these endless IT problems….

  16. After a cautious browse I believed it was very enlightening. I get pleasure from you spending the time and effort to put this post together. I once more discover myself personally spending way too much time both reading and writing comments.
