OVHcloud Bare Metal Cloud Status
Current status
Legend
- Operational
- Degraded performance
- Partial Outage
- Major Outage
- Under maintenance
FS#8636 — Local Linux root exploit 2.6.37 - 3..8.8
Incident
Report for Bare Metal Cloud
Resolved
A root exploit has just been published.
While we have not been able to exploit this vulnerability
on a GRSEC kernel, it could cause servers to crash under certain conditions.
We released the 3.8.13 kernel today.
All OVH kernel distributions are now delivered
with the latest Linux kernel.
If your server uses NetBoot, you can simply reboot it.
If not, you can install the new kernel manually by clicking here:
[GRS] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-xxxx-grs-ipv6-64
[STD] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-xxxx-std-ipv6-64
Or for VMs:
[GRS] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-vps-grs-ipv6-64
[STD] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-vps-std-ipv6-64
In addition to fixing this loophole, the new kernel also brings improved performances,
especially for the network.
Redhat RHEL 6.0 (but not 5.0) has also been affected:
https://bugzilla.redhat.com/show_bug.cgi?id=962792
Almost all distributions have this vulnerability.
*** Mitigation ***
The exploit is no longer functional after changing the kernel.perf_event_paranoid parameter:
# sysctl kernel.perf_event_paranoid=2
However, this does not correct the underlying vulnerability, thus
rebooting the server onto the new kernel ASAP is highly recommended.
Update(s):
Date: 2013-05-16 10:18:28 UTC
During a manual soft reboot, some installations of OVH Release 2 (based on gentoo) are blocking after shutdown instead of restarting. This is due to the devtmpfs still inknown to gentoo scripts. The fix is simple:
sed -i \"s/devfs|tmpfs/devfs|devtmpfs|tmpfs/g\" /etc/init.d/halt.sh
While we have not been able to exploit this vulnerability
on a GRSEC kernel, it could cause servers to crash under certain conditions.
We released the 3.8.13 kernel today.
All OVH kernel distributions are now delivered
with the latest Linux kernel.
If your server uses NetBoot, you can simply reboot it.
If not, you can install the new kernel manually by clicking here:
[GRS] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-xxxx-grs-ipv6-64
[STD] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-xxxx-std-ipv6-64
Or for VMs:
[GRS] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-vps-grs-ipv6-64
[STD] ftp://ftp.ovh.net/made-in-ovh/bzImage/3.8.13/bzImage-3.8.13-vps-std-ipv6-64
In addition to fixing this loophole, the new kernel also brings improved performances,
especially for the network.
Redhat RHEL 6.0 (but not 5.0) has also been affected:
https://bugzilla.redhat.com/show_bug.cgi?id=962792
Almost all distributions have this vulnerability.
*** Mitigation ***
The exploit is no longer functional after changing the kernel.perf_event_paranoid parameter:
# sysctl kernel.perf_event_paranoid=2
However, this does not correct the underlying vulnerability, thus
rebooting the server onto the new kernel ASAP is highly recommended.
Update(s):
Date: 2013-05-16 10:18:28 UTC
During a manual soft reboot, some installations of OVH Release 2 (based on gentoo) are blocking after shutdown instead of restarting. This is due to the devtmpfs still inknown to gentoo scripts. The fix is simple:
sed -i \"s/devfs|tmpfs/devfs|devtmpfs|tmpfs/g\" /etc/init.d/halt.sh