A critical vulnerability in the Linux kernel was announced on Jan. 14, 2016, by security researchers at Perception Point. The vulnerability has existed since 2012, and is present in all devices running version 3.8 of the Linux kernel and higher.
The Linux kernel above version 3.8 is affected by CVE-2016-0728, including computers, servers, and mobile devices using the following operating systems:
A patch for the Linux kernel is available now and may already have been applied to managed servers. Google, which still is investigating the vulnerability on Android devices and believes the scope may be overstated, has issued a patch to its partners.
On a server running a version of the Linux kernel above 3.8, a user with any level of access could exploit the vulnerability to execute code as root. The researchers noted that a malicious app on an Android device could do the same thing, although possibly with more difficulty.
The researchers found that a reference leak in the mechanism that encrypts and stores credentials and other security data for use by applications can be used in what’s referred to as a “use after free” exploit.
At this time, neither the researchers who discovered the vulnerability nor Red Hat have detected any sign of the vulnerability currently being exploited in the wild.
If the Linux kernel on your server has already been patched through proactive measures by your web host or a service such as KernelCare, the changelog will include a reference to CVE-2016-0728.
Many managed servers are equipped with KernelCare. To check whether the patch already has been applied, run this command:
kcarectl --patch-info | grep CVE-2016-0728
That should produce output similar to the following:
kcarectl --patch-info | grep CVE-2016-0728
kpatch-cve: CVE-2016-0728
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-0728
A server which does not have KernelCare installed will output “command not found” when running the “kcarectl” command above. If that is the case, you will need to check the kernel changelog for a reference to the CVE to know whether it has been patched. On a CentOS or Red Hat server that does not have KernelCare, you can check with the command:
rpm -qa --changelog kernel | grep CVE-2016-0728
To apply the patch, update the kernel and then reboot the server; the fix only takes effect once the server is running the new kernel.
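The checks above can be combined into one script. The following is an added example, not code from the original advisory, KernelCare or Red Hat: it tries kcarectl first, falls back to the kernel RPM changelog, and flags the case where the fixed kernel package is installed but the server has not yet been rebooted into it. It assumes a CentOS/Red Hat host where rpm and uname are available; kcarectl may be absent. The sample outputs used for testing are constructed.

```shell
#!/bin/sh
# Added example (not from the original advisory or from KernelCare/Red Hat):
# report whether a CentOS/RHEL host shows evidence of the CVE-2016-0728 fix,
# trying KernelCare's kcarectl first and the kernel RPM changelog second,
# and flag a fixed kernel package that is installed but not yet booted.
# Assumptions: "rpm" and "uname" exist; "kcarectl" may be absent.

CVE="CVE-2016-0728"

# Read a tool's output on stdin and report whether it names the CVE.
# Prints "patched (<source>)" or "not patched (<source>)"; exit 0 only if patched.
classify_output() {
    src="$1"
    if grep -q -- "$CVE"; then
        echo "patched ($src)"
        return 0
    fi
    echo "not patched ($src)"
    return 1
}

# Given the running kernel release (uname -r) and the newest installed kernel
# package release, decide whether a reboot is still needed. A fixed package
# that has not been booted does not protect the server yet.
needs_reboot() {
    running="$1"
    installed="$2"
    [ -n "$installed" ] && [ "$running" != "$installed" ]
}

# Newest installed kernel release, e.g. "3.10.0-327.el7.x86_64" (empty if rpm is absent).
latest_installed_kernel() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q --last kernel 2>/dev/null | head -n 1 | sed 's/^kernel-//; s/[[:space:]].*$//'
}

# Live check for an interactive run; returns 0 if the running kernel is patched.
check_host() {
    if command -v kcarectl >/dev/null 2>&1; then
        # KernelCare patches the running kernel in place, so its list is authoritative.
        kcarectl --patch-info 2>/dev/null | classify_output KernelCare && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        # The package changelog describes the installed kernel, not necessarily the running one.
        rpm -q --changelog kernel 2>/dev/null | classify_output "kernel package changelog" || return 1
        if needs_reboot "$(uname -r)" "$(latest_installed_kernel)"; then
            echo "fixed kernel package is installed but the server has not been rebooted into it"
            return 1
        fi
        return 0
    fi
    echo "neither kcarectl nor rpm found; check the kernel changelog by hand"
    return 1
}

# Run the live check only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Run it as `sh check_cve_2016_0728.sh --run` (the file name is arbitrary); a zero exit status means the running kernel carries the fix. The reboot check matters because the rpm changelog method answers "is a fixed package installed", not "is the fixed kernel running", and the two differ until the server is rebooted.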
If you need any assistance or prefer to schedule the server’s reboot for a specific time, please do not hesitate to contact TheNOCMan Support.