Thursday, February 21, 2008

Kernel Upgrade

I've done the following (copy/paste):

root@slackbox:~/kernel-patches# ls
kernel-generic-2.6.21.5-i486-2_slack12.0.tgz
kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
kernel-huge-2.6.21.5-i486-2_slack12.0.tgz
kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
root@slackbox:~/kernel-patches# md5sum kernel-*
ebf025aa30af925ac6817fe58811e921 kernel-generic-2.6.21.5-i486-2_slack12.0.tgz
e35c66f2d765a221b509f1b7b463c9fe kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
3f9e3783dd7d799a277ec3e79e8bb82d kernel-huge-2.6.21.5-i486-2_slack12.0.tgz
0503193191731bba693ed6ce35b8c26d kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
root@slackbox:~/kernel-patches#
root@slackbox:~/kernel-patches#
root@slackbox:~/kernel-patches#
root@slackbox:~/kernel-patches# upgradepkg kernel-generic-2.6.21.5-i486-2_slack12.0.tgz

+==============================================================================
| Upgrading kernel-generic-2.6.21.5-i486-2 package using ./kernel-generic-2.6.21.5-i486-2_slack12.0.tgz
+==============================================================================

Pre-installing package kernel-generic-2.6.21.5-i486-2_slack12.0...

Removing package /var/log/packages/kernel-generic-2.6.21.5-i486-2-upgraded-2008-02-21,19:59:56...

Installing package kernel-generic-2.6.21.5-i486-2_slack12.0...
PACKAGE DESCRIPTION:
kernel-generic: kernel-generic (a general purpose single processor Linux kernel)
kernel-generic:
kernel-generic: This is a Linux kernel with built-in support for most IDE controllers.
kernel-generic: For filesystem support, or if you need to load support for a SCSI or
kernel-generic: other controller, then you'll need to load one or more kernel modules
kernel-generic: using an initial ramdisk, or initrd. For more information about
kernel-generic: creating an initrd, see the README.initrd file in the /boot directory.
kernel-generic:
Executing install script for kernel-generic-2.6.21.5-i486-2_slack12.0...

Package kernel-generic-2.6.21.5-i486-2 upgraded with new package ./kernel-generic-2.6.21.5-i486-2_slack12.0.tgz.

root@slackbox:~/kernel-patches# upgradepkg kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz

+==============================================================================
| Upgrading kernel-generic-smp-2.6.21.5_smp-i686-2 package using ./kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
+==============================================================================

Pre-installing package kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0...

Removing package /var/log/packages/kernel-generic-smp-2.6.21.5_smp-i686-2-upgraded-2008-02-21,20:01:00...

Installing package kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0...
PACKAGE DESCRIPTION:
kernel-generic-smp: kernel-generic-smp (a general purpose SMP Linux kernel)
kernel-generic-smp:
kernel-generic-smp: This is a Linux kernel with built-in support for most disk
kernel-generic-smp: controllers. To use filesystems, or to load support for a SCSI or
kernel-generic-smp: other controller, then you'll need to load one or more kernel
kernel-generic-smp: modules using an initial ramdisk, or initrd. For more information
kernel-generic-smp: about creating an initrd, see the README.initrd file in the /boot
kernel-generic-smp: directory.
kernel-generic-smp:
kernel-generic-smp: SMP is "Symmetric multiprocessing", or multiple CPU/core support.
kernel-generic-smp:
Executing install script for kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0...

Package kernel-generic-smp-2.6.21.5_smp-i686-2 upgraded with new package ./kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz.

root@slackbox:~/kernel-patches# upgradepkg kernel-huge-2.6.21.5-i486-2_slack12.0.tgz

+==============================================================================
| Upgrading kernel-huge-2.6.21.5-i486-2 package using ./kernel-huge-2.6.21.5-i486-2_slack12.0.tgz
+==============================================================================

Pre-installing package kernel-huge-2.6.21.5-i486-2_slack12.0...

Removing package /var/log/packages/kernel-huge-2.6.21.5-i486-2-upgraded-2008-02-21,20:01:34...

Installing package kernel-huge-2.6.21.5-i486-2_slack12.0...
PACKAGE DESCRIPTION:
kernel-huge: kernel-huge (a fully-loaded single processor Linux kernel)
kernel-huge:
kernel-huge: This is a Linux kernel with built-in support for most disk controllers
kernel-huge: and filesystems. If you're looking for a more stripped down kernel
kernel-huge: (this one contains everything but the kitchen sink ;-), then install
kernel-huge: the kernel-generic from the /boot directory along with an initrd to
kernel-huge: load support for your boot device and filesystem. For instructions
kernel-huge: on the initrd, see README.initrd in the /boot directory.
kernel-huge:
Executing install script for kernel-huge-2.6.21.5-i486-2_slack12.0...

Package kernel-huge-2.6.21.5-i486-2 upgraded with new package ./kernel-huge-2.6.21.5-i486-2_slack12.0.tgz.

root@slackbox:~/kernel-patches# upgradepkg kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz

+==============================================================================
| Upgrading kernel-huge-smp-2.6.21.5_smp-i686-2 package using ./kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
+==============================================================================

Pre-installing package kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0...

Removing package /var/log/packages/kernel-huge-smp-2.6.21.5_smp-i686-2-upgraded-2008-02-21,20:02:13...

Installing package kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0...
PACKAGE DESCRIPTION:
kernel-huge-smp: kernel-huge-smp (a fully-loaded SMP Linux kernel)
kernel-huge-smp:
kernel-huge-smp: This is a Linux kernel with built-in support for most disk
kernel-huge-smp: controllers. If you're looking for a more stripped down kernel
kernel-huge-smp: (this one contains everything but the kitchen sink ;-), then install
kernel-huge-smp: the kernel-generic-smp in the /boot directory along with an initrd to
kernel-huge-smp: load support for your boot device and filesystem. For instructions
kernel-huge-smp: on the initrd, see README.initrd in the /boot directory.
kernel-huge-smp:
kernel-huge-smp: SMP is "Symmetric multiprocessing", or multiple CPU/core support.
kernel-huge-smp:
Executing install script for kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0...

Package kernel-huge-smp-2.6.21.5_smp-i686-2 upgraded with new package ./kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz.

root@slackbox:~/kernel-patches#

root@slackbox:~/kernel-patches# lilo
Fatal: VolumeID read error: sector 0 of /dev/sda not readable

OUCH!

I read this: http://unixadmintalk.com/f11/lilo-fails-dev-sda-not-readable-65533/

It appears to help:

root@slackbox:~/kernel-patches# lilo
Warning: bypassing VolumeID scan of drive flagged INACCESSIBLE: /dev/sda
Warning: The boot sector and map file are on different disks.
Added Windows *
Added Linux
2 warnings were issued.

Will reboot then test to see if this upgraded kernel is still vulnerable...

Sunday, February 17, 2008

Kernel vulnerabilities affecting Linux machines

Whenever there's some kernel-level vulnerability, it seems that the whole community goes ape-crap over something that should be a no-brainer.

The recent vulnerability is documented here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0600

So, what's the big deal? It is a locally exploitable vulnerability. Everyone is acting like its the end of the world. Why? Are people actually giving people access to their systems that they don't trust? Why am I not worried? Because I want to learn things about security. Think about this for a second: in an enterprise environment, you're not going to be able to always apply kernel patches to production machines. You're not always going to be able to test by standing up a development environment. There is not always going to be one distribution used and not every platform will share the same hardware. What's readily apparent is that security should always be applied in layers. This means that no one should be accessing machines on your local network that you can't trust. If someone is not trustworthy, you should always be worrying about what they're doing on the network, instead of only when kernel-level vulnerabilities are discovered.

Does that lessen the responsibility of the system admins? No, but if everyone thought less of patching applications and more as a security administrator, the workload of the system administrator would probably be less. What I'm seeing in chatrooms and forums is this: "Oh shit...this exploit gives local root access...I have to apply this patch NOW!!" Someone said something similar in an IRC channel that I frequent:



SiegeX - I dunno, having a local root exploit (which ive tested with existing code) on a box that runs any sort of service would worry the hell out of me
W|GGL|T - SiegeX: in all actuality, you could have root exploits locally all over the place and you'd not know about it
SiegeX - and I probably do, but its no excuse for not patching the ones I do
W|GGL|T - security is more than just patching....in a corporate scenario, you have to balance out if you can even apply the patch....you bet your ass we're not going to take down a production system that has a localized vulnerability if it is indeed only local
SiegeX - heh, step 1) su root 2) cat /etc/shadow 3) ??? 4) profit
W|GGL|T - its called mitigation
W|GGL|T - if security is applied in layers, certain risks are lessened
SiegeX - W|GGL|T: why wouldnt you apply the patch on a production clone for testing purposes and do regression testing on that to make sure everything is a-ok before moving it over ?
W|GGL|T - SiegeX: if the corporate network has 10 different security layers, the need for immediate patching is small. sure, we'd patch but we'd do it in a sane manner
SiegeX - W|GGL|T: since you're into the corp security let me ask you if there was a solid way for a corp to not allow outbound tunnels while still allowing https?
SiegeX - s/was/is
W|GGL|T - SiegeX: nope, but then again, those who don't follow corporate policy need to be fired
SiegeX - afaik, if you tunnel over https, not even a L7 filter will look at it funny since the connection setup looks legit. Only thing i can think of is traffic analysis
W|GGL|T - there are always checks and balances
W|GGL|T - SiegeX: hrmm....there is IDS
W|GGL|T - and there is also a concept called behavioral analysis



The conversation dies shortly thereafter. I do think SiegeX was thinking in a sane manner. What he's worried about is someone either breaking into the machine or someone from inside tunneling and somehow letting an unauthorized user into the network. Layered security addresses both of those concerns. You lock down your firewall to only allow certain traffic in/out of the network. You set up either an IDS or an IPS to either log suspicious traffic or actively log and block unusual traffic. Yes, IDS/IPS can detect layer-7 traffic anomalies (but only if there are rules patterned after the unwanted traffic). Those people that tunnel out of the corporate network can be either reprimanded or handed their walking papers...that problem can be solved rather quickly.

I take it that SiegeX didn't want to deal with traffic analysis. That's the only way ANYONE is going to see stuff. Think about it. When you look at firewall logs, you're looking at logged traffic. If you're looking at your system logs (for instance, /var/log/secure, /var/log/faillog, or /var/log/messages (which may contain snort log and/or firewall log entries)), you're pretty much conducting traffic analysis. This should be within the realm of every system admin.

The easier way would be to address the kernel vulnerability, but I've also seen places that will NOT update a kernel unless absolutely necessary. The train-of-thought is that they wanted absolute stability and that stability overruled patch updating. What type of organization would think in this manner? Think of organizations that deal in national flight systems.

So, when am I going to apply a patched kernel? I don't know...my LAN is so layered with security that its not a hot priority for me to apply this patch.

Lastly, here's a Secunia link of the vulnerabilities in question: http://secunia.com/advisories/28835/