On 02/21/2013 05:32 PM, Gilbert Sebenste wrote:
> Hello everyone,
>
> I hope you are having a good day. However, I am concerned by this:
>
> https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
>
> Has anyone heard yet what the attack vector is, if 5.9 and 6.4 are
> affected, and if a patch is coming out?
>

This issue is not CentOS-specific ... here is another discussion:

http://www.webhostingtalk.com/showthread.php?t=1235797

The issue seems to be that someone with local access elevates their privileges in some manner, and after they upgrade their privileges they are then putting a new libkeyutils*.so file on the machine.

There is some talk that this vector might be this issue:

https://bugzilla.redhat.com/show_bug.cgi?id=911937

It is not yet known that this is the issue being used ... just speculation at this point.

There is a 3.4.32 kernel in our Xen4 for CentOS6 testing repo that has the patches rolled in for CVE-2013-0871. 3.4.32 is MUCH newer than the standard EL6 kernel and I am not recommending that people use this kernel in production without lots of testing ... and there should be a distro kernel out to address CVE-2013-0871 soon since it is a priority upstream.

Here is a link where you can get that 3.4.32 kernel (x86_64 only) if you want to test it:

http://dev.centos.org/centos/6/xen-c6/x86_64/RPMS/

No one really knows what the vector currently is, but there are methods to scan for and fix the issue in the webhostingtalk thread above.

Since the current thought on this issue is that it requires local access ... the machines one needs to be very wary of are ones where many people have non-root access and might want to try to gain unauthorized root ... like a shared web hosting machine.

When we know more, we will post it here.

Thanks,
Johnny Hughes
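The message above says the rootkit shows up as a replaced libkeyutils*.so. One defender-side check on an RPM-based host is to run `rpm -Va` and look for libkeyutils files whose size or digest no longer matches the package database. The parser below is an added example, not code from the thread or from CentOS; the `rpm -Va` output it reads is constructed for illustration, and the paths in it are made up.

```python
import re

# Constructed sample of `rpm -Va` output (not captured from any real host).
# Each row: 9 attribute flags, an optional file-type marker (c = config),
# then the path. In the flags, 'S' = size differs, '5' = digest differs,
# 'M' = mode differs, 'T' = mtime differs, '.' = unchanged.
SAMPLE_RPM_VA = """\
S.5....T.    /lib64/libkeyutils.so.1.3
.......T.  c /etc/ssh/sshd_config
missing     /usr/share/doc/example/README
S.5....T.    /usr/bin/hypothetical-tool
.M.......    /lib64/libkeyutils-1.3.so
"""

# Matches one verify row: flags, optional type letter, absolute path.
RPM_V_LINE = re.compile(
    r'^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$'
)


def parse_rpm_verify(output):
    """Return (path, flags, type) tuples; 'missing' rows carry flags 'missing'."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('missing'):
            rows.append((line.split()[-1], 'missing', None))
            continue
        m = RPM_V_LINE.match(line)
        if m:
            rows.append((m.group('path'), m.group('flags'), m.group('type')))
    return rows


def suspicious_libkeyutils(output):
    """Paths of libkeyutils* files that are missing or whose size/digest
    differ from the package record. Config files (type 'c') are skipped
    because they legitimately change; a changed mtime alone is not flagged."""
    hits = []
    for path, flags, ftype in parse_rpm_verify(output):
        if 'libkeyutils' not in path.rsplit('/', 1)[-1]:
            continue
        if flags == 'missing' or (ftype != 'c' and ('5' in flags or 'S' in flags)):
            hits.append(path)
    return hits
```

`rpm -Va` only reports files the package database knows about, so pair this with an `rpm -qf` check on every libkeyutils* file in the library directories to catch an extra, unowned copy.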