On 02/22/2013 01:50 PM, Les Mikesell wrote:
> On Thu, Feb 21, 2013 at 6:03 PM, Johnny Hughes <johnny@xxxxxxxxxx> wrote:
>> This issue is not CentOS specific ... here is another discussion:
>>
>> http://www.webhostingtalk.com/showthread.php?t=1235797
>>
>> The issue seems to be that someone with local access elevates their
>> privileges in some manner, and after they upgrade their privileges they
>> are then putting a new libkeyutils*.so file on the machine.
> But don't forget that what the kernel people call 'local' access
> really means any bug in any network application that lets you execute
> an arbitrary command even if it is non-root - and those have
> historically been pretty common.

Sure .. if you can execute code as a user when you are not supposed to have any access ... then you can elevate privileges by stringing things together after you get the unauthorized access.

However, what people are seeing ... in practice today ... is that machines where there are multiple users and which are running control panel software SEEM to be most affected.

Does that mean that a single user machine will never be compromised ... of course not.

Obviously everyone who has any machines that in any way touch the Internet should be scanning/monitoring their machines for compromise on a routine basis.

In my last post, I explained how to find out if you have this kit installed (look at the webhosttalk link from that post).

Remember that the library files that are being put on the machines are not installed via an RPM but copied on as files ... and that only kernel branches > 3.4.32 (in the LTS branch), > 3.7.7 and > 3.8rc6 have had the patches applied. That means IF (and that is a big if) this is the input vector, then all Linux machines (not just CentOS or RHEL) with kernels older than those are susceptible to this issue.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
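
Added example, not part of the original post: a shell check built on the point above that the planted library files are copied on as files rather than installed via an RPM. It lists libkeyutils*.so* files that `rpm -qf` does not attribute to any package; the function names, the default directory list and the OWNER_CMD override are assumptions of this example.

```shell
#!/bin/sh
# Added example: report libkeyutils shared objects that no RPM package owns.
# OWNER_CMD is a hypothetical override hook so the check can be exercised
# without rpm; when unset, the real "rpm -qf" (query owning package) is used.

# Print every libkeyutils*.so* file or symlink directly inside the given
# directories. The default directory list is an assumption of this example.
list_keyutils_libs() {
    [ "$#" -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Skip symlinked directories (e.g. /lib -> usr/lib) so a file is not
        # queried under an alias path the package database does not record.
        [ -L "$dir" ] && continue
        find "$dir" -maxdepth 1 -name 'libkeyutils*.so*' \
            \( -type f -o -type l \) 2>/dev/null
    done | sort -u
}

# Print the listed files that the package database does not claim.
# Returns 1 if at least one unowned file was found, 0 otherwise.
find_unowned_keyutils_libs() {
    unowned=$(list_keyutils_libs "$@" | while IFS= read -r f; do
        # "rpm -qf FILE" exits non-zero when no installed package owns FILE.
        ${OWNER_CMD:-rpm -qf} "$f" </dev/null >/dev/null 2>&1 \
            || printf '%s\n' "$f"
    done)
    if [ -n "$unowned" ]; then
        printf '%s\n' "$unowned"
        return 1
    fi
    return 0
}

# Run as: sh check_keyutils.sh --scan [DIR...]
if [ "${1:-}" = "--scan" ]; then
    shift
    find_unowned_keyutils_libs "$@"
    exit $?
fi
```

A clean result only means every matching file path is claimed by a package; it does not show that an owned file is unmodified, which `rpm -V` on the owning package checks separately.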