On Sep 25th, security researcher Qualys disclosed a new Linux Kernel vulnerability dubbed Mutagen Astronomy (CVE-2018-14634) that allows attackers to gain administrator (root) privileges in unpatched Linux servers.
Here at Bobcares.com, we maintain servers of web hosts and other online businesses as part of our Server Management Services. In this service we detect emerging threats and proactively patch the servers to prevent security exploits.
As of this writing, there are no easy patches for this vulnerability.
However, we’ve used interim mitigation steps to prevent Mutagen Astronomy exploits until updated kernel packages are available.
64-bit servers with 32 GB or more RAM is vulnerable
The proof of concept exploits released by security researchers show that the server should have a 64-bit CPU has needs at least 32 GB of RAM for the exploit to be successful.
Since a vast majority of websites run on lower spec servers, this is not a concern for them.
However, we’ve seen that larger service providers such as Cloud hosts, VPS hosts, Shared hosts and SaaS owners are at risk.
Since this vulnerability is in the Linux Kernel, any vendor that has not applied the patch is vulnerable.
So far, we are aware of vulnerable Kernels in:
- RHEL 6 and 7
- CentOS 6 and 7
- Debian Jessie
- Ubuntu 14.04 LTS and 12.04 ESM
Fixing Mutagen Astronomy bug in RedHat & CentOS
Updated RHEL 7 kernels are released
RedHat released the patched Kernel for RHEL 7, and it can be applied via:
#yum update kernel
or
#yum update
However, patches are not yet available for RHEL 6.
Patching CentOS 6 and 7
These updated kernel packages are not yet available for CentOS, and need to be patched manually.
RedHat developers proposed a patch script using SystemTap (a kernel probing framework).
There are 3 steps involved in this:
- Install SystemTap using the command
yum install systemtap systemtap-runtime - Create a file MutagenAstronomyFix.stp with this content:
-
// CVE-2018-14634 // // Theory of operations: adjust the thread's # rlimit-in-effect around // calls to the vulnerable get_arg_page() function so as to encompass // the newly required _STK_LIM / 4 * 3 maximum. // Complication: the rlimit is stored in a current-> structure that // is shared across the threads of the process. They may concurrently // invoke this operation. function clamp_stack_rlim_cur:long () %{ struct rlimit *rlim = current->signal->rlim; unsigned long rlim_cur = READ_ONCE(rlim[RLIMIT_STACK].rlim_cur); unsigned long limit = _STK_LIM / 4 * 3; limit *= 4; // multiply it back up, to the scale used by rlim_cur if (rlim_cur > limit) { WRITE_ONCE(rlim[RLIMIT_STACK].rlim_cur, limit); STAP_RETURN(limit); } else STAP_RETURN(0); %} probe kernel.function("copy_strings").call { l = clamp_stack_rlim_cur() if (l) printf("lowered process %s(%d) STACK rlim_cur to %p\n", execname(), pid(), l) } probe begin { printf("CVE-2018-14634 mitigation loaded\n") } probe end { printf("CVE-2018-14634 mitigation unloaded\n") }
-
- Execute the SystemTap script with the command
stap -g MutagenAstronomyFix.stp
This work around may not work well in all servers, as it depends on what kernel it runs.
So, if you get an error or are not sure about how to apply this patch, click here to contact our Linux experts. We are online 24/7.
Ubuntu & Debian fixes
Debian’s latest version, Debian 9 (aka Stretch) is already protected from this vulnerability.
However if you are not sure you’ve applied the packages, perform an update with apt-get update
Older stable version Debian 8 (aka Jessie) does not yet have a patched kernel [1].
Similarly, Ubuntu is also yet to release a patch for its 14.04 LTS and 12.04 ESM versions.
We’ll update this post as this situation develops.
Need emergency support?
If you suspect your server might be hacked, or if you feel it is at risk, click here to talk to our security experts.
We are online 24/7 and can perform a quick audit of your server, and take mitigation steps to prevent an exploit.
0 Comments