Select Page

How to fix Mutagen Astronomy vulnerability (CVE-2018-14634 bug) in RedHat, CentOS, Debian & Ubuntu servers

On Sep 25th, security researcher Qualys disclosed a new Linux Kernel vulnerability dubbed Mutagen Astronomy (CVE-2018-14634) that allows attackers to gain administrator (root) privileges in unpatched Linux servers.

Here at Bobcares.com, we maintain servers of web hosts and other online businesses as part of our Server Management Services. In this service we detect emerging threats and proactively patch the servers to prevent security exploits.

As of this writing, there are no easy patches for this vulnerability.

However, we’ve used interim mitigation steps to prevent Mutagen Astronomy exploits until updated kernel packages are available.

 

64-bit servers with 32 GB or more RAM is vulnerable

The proof of concept exploits released by security researchers show that the server should have a 64-bit CPU has needs at least 32 GB of RAM for the exploit to be successful.

Since a vast majority of websites run on lower spec servers, this is not a concern for them.

However, we’ve seen that larger service providers such as Cloud hosts, VPS hosts, Shared hosts and SaaS owners are at risk.

Since this vulnerability is in the Linux Kernel, any vendor that has not applied the patch is vulnerable.

So far, we are aware of vulnerable Kernels in:

  • RHEL 6 and 7
  • CentOS 6 and 7
  • Debian Jessie
  • Ubuntu 14.04 LTS and 12.04 ESM

 

Fixing Mutagen Astronomy bug in RedHat & CentOS

Updated RHEL 7 kernels are released

RedHat released the patched Kernel for RHEL 7, and it can be applied via:

#yum update kernel

or

#yum update

However, patches are not yet available for RHEL 6.

 

Patching CentOS 6 and 7

These updated kernel packages are not yet available for CentOS, and need to be patched manually.

RedHat developers proposed a patch script using SystemTap (a kernel probing framework).

There are 3 steps involved in this:

  1. Install SystemTap using the command yum install systemtap systemtap-runtime
  2. Create a file MutagenAstronomyFix.stp with this content:
    • // CVE-2018-14634
      //
      // Theory of operations: adjust the thread's # rlimit-in-effect around
      // calls to the vulnerable get_arg_page() function so as to encompass
      // the newly required _STK_LIM / 4 * 3 maximum.
      
      // Complication: the rlimit is stored in a current-> structure that
      // is shared across the threads of the process. They may concurrently
      // invoke this operation.
      
      function clamp_stack_rlim_cur:long ()
      %{
        struct rlimit *rlim = current->signal->rlim;
        unsigned long rlim_cur = READ_ONCE(rlim[RLIMIT_STACK].rlim_cur);
      
        unsigned long limit = _STK_LIM / 4 * 3;
        limit *= 4; // multiply it back up, to the scale used by rlim_cur
      
        if (rlim_cur > limit) {
          WRITE_ONCE(rlim[RLIMIT_STACK].rlim_cur, limit);
          STAP_RETURN(limit);
        } else
          STAP_RETURN(0);
      %}
      
      probe kernel.function("copy_strings").call
      {
        l = clamp_stack_rlim_cur()
         if (l)
           printf("lowered process %s(%d) STACK rlim_cur to %p\n",
                  execname(), pid(), l)
      }
      
      probe begin {
      printf("CVE-2018-14634 mitigation loaded\n")
      
      }
      
      probe end {
      printf("CVE-2018-14634 mitigation unloaded\n")
      }
      
  3. Execute the SystemTap script with the command stap -g MutagenAstronomyFix.stp

 

This work around may not work well in all servers, as it depends on what kernel it runs.

So, if you get an error or are not sure about how to apply this patch, click here to contact our Linux experts. We are online 24/7.

 

Ubuntu & Debian fixes

Debian’s latest version, Debian 9 (aka Stretch) is already protected from this vulnerability.

However if you are not sure you’ve applied the packages, perform an update with apt-get update

Older stable version Debian 8 (aka Jessie) does not yet have a patched kernel [1].

Similarly, Ubuntu is also yet to release a patch for its 14.04 LTS and 12.04 ESM versions.

We’ll update this post as this situation develops.

 

Need emergency support?

If you suspect your server might be hacked, or if you feel it is at risk, click here to talk to our security experts.

We are online 24/7 and can perform a quick audit of your server, and take mitigation steps to prevent an exploit.

 


Your server could be at risk!

Don't panic! We will secure your server from Mutagen Astronomy exploits.

CLICK NOW TO PROTECT YOUR SERVER


Submit a Comment

Your email address will not be published. Required fields are marked *

Bobcares
Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.
MORE ABOUT BOBCARES