If you're on Linux kernel 5.8 or above and have non-root users, patch your kernel ASAP
Linux has yet another high-severity vulnerability that makes it easy for untrusted users to execute code capable of carrying out a host of malicious actions including installing backdoors, creating unauthorized user accounts, and modifying scripts or binaries used by privileged services or apps.
Dirty Pipe, as the vulnerability has been named, is among the most serious Linux threats to be disclosed since 2016, the year another high-severity and easy-to-exploit Linux flaw (named Dirty Cow) came to light as it was being used to hack a researcher's server.
More technical details: https://dirtypipe.cm4all.com/
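A quick triage helper for the "5.8 or above" advice in the title, added here as an example and not code from the thread or from the cm4all write-up. It classifies a `uname -r` string against the ranges the write-up states (introduced in 5.8, fixed upstream in 5.16.11, 5.15.25 and 5.10.102). The `check-package` result is an assumption of mine: distribution kernels such as Debian's `5.10.0-12-amd64` hide the real upstream patch level in the package version, so a `.0` patch level with an ABI suffix cannot be judged from the version string alone.

```shell
#!/bin/sh
# Added example (not from the thread): classify a running kernel release
# against the CVE-2022-0847 (Dirty Pipe) ranges from https://dirtypipe.cm4all.com/
#   introduced: 5.8        fixed upstream: 5.16.11, 5.15.25, 5.10.102
# Assumption: a "5.x.0-<abi>-<flavour>" style release (Debian, Ubuntu) carries
# backported fixes that the version string does not show, so it is reported
# as "check-package" rather than given a verdict.

# Print one of: not-affected | fixed | vulnerable | check-package
# for the release string in $1 (the output of `uname -r`).
dirtypipe_status() {
    rel=$1
    v=${rel%%-*}                 # strip "-12-amd64" / "-rc7" suffix
    v=${v%%+*}                   # strip "+" local-version suffix
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0 # bare "5" has no minor
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "5.10" has no patch level
    patch=${patch%%[!0-9]*}             # "11rc1" -> "11"
    [ -z "$patch" ] && patch=0

    # Before 5.8 the vulnerable splice/pipe code path does not exist.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected
        return 0
    fi
    # Every release from 5.17 onwards (and all 6.x) contains the fix.
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo fixed
        return 0
    fi
    # Distro ABI-style release: upstream patch level is in the package version.
    if [ "$patch" -eq 0 ] && [ "$rel" != "$v" ]; then
        echo check-package
        return 0
    fi
    case $minor in
        16) [ "$patch" -ge 11 ]  && echo fixed || echo vulnerable ;;
        15) [ "$patch" -ge 25 ]  && echo fixed || echo vulnerable ;;
        10) [ "$patch" -ge 102 ] && echo fixed || echo vulnerable ;;
        *)  echo vulnerable ;;   # 5.8, 5.9, 5.11-5.14: EOL upstream, no fix release
    esac
}

# Stand-alone use: classify the kernel this shell is running on.
dirtypipe_status "$(uname -r)"
```

A `check-package` result means comparing the installed package (`dpkg -l 'linux-image-*'` on Debian/Ubuntu, `rpm -q kernel` on RHEL-style systems) against the distribution's advisory, and remembering that the fix only takes effect after a reboot into the new kernel; a `fixed` verdict from `uname -r` is the only one that reflects the kernel actually running.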
Comments
What about OpenVZ, LXC?
The kernel used by OpenVZ is very old (3.10 for OpenVZ7 and 2.6.32 for OpenVZ6), all containers share that kernel version, and I don't think RHEL backported this change to older kernels, so it should be safe. Yay for outdated software I guess. 🤣
Ah right. I misread it as 5.8 and below.
So the latest LXC with 5.11 will be at risk.
I edited the title to clarify.
Right. Sorry, I just saw you edited your first comment to mention LXC too.
Ubuntu is triaging, patch for RHEL 8 is to be released, Debian published patched version for Bullseye.
Ahh, and that's why you stick with CentOS 7, kernel 3.10.
So with your logic we should switch back to Windows XP/98.
No, that's EOL. CentOS 7 goes EOL in 2024, with extended lifetime being 2029.
CentOS 6 still has a June 30, 2024 extended EOL: https://endoflife.software/operating-systems/linux/red-hat-enterprise-linux-rhel
So why is Ubuntu so far behind? Weren't they already informed at the end of February to prepare an update?
Windows XP is great, don't knock it. But seriously, why would you use Win XP when Win 3.11 can fit on a floppy disk?
True, you don't want to be in Extended Lifecycle though ...
That's why I keep my servers' login strictly from my home IP: AllowUsers username@myip
The Internet is a jungle!
You are not going to pay for Extended EOL for sure.
Actually it's really not just non-root sessions and my thread title is still a bit silly... If you have PHP (for example) and executing commands is enabled (for example, proc_open or exec), the hole would be exploitable through that by anyone that can create PHP files on the system.
It's completely underrated (yet) compared to Log4j. Android is affected too. Though I doubt that many devices are running 5.8 or higher. Usually it's those users who recently moved to RHEL 8 and downstream, and Bullseye people.
Kernel 3.10 has so many missing features though. It's way too old.
You also miss out on performance improvements. The 5.x series has had multiple performance improvements for Ryzen CPUs.
Don't worry, Boomer will keep the EOL'ed system running well past 2029.
"Not gonna upgrade, what are you expecting on a $3.50/year service?"
Like what? WireGuard kernel module? I've already installed that on the 3.10 kernel and as a result you can run your OpenVZ box with kernel WireGuard support
and probably a bunch more I'm forgetting.
Don't need to. Check this badass fresh install without updates:
I tested Debian with 5.10 and Ubuntu with 5.13 and they go to sh1t
Did you try it with a different setuid binary other than su?
Yes, I tried around 10. Only 1 was working but it did not give root.
Those are the same as the user had before hijacking.
Oopsie (yet again).
But don't worry because -> "linux is sakkure!!!"
Slackware patched this one with the 5.15.27 kernel update, also Debian with 5.10.0-12-amd64 #1 SMP Debian 5.10.103-1. I suggest that those who are on Debian 5.10.0-10-amd64 or below update and restart.