Xen Exploit
So since I was browsing around and came across this:
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00003.html
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
Anyone else seen this recently?
Comments
@kujoe was patching this I think and had a real pain in the balls over it.
At least 5 stable LEB providers I am hosted with (allsimple, inception..) rebooted their nodes today/yesterday and some announced maintenance for tomorrow.
I am wondering if approx 3 non-Xen providers' reboots today were a coincidence or whether there's also an issue with other virtualizations, not Xen explicitly.
SecureDragon (@kujoe) has sent out a few emails regarding this. Sounds like he has had a few late ones getting the patch in and working as well.
We grabbed the source RPM from Red Hat and built it -- no issues at all with the reboots. Well, I lie -- someone (me) had something wrong in grub.conf and one node required a second reboot.
The problems I experienced were self inflicted. I originally attempted to upgrade Xen itself but could not apply the patch Xen provided so I decided to upgrade to the patched RHEL kernel that @jeff_lfcvps pointed me to. After rebooting into the patched kernel I found that my network bridges were messed up so I removed the new version of Xen and installed the default version by default which is most likely where my problems came from. Throwing no sleep and no internet into the mix just made things worse.
@Kujoe,
The joy of Xen. We are lucky enough that we have KSplice that does some good wonders for helping us keep most everything up to date.
If I have Xen VPSes and I haven't heard from my providers about the need for some downtime to reboot...should I be concerned? o_O
Or maybe they are using KSplice too?
@Syaman, I know some of them utilize KSplice since some of these/us providers have old accounts and are unlocked. The ones that are newer to the Xen game have to restart their nodes to get the kernel updates which is a royal pain sometimes =(.
Do you have a link to the source code off hand? It looks like Oracle took down all of the mirrors.
Actually this is not a Xen-specific exploit; it affects all 64-bit hypervisors with Intel chips (apart from VMware). It's just that xen.org released the info and the first patch.
Give it a week, OpenVZ and Hyper-V nodes will be dropping like flies due to the lack of patching available. This is a local privilege escalation exploit, meaning it cannot be run remotely; the attacker needs a guest account to start with (Container/DomU).
Same, except for about 14 nodes
So I can use my VPS with an OpenVZ provider to compromise the entire node?
This looks dead serious. Even DoS on older AMDs (as I have) seems serious enough to make me schedule some downtime tonight. Lucky, tho, most guests are 32 bit and those 64 internal and almost all exclusively under my control.
But, as always, if something can go wrong, it will.
Thanks for the thread.
M
Potentially yes. Consider that this has been vulnerable since 2006 and no PoC that I am aware of is out there yet though, so it can't be easy.
I have mixed feelings about these threads: on the one hand it's good to get the info to hosts, on the other hand for every 1000 views 10 people will go off and start finding out how to destroy their hosts.
@AnthonySmith yeah, Red Hat confirmed that. http://lwn.net/Alerts/501640/
You can no longer get KSplice for OpenVZ (unless you're an existing customer) since the Oracle acquisition.
"Please note: The following kernels are only supported for legacy Ksplice customers prior to the Ksplice acquisition. Ksplice Uptrack is no longer offered for these distributions for new customers. Support for these distributions for existing customers remains unaffected."
Cool, Oracle looks determined to go on the road Microsoft took and more or less abandoned now. Where Bill failed, Oracle has even less chances of success.
Regarding these threads being bad, I am sure the interested ppl find out the minute it is out some place. They don't come to LET to check for exploits, me neither, but it does help raise awareness, even for ppl which have no idea what we are talking about. Keep your OS up to date can't be wrong (usually).
M
I was hoping for the source code for 0.9.9 since I refuse to pay $2999/year (per node?).
Jesus Christ...
M
http://packages.debian.org/source/squeeze/admin/ksplice