Hi Michael,

> OpenVZ Kernel jockeys...
>
> Anyone like to comment on if they think this could be exploited from a
> guest VM to execute code on the host node?
>
> CVE-2009-2692
I tested it on Friday with the exploit from Brad Spengler, which is mentioned on this page:

http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

The exploit allows an unprivileged user to gain root access. However: the exploit (as is) *only* works on the master node. NOT inside a VE. Somehow the virtualization already takes care of it and prevents it when someone runs it inside a VE.

Those were my findings when I tested it on CentOS4 and CentOS5 master nodes with CentOS4 and CentOS5 VEs. Didn't test any other distributions, as they're of next to no importance to my clients.

So as long as no untrusted user has local access to the master node (or somehow manages to break out of a VE) you should be fine.

I was using the latest stable OpenVZ kernels at the time of the testing (and 2-3 older ones on internal devel boxes that hadn't been updated). My kernels are just rebuilds from the OpenVZ SRPMs with different naming (not "ovzkernel", but back to "kernel"). The rest is "stock".

I already rolled up updated OpenVZ kernels for CentOS5 with the patch that Linus Torvalds posted on Friday:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

A patched one for straight CentOS5 - *without* the OpenVZ stuff! - can be found here:

http://mirror.blueonyx.it/pub/BlueOnyx/5106R/CentOS5/blueonyx/testing/RPMS/

FWIW: The RedHat 2.6.18-128.4.1.el5 SRPM has about 8-10 patches which the OpenVZ 2.6.18-128.2.1 kernel is missing. I started looking up the CVE numbers to see what the missing patches were for (if the CVE numbers were given in the changelog), but it didn't appear to be anything overly worrisome.

> This seems pretty serious and exploits are in the wild.

Yeah, if you're running an unvirtualized Linux you should be worried. If you're running CentOS, then especially so.
It just took them 9 days to release a GLIBC update, and the other "important" kernel and bind updates before that were also so late that it was nothing to write home about. I wonder how long it'll take them this time to rebuild the RedHat kernel SRPM and release it <sigh>. It's no longer funny what they do.

--
With best regards
Michael Stauber
--> http://www.aventurin.net
----> http://www.blueonyx.it

_______________________________________________
Users mailing list
Users@openvz.org
https://openvz.org/mailman/listinfo/users