OverviewA critical vulnerability in the Linux kernel was announced on Jan. 14, 2016, by security researchers at Perception Point. The vulnerability has existed since 2012, and is present in all devices running version 3.8 of the Linux kernel and higher.
ImpactThe Linux kernel above version 3.8 is affected by CVE-2016-0728, including computers, servers, and mobile devices using the following operating systems:
- Red Hat Enterprise Linux 7
- CentOS Linux 7
- Scientific Linux 7
- Debian Linux stable 8.x (jessie), and testing 9.x (stretch)
- SUSE Linux Enterprise Desktop, Server and Workstation Extension 12 and 12 SP1
- Ubuntu Linux 14.04 LTS (Trusty Tahr), 15.04 (Vivid Vervet), and 15.10 (Wily Werewolf)
- Opensuse Linux LEAP 42.x and version 13.x
- Oracle Linux 7
- Devices running an Android version below 4.4 (KitKat)
SummaryOn a server running a version of the Linux kernel above 3.8, a user with any level of access could exploit the vulnerability to execute code as root. The researchers noted that a malicious app on an Android device could do the same thing, although possibly with more difficulty. The researchers found that a reference leak in the mechanism that encrypts and stores credentials and other security data for use by applications can be used in what’s referred to as a “use after free” exploit. At this time, neither the researchers who discovered the vulnerability nor Red Hat have detected any sign of the vulnerability currently being exploited in the wild.
Is Your Server Affected?If the Linux kernel on your server already has been patched due to proactive measures by your web host or a service such as KernelCare, the changelog will include reference to CVE-2016-0728.
Servers equipped with KernelCareMany managed Liquid Web servers are equipped with KernelCare. To check whether the patch already has been applied, run this command:
kcarectl --patch-info | grep CVE-2016-0728That should produce output similar to the following:
kcarectl --patch-info | grep CVE-2016-0728 kpatch-cve: CVE-2016-0728 kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-0728
Servers without KernelCareA server which does not have KernelCare installed will output “command not found” when running the “kcarectl” command above. If that is the case, then you will need to check the kernel changelog for a reference to the CVE to know whether it’s been patched. On a CentOS or Red Hat server that does not have KernelCare, you can check with the command:
rpm -qa --changelog kernel|grep CVE-2016-0728
Note that servers with KernelCare will not display any output using the above command. As long as the expected output is present following the first command, the kernel has been patched.
ResolutionTo apply the patch, you will need to update the kernel and reboot the server for the patch to be applied. You can use the instructions in our Knowledge Base to update the kernel on CentOS and Red Hat servers, and you can follow these instructions to reboot your server following the update.
Note: Your server will need to be rebooted following the kernel update in order for the patch to be applied.If you need any assistance or prefer to schedule the server’s reboot for a specific time, please do not hesitate to contact Heroic Support®.