Kernel Question

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Kernel Question


Safe to assume that systems that use the ASL kernel are not impacted by the 'Dirty Cow' escalation (CVE-2016-5195)? Noticed a new ASL kernel out for a 6.x box (3.2.69-82) but not an older 5.x box (still running 3.2.69-81) so was wondering if related or coincidental. Assuming that -81 is fine but figured to ask JIC.

Thanks.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Kernel Question


The ASL kernels previous to 3.2.69-82 are vulnerable to CVE-2016-5195.
The 82-release specifically contains the patch that fixes this vulnerability.
Lemonbit Internet Dedicated Server Management
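
Added example, not part of any post in this thread and not Atomicorp's code: a shell check that applies the cut-off stated above (ASL kernels previous to 3.2.69-82 are vulnerable to CVE-2016-5195) to release strings as reported by `uname -r`. It assumes the input is an ASL kernel release that starts with `version-build` as quoted in the thread; the host names and the `.example.x86_64` suffix are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify ASL kernel release strings
# against the fixed release the thread names for CVE-2016-5195.
# Assumption: input is an ASL kernel release beginning "<a>.<b>.<c>-<build>";
# any suffix (dist tag, arch) is ignored. Suffixes below are constructed.

FIXED_RELEASE="3.2.69-82"

# Prints "patched", "vulnerable" or "unknown" for one release string.
asl_kernel_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown            # not in the expected form
        return 0
    fi
    # Split both versions into numeric fields: $1-$4 running, $5-$8 fixed.
    set -- $(printf '%s %s\n' "$ver" "$FIXED_RELEASE" | tr '.-' '  ')
    field=1
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        have=${pair% *}
        want=${pair#* }
        if [ "$have" -lt "$want" ]; then
            echo vulnerable     # earlier than the fixed release
            return 0
        fi
        if [ "$have" -gt "$want" ]; then
            # A later build of the same 3.2.69 base carries the fix; the
            # thread says nothing about other kernel series.
            if [ "$field" -eq 4 ]; then echo patched; else echo unknown; fi
            return 0
        fi
        field=$((field + 1))
    done
    echo patched                # exactly the fixed release
}

# Reads "<host> <uname -r output>" lines and appends the status to each.
report_inventory() {
    while read -r host release; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$release" "$(asl_kernel_status "$release")"
    done
}

# Constructed inventory matching the two boxes described in the thread.
report_inventory <<'EOF'
web-el6 3.2.69-82.example.x86_64
web-el5 3.2.69-81.example.x86_64
EOF
```

On a single host, `asl_kernel_status "$(uname -r)"` gives the same answer for the running kernel.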
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Kernel Question


prupert:

Thank you.

Scott/Mike:

What's the ETA on the RHEL/CentOS 5.x kernel update?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Kernel Question


It's in final QA. As an aside, if you put your users in the "untrusted" group, that exploit won't work regardless of what ASL kernel you are using.

http://wiki.atomicorp.com/wiki/index.ph ... STED_USERS

Alternatively, you can switch the logic in ASL to define a trusted group, and then all your users are untrusted by default.

http://wiki.atomicorp.com/wiki/index.ph ... OUP_POLICY

Either way, if you are using that feature, even if the kernel is not patched for this they won't be able to run the exploit on your system. In general, I recommend you use TPE, because its entire focus is to prevent users from uploading code and running it on your system. Web users shouldn't be uploading binaries anyway, so its impact on web users should be very minimal (and you can always tell the system to trust either that user, or just the app they uploaded). This will protect you from future vulnerabilities, regardless of the state of the kernel. If they can't run the exploit, it's moot.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Kernel Question


Thanks for the update.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Kernel Question


Kernel 3.2.69-82 is now available for EL5 platforms.
Lemonbit Internet Dedicated Server Management