New kernels, fixed vulnerabilities

August 17, 2009 2:26 pm

We’ve released five new kernels which contain the fix for the recently announced Linux kernel local privilege escalation vulnerability (CVE-2009-2692).  The following kernels are NOT vulnerable:

2.6.18.8-linode19 (Latest 2.6 Stable)
2.6.30.5-linode20
2.6.18.8-x86_64-linode7 (Latest 2.6 Stable – x86_64)
2.6.30.5-x86_64-linode8
2.6.23.17-linode44 (for UML)

Please check the output of “uname -r” from within your Linode.  If you’re not running one of the kernels above (or later) then your Linode may be vulnerable.  In that case, we strongly recommend you choose “Latest 2.6 Stable” (or the non-vulnerable kernel of your choice) in your Linode’s Configuration Profile and reboot the Linode to acquire the change.  Verify you picked up the new kernel by running “uname -r” again after rebooting.

Exploits exist, affecting all versions of the Linux kernel up to and including 2.6.30.4, that allow a normal local user to gain root privileges.  We had mixed results in our testing, but the exploit definitely worked without modification on a couple of our kernels.  We strongly recommend you make sure you’re running one of the kernels listed above (or later).  We also maintain this list of available kernels.
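The check described above can be scripted. This is an added example, not Linode's own tooling: the function name `check_kernel` is hypothetical, and it assumes "or later" means the same kernel series with an equal or higher -linodeN build number. Anything outside the five listed series is reported as unlisted so you can check it by hand.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the fixed builds
# listed in this post. Assumption: "or later" means the same series with an
# equal or higher -linodeN build number.

# check_kernel RELEASE -> prints "fixed", "not-fixed" or "unlisted"
check_kernel() {
    rel=$1
    # Only release strings ending in -linodeN can be compared.
    case $rel in
        *-linode[0-9]*) ;;
        *) echo unlisted; return 0 ;;
    esac
    series=${rel%-linode*}    # e.g. 2.6.18.8-x86_64
    build=${rel##*-linode}    # e.g. 7
    # Reject build suffixes that are not purely numeric.
    case $build in
        ''|*[!0-9]*) echo unlisted; return 0 ;;
    esac
    # Minimum fixed build per series, taken from the list in the post.
    case $series in
        2.6.18.8)        min=19 ;;
        2.6.30.5)        min=20 ;;
        2.6.18.8-x86_64) min=7  ;;
        2.6.30.5-x86_64) min=8  ;;
        2.6.23.17)       min=44 ;;
        *) echo unlisted; return 0 ;;
    esac
    if [ "$build" -ge "$min" ]; then
        echo fixed
    else
        echo not-fixed
    fi
}

# Classify the kernel this machine is running right now.
running=$(uname -r)
printf '%s: %s\n' "$running" "$(check_kernel "$running")"
```

A result of not-fixed or unlisted means the kernel is not covered by the list above, so select a fixed kernel in the Configuration Profile, reboot, and run the check again.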

12 Responses

  1. Thanks for the update. Was wondering when this was going to come out. I was scared for a few days.

  2. The 2.6.18.8 series kernels we released last Friday night, but wanted to wait for 2.6.30.5 before making the announcement.

  3. Nice, thanks for the update.

  4. How do I upgrade to the latest kernel if I’m on an old version?

  5. To upgrade, simply reboot, then verify it again with: uname -r

  6. Thanks for informing us about that on your blog.
    I love your service. 🙂

    Have a good day.
    Davide.

  7. Mine says “2.6.18.8-linode16”.

    Would you say this requires update?

    Thanks!

  8. Is 2.6.18.8-linode16 or later in the list above? No. So you’re vulnerable.

  9. Thank you for your continued updates. This is very much appreciated and certainly why Linode LLC is the right choice for our services. Keep up the fantastic support work.

  10. Thanks for the great work! Is this kernel’s source available? I see many kernel sources here: http://linode.com/src/ but not 2.6.23.17-linode44.

    I was hoping to get the right headers so I can compile kernel modules on my Linodes!

  11. @Casey – that’s a UML kernel, which doesn’t support modules in our environment. If you need modules, submit a ticket and we’ll migrate your Linode to a Xen host.

  12. Thanks for the advice! I rarely need to build kernel modules, but it would be nice and I doubt I’d notice the UML/Xen switch otherwise.
