KernelCare Extra Patchset option not showing in WHM > Security Advisor
I saw the option to install the free patch set on one of my servers in the Security Advisor window on WHM and went ahead and "clicked the button" that did that - it all seemed to be easy as, and smooth and the Security Advisor now states "You are Protected by KernelCare's Free Symlink Protection." :)
However, on my other servers - I don't see the option to install it - there's nothing mentioned in the in the Security Advisor window, just the usual "Kernel does not support the prevention of symlink ownership attacks.You do not appear to have any symlink protection enabled through a properly patched kernel on this server"
All servers are running the same kernel, OS and WHM version. What gives? :(
-
Hi @WorkinOnIt That's unusual, all servers that are on v70+ should have it. I know you did mention they were all on the same cPanel version, OS and kernel but could you run the following on the server with the patch and the server without: uname -r rpm -qa |grep kernel kcarectl --patch-info cat /usr/local/cpanel/version cat /etc/redhat-release
Thanks!0 -
Server with patch installed; [test@1 ~]$ uname -r 3.10.0-862.3.2.el7.x86_64 [test@1 ~]$ rpm -qa |grep kernel kernel-tools-libs-3.10.0-862.3.2.el7.x86_64 kernel-tools-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-693.21.1.el7.x86_64 kernel-headers-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-693.17.1.el7.x86_64 kernelcare-2.14-6.x86_64 kernel-3.10.0-862.2.3.el7.x86_64 kernel-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-693.11.1.el7.x86_64 [test@1 ~]$ sudo kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.3.2.el7 time: 2018-05-24 04:36:53 kpatch-name: 3.10.0/symlink-protection-ge-862.patch kpatch-description: symlink protection kpatch-kernel: kernel-3.10.0-514.el7 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: Gerrit Code Review kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch kpatch-description: symlink protection (kpatch adaptation) kpatch-kernel: kernel-3.10.0-514.el7 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: Gerrit Code Review [test@1 ~]$ cat /usr/local/cpanel/version 11.70.0.44 [test@1 ~]$ cat /etc/redhat-release CentOS Linux release 7.5.1804 (Core)
Second server without the button showing.[test@server2 ~]$ uname -r 3.10.0-862.3.2.el7.x86_64 [test@server2 ~]$ rpm -qa |grep kernel kernel-3.10.0-862.3.2.el7.x86_64 kernelcare-2.14-6.x86_64 kernel-3.10.0-693.11.1.el7.x86_64 kernel-3.10.0-693.21.1.el7.x86_64 kernel-headers-3.10.0-862.3.2.el7.x86_64 kernel-tools-libs-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-693.17.1.el7.x86_64 kernel-tools-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-862.2.3.el7.x86_64 [test@server2 ~]$ sudo kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.3.2.el7 time: 2018-05-24 04:36:53 kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch kpatch-description: Restrict access to pagemap/kpageflags/kpagecount kpatch-kernel: kpatch-cve: kpatch-cvss: kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges kpatch-patch-url: uname: 3.10.0-862.3.2.el7 [test@server2 ~]$ cat /usr/local/cpanel/version 11.70.0.44 [test@server2 ~]$ cat /etc/redhat-release CentOS Linux release 7.5.1804 (Core)0 -
Hi @WorkinOnIt Thank you for providing all of that information. The big difference I see here is the patch info. On the server without the option you have an entirely different patch coming up: [test@server2 ~]$ sudo kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.3.2.el7 time: 2018-05-24 04:36:53 kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch kpatch-description: Restrict access to pagemap/kpageflags/kpagecount kpatch-kernel: kpatch-cve: kpatch-cvss: kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges kpatch-patch-url:
Is this something that you remember installing? Thanks!0 -
Yes, I saw that discrepancy too - but I don't remember installing any patches. I'm not even sure what the proc-restrict-pagemap-access.patch actually does! What's the best way forward here? 0 -
@WorkinOnIt I'm going to research this patch and see if I can replicate the issue you're experiencing as well as look for a potential workaround. I'll update you again once I've got some more information. 0 -
Hi @WorkinOnIt Can you please run the following on the server that isn't showing the symlink protection patch? usr/bin/kcarectl --info /usr/bin/kcarectl --license-info
That patch also came with the following: KernelCare Directory I'm wondering if you have the full kernelcare version on this server and because of that patch you're not getting the notification somehow0 -
Hi @cPanelLauren I ran the above command and it says : "You have a trial license for the IP 12.34.56.78 that will expire on 2018-05-30" kpatch-state: patch is applied kpatch-for: Linux version 3.10.0-862.3.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Mon May 21 23:36:36 UTC 2018 kpatch-build-time: Wed May 23 21:57:28 2018 kpatch-description: 1-;3.10.0-862.3.2.el7 However, I have not installed Kernel Care on the system - unless that is what got installed along with some update? I'm the only admin on the server, so no-one else could have installed it. Very odd !! Has this been reported by anyone else? What's the best way to remove it and go with the free patch. 0 -
HI @WorkinOnIt When just the patch is applied the kpatch-description line looks like this: kpatch-description: 2-free;
So it does indeed look like you have the full KernelCare service installed. To uninstall it you can follow the instructions provided by CloudLinux here: KernelCare Documentation Then you can install just the free patch from the SecurityAdvisor - There are two KernelCare related notifications that come up when running the security advisor, one is yellow for the full KernelCare product and the other is red for symlink protection only.0
Please sign in to leave a comment.
Comments
8 comments