Symlink protection not found after upgrading

Comments

14 comments

  • rs200
    I try to answer myself, but I'd like a confirmation from someone at cPanel support :) I found a post by CloudLinux with instructions to install and configure the
    0
  • dalem
    Yes but it should be
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99
    0
  • rs200
    Hi dalem and thanks for the reply. I created the file syctl.config under /etc/sysconfig/kcare/ and I added the 2 lines. I ran the command
    sysctl -w fs.enforce_symlinksifowner=1
    but received this error:
    sysctl: cannot stat /proc/sys/fs/enforce_symlinksifowner: No such file or directory
    What's the issue?
    0
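The error quoted above means the running kernel has no `fs.enforce_symlinksifowner` entry under /proc/sys at all, which is a different state from the setting being present with another value. The following check is an added example, not part of the thread or of KernelCare; the function name and the directory parameter are assumptions made so it can be run against a constructed directory, and the expected values are the two dalem gives.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the running kernel
# exposes the symlink-ownership sysctls and whether they hold the values
# given above (fs.enforce_symlinksifowner = 1, fs.symlinkown_gid = 99).

# symlink_protection_status [DIR] [WANT_ENFORCE] [WANT_GID]
# DIR defaults to /proc/sys/fs; it is a parameter only so the check can be
# exercised against a constructed directory.
symlink_protection_status() {
    dir=${1:-/proc/sys/fs}
    want_enforce=${2:-1}
    want_gid=${3:-99}

    # No proc entry means the kernel has no such tunable: this is the case
    # behind "sysctl: cannot stat ... No such file or directory".
    if [ ! -e "$dir/enforce_symlinksifowner" ]; then
        echo "unsupported"
        return 0
    fi

    enforce=$(cat "$dir/enforce_symlinksifowner")
    gid=$(cat "$dir/symlinkown_gid" 2>/dev/null || echo missing)

    if [ "$enforce" = "$want_enforce" ] && [ "$gid" = "$want_gid" ]; then
        echo "ok enforce=$enforce gid=$gid"
    else
        echo "differs enforce=$enforce gid=$gid"
    fi
}

# Check the live system when the script is run directly.
symlink_protection_status
```
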
  • dalem
    Don't think CL has a patch set for your kernel yet; kcarectl --update and it will tell you. Unsure if it covers the centos.plus kernel.
    0
  • cPanelLauren
    Hello, I've set up a new server with the same kernel as you and kernelcare but I'm not able to replicate a warning about symlink protection. Can you provide a screenshot or the exact verbiage that is notifying you of an error?
    0
  • rs200
    Hello, I've set up a new server with the same kernel as you and kernelcare but I'm not able to replicate a warning about symlink protection. Can you provide a screenshot or the exact verbiage that is notifying you of an error?

    Hi Lauren and thanks for the response. The error is reported to me by "Security Advisor"; I quote it here:
    Kernel does not support the prevention of symlink ownership attacks. You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
    This happened after upgrading cPanel from 76.0.12 to 76.0.13; before this everything was OK! And I can't see why "Security Advisor" tells me this:
    The system kernel is up-to-date at version "3.10.0-862.14.4.el7".
    The kernel is not that one; it's 3.10.0-327.4.4.el7.centos.plus.x86_64. However, this is the output after the "kcarectl --update" command:
    Kernel is safe
    I suppose something went wrong after that cPanel upgrade.
    0
  • cPanelLauren
    Hi @rs200 KernelCare applies patches to your currently installed kernel to patch you up to the most recent version. It looks like KernelCare covers the patch you're on: KernelCare Directory. I'm running KernelCare on an unsupported kernel and I am still unable to get the error you're receiving. What is the output of the following:
    kcarectl --info
    kcarectl --patch-info
    0
  • rs200
    Hi @rs200 What is the output of the following: kcarectl --info
    kcarectl --patch-info

    Output of "kcarectl --info" command:
    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-327.4.4.el7.centos.plus.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Wed Jan 6 00:35:56 UTC 2016
    kpatch-build-time: Mon Nov 5 13:02:29 2018
    kpatch-description: 240-:1544140428;3.10.0-862.14.4.el7

    Output of "kcarectl --patch-info" command. I reported the first lines and last lines, because it is too long and the forum doesn't allow me to post it entirely.
    OS: centos7-plus
    kernel: kernel-plus-3.10.0-327.4.4.el7.centos.plus
    time: 2018-11-07 10:56:31

    kpatch-name: 3.10.0/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
    kpatch-description: KEYS: Fix keyring ref leak in join_session_keyring()
    kpatch-kernel: >kernel-3.10.0-327.4.4.el7
    kpatch-cve: CVE-2016-0728
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-0728
    kpatch-patch-url: https://git.kernel.org/linus/23567fd052a9abb6d67fe8e7a9ccdd9800a540f2

    kpatch-name: 3.10.0/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
    kpatch-description: KEYS: Fix race between key destruction and finding a keyring by name
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-7872
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
    kpatch-patch-url: http://git.kernel.org/linus/94c4554ba07adbdde396748ee7ae01e86cf2d8d7

    kpatch-name: 3.10.0/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
    kpatch-description: KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-7872
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
    kpatch-patch-url: http://git.kernel.org/linus/f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61

    kpatch-name: 3.10.0/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
    kpatch-description: KEYS: Don't permit request_key() to construct a new keyring
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-7872
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
    kpatch-patch-url: http://git.kernel.org/linus/911b79cde95c7da0ec02f48105358a36636b7a71

    .......
    .......
    .......

    kpatch-name: 3.10.0/x86-kvm-vmx_vcpu_run-wrapper.patch
    kpatch-description: vmx_vcpu_run wrapper
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url:
    kpatch-patch-url:

    uname: 3.10.0-862.14.4.el7
    0
  • baronn
    @rs200 this link may help you a little further: Unknown Kernel (CentOS Linux 3.10.0-957.1.3.el7.x86_64)
    0
  • cPanelLauren
    @rs200 That all looks good, can you please open a ticket using the link in my signature? I'd like to see if we can look further into this with access to the affected system. Once open please update here with the ticket ID so we can check in on it. @baronn while that is an issue it's a completely different kernel version being affected.
    0
  • rs200
    @rs200 That all looks good, can you please open a ticket using the link in my signature? I'd like to see if we can look further into this with access to the affected system. Once open please update here with the ticket ID so we can check in on it. @baronn while that is an issue it's a completely different kernel version being affected.

    Hi Lauren, the ticket id is 10995477
    0
  • vacancy
    The first kernel of centos 7.6 was not patched by cloudlinux-kernelcare for 15-16 days. I will cancel my kernelcare licenses as soon as possible.
    0
  • cPanelLauren
    Hi @rs200 I just wanted to update this thread with the status of the ticket.
    • You're running the full kernelcare product which will automatically update your kernel to their most updated version. As mentioned by @vacancy sometimes there can be a gap in between when the kernel is released and when kernelcare patches to support it. That isn't necessarily related to the issue here though.
    • You're running a CentOS-Plus kernel which is considered a custom kernel. While Kernelcare (the full product) supports this, KernelCare Symlink Protection (free patch) does not. So you do not have symlink protection on the server.
    • It doesn't seem as though you were getting notified that you didn't have symlink protection but that the kernel itself didn't support it. We did find that the documentation was misleading and we subsequently opened a documentation case to have that resolved.
    • The analyst advised you switch to a stock CentOS kernel and provided the following instructions (which I do quite often to test issues on my VPS using the same process):
    In order to revert back, you would need to edit '/etc/yum.repos.d/CentOS-Base.repo'. I suggest making a backup of this file before making any changes to it:
    cp /etc/yum.repos.d/CentOS-Base.repo{,.orig}
    From there, you will need to make several changes to this file. In particular, the following are the lines that need to change:
    [22:43:42 server root@10995477 ~]cPs# egrep -e '^\[' -e '^enabled' -e '^exclude' -e '^includepkgs' /etc/yum.repos.d/CentOS-Base.repo
    [base]
    exclude=kernel-* grubby-* <<<=== comment this line out
    [updates]
    exclude=kernel-* grubby-* <<<=== comment this line out
    [extras]
    exclude=kernel-* grubby-* <<<=== comment this line out
    [centosplus]
    enabled=1 <<<=== disable this by setting it to 0
    exclude= <<<=== comment this line out
    includepkgs=kernel-plus* <<<=== comment this line out
    [22:43:53 server root@10995477 ~]cPs#
    After doing this, you will need to run 'yum update' in order to install a standard CentOS 7 kernel, then you will need to reboot into this kernel. And if you're uncomfortable making any of these changes you might want to enlist the assistance of a qualified system administrator. If you don't have one already you might find one here: System Administration Services | cPanel Forums
    Thanks!
    0
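The repo-file edits listed in the post above can be previewed without touching the real file. This is an added example, not code from cPanel or from the ticket; the function names and the sample file are constructed for illustration, and the section names and keys are the ones shown in the egrep output.

```shell
#!/bin/sh
# Added example (not from the thread): print CentOS-Base.repo with the
# changes the post describes, leaving the input file unmodified.

# revert_centosplus_repo FILE -> edited file on stdout
revert_centosplus_repo() {
    awk '
        /^\[/ { section = $0 }    # remember which [section] we are in
        # [base], [updates], [extras]: comment out the exclude= line
        (section == "[base]" || section == "[updates]" || section == "[extras]") && /^exclude=/ {
            print "#" $0; next
        }
        # [centosplus]: disable the repo and comment out its filters
        section == "[centosplus]" && /^enabled=1/ { print "enabled=0"; next }
        section == "[centosplus]" && (/^exclude=/ || /^includepkgs=/) { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample mirroring the lines shown in the egrep output.
make_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
exclude=kernel-* grubby-*

[updates]
exclude=kernel-* grubby-*

[extras]
exclude=kernel-* grubby-*

[centosplus]
enabled=1
exclude=
includepkgs=kernel-plus*
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample_repo "$sample"
revert_centosplus_repo "$sample"
rm -f "$sample"
```

Run against a copy of the real file, the output can be compared with the `.orig` backup using `diff` before it replaces anything.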
  • vacancy
    0