Add KernelCare’s Free Symlink Protection
I have just upgraded OS to Rocky8
OS
When I run cPanel Security Advisor I get the following:
Kernel does not support the prevention of symlink ownership attacks.
You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
Add KernelCare’s Free Symlink Protection.
This free patch set protects your system from symlink attacks. Add KernelCare’s Free Patch Set. Add KernelCare’s Free Symlink Protection. NOTE: This is not the full KernelCare product and service.
You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.
A KernelCare update is available.
You must take one of the following actions to ensure the system is up-to-date:
- Patch the kernel (run “kcarectl --update” on the command line).
- Update the system (run “yum -y update” on the command line), and reboot the system.
----
However, when I run the kcarectl --update in ssh, I get "downloading updates" and then "complete". When I restart the server and re-run the security advisor, I get the exact same message. It appears symlink protection has not been added.
If I click on the "Add KernelCare’s Free Symlink Protection." in whm, it navigates to "https://serveraddress:2087/cpsess7608784606/scripts13/add_kernelcare_free_symlink_protection" and just reloads the security advisor page with the same warning messages.
-
Can you go to Terminal in WHM and execute this command?
kcarectl --info
Andrew N. - cPanel Plesk VMWare Certified Professional
0 -
[root@~]# kcarectl --info
No patches applied, but some are available, run 'kcarectl --update'.
[root@~]# kcarectl --update
Downloading updates
HTTP Error 401: Unauthorized: https://patches.kernelcare.com/patches/K20240119_03/c843b85222f88820f3a259673ae462735ed23f09/1/kpatch.bin
[root@~]#
0 -
OK I contacted Cloudlinux to get support and they told me to uninstall the kernel care
yum remove kernelcare
Then reinstall it:
curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
kcarectl --set-patch-type free --update
Please note that in some cases, you'll get the following message:
'free' patch type is unavailable for your kernel
That means that the kernel you're running has been released very recently and there are no patches yet for it.
I think they are very slow in supporting kernel updates.... we shall see (I am using up to date kernel)
2 -
This is still bugging me.
I can't figure out if the machine is covered against symlinks or not.
This is what I am seeing:
1) If I run kcarectl --update I get:
Downloading updates
The IP 12.3.45.6 was already used for a trial license on 2018-05-15
2) yum remove kernelcare
Removed:
kernelcare-2.85-2.el9.x86_64
Complete!
3) curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
Installed:
kernelcare-2.85-2.el9.x86_64
Complete!
4) kcarectl --set-patch-type free --update
Downloading updates
The IP 12.3.45.6 was already used for a trial license on 2018-05-15
Seems to be stuck in some kind of loop. Security Advisor still says
Kernel does not support the prevention of symlink ownership attacks.
Add KernelCare’s Free Symlink Protection.
So your assistance on this would be appreciated.
0 -
We'll need a ticket on this one to look into the license problem - I'm not able to do anything with licenses over the Forums, unfortunately.
0 -
Hi cPRex
It's not a license thing... we are using the free version... but it's just going around in a loop.
0 -
We're still going to need a ticket on this one :D - there's KernelCare, Imunify, Rocky, all talking to each other, and something is clearly not working as intended on your system or it wouldn't be taking this long to track down.
0 -
Here it is: #95279186
0 -
It looks like our team found this issue:
but we were also able to confirm that your kernel itself is on the latest version with no vulnerabilities.
0 -
Sorry for the cross post, I hadn't remembered this one. I opened another here: https://support.cpanel.net/hc/en-us/community/posts/25873975759895-kernel-care-free-patch-set
> It looks like our team found this issue:
If this is the case, why keep showing that message in WHM ?
0 -
Any reason this is still not fixed 1 year on?
0 -
Darryl - I don't see that there was a case made for this behavior since the CloudLinux team confirmed things were fine on their end.
Could you submit a ticket from a server where this is happening so this can be examined?
0 -
Nothing unique about my setup, brand new server, latest AL9.5, fresh cPanel install provisioned today 124.0.21 and security advisor shows:
Kernel does not support the prevention of symlink ownership attacks.
You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
Add KernelCare’s Free Symlink Protection.
This free patch set protects your system from symlink attacks. Add KernelCare’s Free Patch Set. Add KernelCare’s Free Symlink Protection. NOTE: This is not the full KernelCare product and service.
You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.
------
Clicking the link just reloads the page, same as original reported case here.
Assume that should be a very simple test case, I don't particularly have time to spare on this atm but if you can't reproduce let me know and I will sort something out next week.
0 -
I just want to mention that this issue came back after the latest cPanel update. This is the 2nd time that the issue, like a good zombie movie, has come back from the dead. In other words, you've fixed this before, but it somehow is getting put back into the software in your updates.
0 -
Yes I also find it somewhat irritating that even when there is no vulnerability, the alert still shows. Surely it would be straightforward to perform a check and if no vulnerability exists for this kernel, then don't show the kernel care message. However I don't think this issue is strictly a cpanel one, when I reached out to kernelcare, they were extremely dismissive and uninterested. Perhaps because I'm not a kernel care premium subscriber? Still if this issue could be resolved it would be appreciated. I don't want to be confronted with warning messages that don't apply or are unnecessary for my os.
1 -
Yes there's a multitude of reasons really, it should be a simple fix cPanel side but whilst the issue exists we have clients querying why we have not secured their servers making us look bad and the cPanel article https://support.cpanel.net/hc/en-us/articles/23094436295959-Security-Advisor-suggests-unavailable-free-patch-for-KernelCare-on-AlmaLinux-9 that explains it is a cPanel bug/non-issue is behind a login which our clients do not have so they have no way to verify this.
Issues like this persisting whilst our license fees keep increasing way above inflation are so grating.
1 -
Thanks for all the feedback - let me do some testing with this and I'll see what I come up with. I'll let you know as soon as I have more details!
0 -
I wasn't able to find out much today, and at this point in the development cycle nothing is going to get pushed/addressed until mid January at the earliest. I'll try poking this one again after the holidays as I do suspect we want to get this resolved as more and more users start moving toward AlmaLinux 9.
0 -
For some reason I ran Security Advisor again today, and the notification vanished. I no longer see it, even though it was there over the last couple of weeks after an update.
0 -
It's afraid - it's like when you take your car to the mechanic and it stops making that weird noise!
0 -
Guys, do we ignore this warning and Bluehost patch or?
Same problem on my AlmaLinux 9
0 -
At this time you can ignore the warnings.
0 -
got it chief
0 -
I have the same problem, but when I run
kcarectl --info
the result:
This kernel doesn't require any patches.
then I'm still getting the same msg:
Add KernelCare’s Free Symlink Protection.
This free patch set protects your system from symlink attacks. Add KernelCare’s Free Patch Set. Add KernelCare’s Free Symlink Protection. NOTE: This is not the full KernelCare product and service.
0
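Added example (not part of any post above, and not cPanel's or CloudLinux's code): a small shell helper that maps the kcarectl messages quoted in this thread to a state and to the next step the posters describe. The state labels, the function names and the sample IP and URL placeholder are made up for this illustration.

```sh
#!/bin/sh
# Added example: interpret kcarectl output using the message strings quoted in
# this thread. State labels and function names are made up for illustration.

classify_kcare() {
    # $1: combined stdout/stderr of `kcarectl --info` or `kcarectl --update`.
    # Error conditions are matched first so they win over "patches available".
    case "$1" in
        *"HTTP Error 401"*)                              echo "auth-rejected" ;;
        *"already used for a trial license"*)            echo "license-conflict" ;;
        *"patch type is unavailable for your kernel"*)   echo "no-free-patchset-yet" ;;
        *"This kernel doesn't require any patches"*)     echo "not-required" ;;
        *"No patches applied, but some are available"*)  echo "pending" ;;
        *)                                               echo "unknown" ;;
    esac
}

next_step() {
    # $1: state from classify_kcare. Advice paraphrases the posts above.
    case "$1" in
        auth-rejected)        echo "reinstall kernelcare, then: kcarectl --set-patch-type free --update" ;;
        license-conflict)     echo "licensing issue: open a support ticket" ;;
        no-free-patchset-yet) echo "kernel is newer than the free patch set: wait" ;;
        not-required)         echo "nothing to apply; the Security Advisor notice may still be shown" ;;
        pending)              echo "run: kcarectl --update" ;;
        *)                    echo "unrecognised output: read it manually" ;;
    esac
}

report() {
    state=$(classify_kcare "$1")
    printf '%-22s %s\n' "$state" "$(next_step "$state")"
}

if command -v kcarectl >/dev/null 2>&1; then
    report "$(kcarectl --info 2>&1)"      # live host
else
    # Constructed samples built from the messages quoted in the thread.
    for sample in \
        "No patches applied, but some are available, run 'kcarectl --update'." \
        "Downloading updates
HTTP Error 401: Unauthorized: <patch URL placeholder>" \
        "The IP 192.0.2.10 was already used for a trial license on 2018-05-15" \
        "'free' patch type is unavailable for your kernel" \
        "This kernel doesn't require any patches."
    do
        report "$sample"
    done
fi
```

On a host with KernelCare installed the script classifies the live `kcarectl --info` output; elsewhere it runs over the constructed samples.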