Monitoring, Management & Location Tracking

Local Root Exploit in Linux Kernel (AirWave Tech. Bulletin #2292008)

Local Root Exploit in Linux Kernel -- Questions and Answers

Q. What is this vulnerability?
A. Specifically, the vulnerability could, in some situations, allow an unprivileged user to become root (i.e., the Linux/UNIX superuser) by executing code that takes advantage of the referenced exploit. In most cases, it is highly unlikely that this would be a problem for most typical AMP installations (see additional information below).

Q. Is this a problem created by AirWave, or due to a programming error in the AMP software?

A. No. AirWave uses the same Linux kernel code as distributed by many other companies, including well-known Linux distributions like Red Hat. The local root exploit is not caused by programming errors created by AirWave engineers or the software we distribute; our software is affected only because our application runs on Linux-based operating systems which may contain the affected kernel code.

Q. Does this local root exploit affect me or my AMP installation?
A. If you're running AMP on CentOS 5 it almost certainly affects you and your AMP installation. If you're running AMP on CentOS 4, Redhat 4 or another OS, it probably does not affect you.

Q. How can I be sure if my AMP is or is not affected by this local root exploit?
A. To check if your AMP kernel is affected by the local root exploit, please run the following command at your AMP's command prompt via an SSH connection:

uname -r

If the command indicates a kernel version falling between 2.6.17 and 2.6.24.1, you should upgrade your AMP 5.3.3 to when it's released later this week. In addition, you will need to update your AMP's kernel RPM, as indicated in our original email on this issue. However, if the uname command listed above reveals a kernel version that's lower than the range specified, or a kernel version that's higher than the range listed above, you *do not* need to upgrade your kernel; the local root exploit issue will not affect your AMP installation.

Q. Are there other ways I can tell what OS version I have, and what kernel I have, without using the command line (i.e., from with the AMP's web GUI)?
A. AMP displays the operating system version on the AMP's 'Home' page. To check the AMP's kernel version, you can look on the System -> Performance page.

Q. What's the fix for this issue?
A. AMP 5.3.3 should be available in mid-March, 2008 and it will have an updated kernel that is not affected by this local root exploit. For an immediate fix, you can manually install the necessary kernel RPMs with this command:

# rpm -Uvh http://mirror.centos.org/centos-5/5/os/i386/CentOS/kernel-2.6.18-53.el5.i686.rpm \
http://mirror.centos.org/centos-5/5/os/i386/CentOS/kernel-PAE-2.6.18-53.el5.i686.rpm \
http://mirror.centos.org/centos-5/5/os/i386/CentOS/kernel-headers-2.6.18-53.el5.i386.rpm

Q. Is there any way a remote user could take advantage of this local root exploit?
A. Not that we know of. To the best of our knowledge, only a local operating system account user would be able to take advantage of this exploit to gain root access on the AMP. Standard AMP user accounts, i.e. accounts created in the AMP's web GUI, would not be able to take advantage of this exploit. In the most typical use cases for the AMP, it is unlikely that there would be any other local users on the system other than the root account.
Local Root Exploit in Linux Kernel -- Questions and Answers

Version History
Revision #:
1 of 1
Last update:
‎06-06-2014 04:28 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.