Linux kernel local root exploit (CVE-2016-8655) fixed

Yesterday a Linux kernel local root exploit was found and reported. One more time our dedicated Linux kernel team acted quickly and was able to apply the official vulnerability patch in less than 24 hours. All our shared and cloud servers are now protected and again we managed to do this with no reboots and downtime. Read below to find out more about the security problem and how we patched it.

What is the exact security problem?

The security hole allows attackers to gain root access to servers by taking advantage of a race condition in the “net/packet/af_packet.c” part of the kernel. If performed successfully an attack will provide the attacker with a root shell and full access to the server. For more technical information you may check this page. Also the official patch which we used to update our kernels is available here. Philip Pettersson, the engineer, who found the issue said that he will release a PoC but he will wait some more time for people to patch their systems.

How widespread is the issue?

The bug was introduced on Aug 19, 2011 which means that many of the major Linux distributions are affected. All of the kernels based on the official kernel code before the official patch are most probably vulnerable.

What is the standard-issue resolution?

The easiest way to protect your computers running Linux is to update your Linux distro to the latest version. Unfortunately, in this case, most distribution vendors have not released new official versions of their kernels yet. If you are not building your own kernel then you’ll have to wait for the official PoC to be released in order to test if your Linux machines are vulnerable. Also, keep an eye on the packages released by your vendors and update as soon as a new kernel is released.

What SiteGround did to resolve this issue?

As we mentioned in our previous blog post about the Dirty COW vulnerability we build our own custom kernel and we have more control over our kernel patching and distribution process. We do not use the kernels provided by the official vendors and that is why we managed to act so quickly and patch our servers.

We got the official patch and again we used the kpatch tool to build modules for our kernels and patch them without rebooting the machines. This way we prevented downtime which is mandatory if a server is rebooted in order to upgrade its kernel. Needless to say, we tested the patch on different servers and different configurations in order to make sure that our whole fleet will be protected and no side issues will occur.

Right now all shared and cloud SiteGround servers are patched. We are still checking our dedicated servers because some of them are not affected by this security problem at all. The dedicated servers will be also patched as soon as possible.