Monday, February 8, 2016

How to Patch and Protect Linux Kernel Zero Day Vulnerability CVE-2016-0728

Type the commands for your Linux distribution. A kernel update always requires a reboot. Before you apply the patch, note your current kernel version:
$ uname -a
$ uname -mrs

RHEL / CentOS Linux:

On a server with a Red Hat subscription or access to a CentOS mirror, run "yum update" and reboot. The steps below, taken from the unixarena article linked at the end, are for an isolated server that is patched from a local repository built from the installation DVD.

  1. Download the RHEL 7.x Server Binary DVD ISO from the Red Hat portal and copy it to the system you want to patch.
  2. Note the current release and kernel version:
       # cat /etc/redhat-release
       # uname -mrs
  3. Mount the ISO:
       # mkdir /repo
       # mount -o loop rhel-server-7.2-x86_64-dvd.iso /repo
       # ls -lrt /repo
  4. Create a repo file in /etc/yum.repos.d/ that points at the mounted DVD:
       # cat /etc/yum.repos.d/ua.repo
       [repo]
       gpgcheck=0
       enabled=1
       baseurl=file:///repo
       name=repo-update
  5. List the new repo, then clear yum's cache, dbcache, expire-cache, headers and metadata:
       # yum repolist
       # yum clean all
  6. Update the system:
       # yum update
  7. Reboot ("init 6" or "reboot").
  8. Log in again and check the kernel version:
       # uname -mrs

Two caveats. First, gpgcheck=0 turns off signature checking for every package installed from this repo; the Red Hat DVD carries the release key at its root, so prefer gpgcheck=1 with gpgkey=file:///repo/RPM-GPG-KEY-redhat-release. Second, a GA DVD only contains the kernel that shipped with that release (3.10.0-327.el7 for 7.2), while the CVE-2016-0728 fix is in the erratum kernel 3.10.0-327.4.5.el7 listed under Verification. Build the local repository from media or a mirror that includes that erratum, otherwise the version check after the reboot will still show a vulnerable kernel.

Verification

Make sure the version number actually changed:
$ uname -a
$ uname -r
$ uname -mrs
The kernel a system is running can be confirmed with the uname command. The first fixed kernel versions are:
  • Ubuntu Linux 14.04 LTS : 3.13.0-76 (package version 3.13.0-76.120)
  • Debian Linux 8.x : 3.16.0-4 (package version 3.16.7-ckt20-1+deb8u3)
  • SUSE Linux Enterprise Server 12 SP1 : 3.12.51-60.25.1
  • RHEL 7 : 3.10.0-327.4.5.el7.x86_64
  • CentOS 7 : Same as RHEL 7.
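The offline RHEL/CentOS procedure above and the version check in this section, written out as one script. This is an added example, not code from the original post or from the unixarena article it draws on. The ISO path, mount point and repo file name are assumptions carried over from the steps above; the location of RPM-GPG-KEY-redhat-release at the DVD root is assumed (Red Hat media; CentOS media carry a CentOS key instead); the distribution-to-version table is the one listed above. Unlike the article's repo file, the script keeps GPG checking on, and it compares kernel versions field by field instead of with sort -V.

```shell
#!/bin/sh
# Added example (not from the original post or the unixarena article).
# Part 1: offline RHEL 7 / CentOS 7 repo-and-update procedure with GPG checking on.
# Part 2: check a uname -r value against the fixed kernels listed on this page.
# Assumed: ISO path, mount point, repo file name, and that the DVD root holds
# RPM-GPG-KEY-redhat-release (true for Red Hat media).

ISO="${ISO:-/root/rhel-server-7.2-x86_64-dvd.iso}"   # assumed location of the copied ISO
REPO_DIR="${REPO_DIR:-/repo}"                        # mount point used in the article
REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/ua.repo}"   # repo file name used in the article

# Write the yum repo definition ($1 = file, $2 = mount point). Unlike the
# article's version it keeps signature checking on, using the key on the DVD.
write_repo_file() {
    cat > "$1" <<EOF
[repo]
name=repo-update
baseurl=file://$2
enabled=1
gpgcheck=1
gpgkey=file://$2/RPM-GPG-KEY-redhat-release
EOF
}

# Mount the ISO, register the repo, update and reboot. Needs root; not run by
# default. A GA 7.2 DVD only carries 3.10.0-327.el7, so the media behind $ISO
# must include the erratum kernel or the check after reboot will still fail.
apply_offline_update() {
    mkdir -p "$REPO_DIR"
    mount -o loop "$ISO" "$REPO_DIR"
    write_repo_file "$REPO_FILE" "$REPO_DIR"
    yum clean all
    yum repolist
    yum update
    reboot
}

# Reduce a uname -r string to its numeric core, dropping flavour/dist/arch tags:
#   3.10.0-327.4.5.el7.x86_64 -> 3.10.0.327.4.5    3.13.0-76-generic -> 3.13.0.76
kver_numeric() {
    printf '%s\n' "$1" | sed -E 's/[^0-9.-].*$//; s/[.-]+$//; s/-/./g'
}

# Exit 0 when running kernel $1 is at or above fixed kernel $2, compared field by
# field; missing trailing fields count as 0, so 3.10.0-327.el7 ranks below
# 3.10.0-327.4.5.el7 (GNU sort -V sorts letters above digits and gets this wrong).
kernel_is_fixed() {
    awk -v a="$(kver_numeric "$1")" -v b="$(kver_numeric "$2")" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x != y) exit (x > y ? 0 : 1)
        }
        exit 0
    }'
}

# First fixed kernel per distribution, from the list on this page
# ($1 = os-release ID, $2 = VERSION_ID). Prints nothing for other releases.
fixed_kernel_for() {
    case "$1:$2" in
        rhel:7*|centos:7*) echo "3.10.0-327.4.5.el7" ;;
        ubuntu:14.04)      echo "3.13.0-76" ;;
        sles:12.1)         echo "3.12.51-60.25.1" ;;
        debian:8)          echo "DPKG" ;;  # uname -r stays 3.16.0-4-amd64; see report
    esac
}

# Print a verdict for the running kernel (or $1). Always returns 0; script
# against kernel_is_fixed when you need a hard pass/fail.
report_running_kernel() {
    running="${1:-$(uname -r)}"
    id=""; ver=""
    if [ -r /etc/os-release ]; then
        id=$(. /etc/os-release && echo "$ID")
        ver=$(. /etc/os-release && echo "$VERSION_ID")
    fi
    fixed=$(fixed_kernel_for "$id" "$ver")
    case "$fixed" in
        "")   echo "UNKNOWN: $id $ver is not in the table; compare $running by hand" ;;
        DPKG) echo "CHECK PACKAGE: Debian 8 keeps $running across security updates; run"
              echo "  dpkg -l linux-image-$running  (fixed: 3.16.7-ckt20-1+deb8u3 or later)" ;;
        *)    if kernel_is_fixed "$running" "$fixed"; then
                  echo "FIXED: $running is at or above $fixed"
              else
                  echo "VULNERABLE: $running is below $fixed; update and reboot"
              fi ;;
    esac
    return 0
}

report_running_kernel
```

Run the script as-is on any host to get a verdict; call apply_offline_update by hand, as root, on the isolated RHEL/CentOS box. Two points the version table alone does not show. On Debian 8 the kernel ABI name in uname -r (3.16.0-4-amd64) does not change with security updates, so only the package version from dpkg -l tells you whether the fix is installed. On RHEL/CentOS a version comparison with GNU sort -V is unreliable for RPM release strings, because it ranks 3.10.0-327.el7 above 3.10.0-327.4.5.el7; the numeric comparison above avoids that, and rpm -q --changelog kernel-$(uname -r) | grep CVE-2016-0728 is an independent confirmation that the installed kernel carries the fix.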

Trying out exploit code

You can build and run the proof-of-concept to find out whether your kernel is still vulnerable. Use wget to grab the source file, cve_2016_0728.c:
Compile it as follows. You need gcc and the keyutils development headers: "yum install gcc keyutils-libs-devel" on RHEL/CentOS, "apt-get install build-essential libkeyutils-dev" on Debian/Ubuntu. The plain keyutils package only provides the keyctl binary, not the headers that -lkeyutils needs.
$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
Run it as an ordinary, unprivileged user:
$ ./cve_2016_0728 PP_KEY

The full exploit takes about 30 minutes to run on an Intel Core i7-5500 CPU. On a vulnerable kernel it finishes by spawning a root shell, so whoami in that shell prints root. On a patched kernel the exploit fails and whoami still prints your own unprivileged user name. Run it only on a test machine you can afford to lose: the bug is a reference-count overflow that leads to a use-after-free, and a failed attempt can crash the kernel.
Source for the offline RHEL 7 update procedure: http://www.unixarena.com/2015/12/how-to-patch-update-rhel-7-without-internet-connection.html
