(Ping! Zine) – Ksplice Inc. this weekend released a free tool to detect whether a Linux server has been compromised by this week’s high-profile security exploit in the Linux kernel. A recently discovered vulnerability, CVE-2010-3081, grants an attacker administrative, or “root”, access to 64-bit Linux systems. In addition to the detection tool, Ksplice has released a rebootless update that corrects the vulnerability immediately, without rebooting.
After an anonymous programmer published software to exploit the vulnerability last week, several major Linux installations have reported that attackers have attempted to use the exploit to gain superuser privileges. Linux vendors are in the process of preparing operating system updates to correct the vulnerability. In advance of such a release, Ksplice has released a security update that corrects the vulnerability in Red Hat Enterprise Linux, Ubuntu, Debian GNU/Linux, CloudLinux, CentOS, Parallels Virtuozzo Containers, and OpenVZ.
The rebootless update is the fastest way to close the CVE-2010-3081 vulnerability, as it requires no downtime or disruption. On some Linux distributions — including Red Hat Enterprise Linux and CentOS — the Ksplice update has been released before a traditional patch has been made available by the operating system vendor. The Ksplice update is based on the same patch released by other major vendors. Ksplice recommends that organizations not rely on the temporary workaround provided for Red Hat Enterprise Linux and other products last week, which does not close the vulnerability against modified versions of the published exploit.
The Ksplice vulnerability checker will report whether a system has already been compromised. Ksplice recommends that companies that have been compromised follow their existing best-practice procedures for cleaning their systems.
Ksplice Uptrack is available in a 30-day free trial at http://www.ksplice.com. After the trial, the subscription fee starts at $3.95 per system per month. The Ksplice vulnerability checker is available at https://www.ksplice.com/uptrack/cve-2010-3081.