HostDime Notice of CentOS 6 Vulnerability

It has come to our attention that there is a Linux local root exploit making the rounds. This exploit uses a previously unannounced vulnerability in the kernel's performance counter subsystem to escalate privileges to root. Because this subsystem is a relatively recent addition to the kernel, only CentOS 6 should be impacted by this vulnerability.

Due to the nature of the disclosure, Red Hat has not had sufficient time to release a patched kernel. Once that is done and CentOS picks up the new kernel from upstream, we will be able to upgrade your kernel and fix the vulnerability. In the meantime we are pushing a change to the kernel parameters which will help prevent the exploit from succeeding in its original form. This in NO WAY fixes the vulnerability, and your kernel will still need to be updated as soon as possible. Again, this change is not a fix and your kernel is STILL vulnerable until Red Hat/CentOS release a patched kernel. In the meantime, we also recommend the following practices to help reduce the likelihood of a successful exploit:

1) Ensure nobody has shell access to your server unless absolutely necessary, and even then it should only ever be a jailed shell. A jailed shell provides no extra protection against this particular exploit, but it does in other circumstances.
2) Ensure all web applications hosted on the server are up to date.
3) On WHM servers you should disable access to compilers through ‘Main >> Security Center >> Compiler Access’. The end goal is to prevent non-privileged users from accessing the system compiler. So on any non-cPanel systems, simply removing all ‘other’ permissions from all compilation tools will also suffice.

For clients running cPanel version 11.34 and lower, you will follow the steps in the email exactly and turn “Compilers Tweak” on. This will stop access to the C compiler for unprivileged users, thus ensuring the exploit cannot be used.

For clients running cPanel version 11.36 or higher, the “Compilers Tweak” utility has been replaced by the new “Compiler Access” utility. This new tool allows you to grant compiler access to unprivileged users if you desire. To avoid issues with this vulnerability, you want to ensure that “Compiler Access” is disabled.
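For non-cPanel systems, the following script is an added example (not HostDime's or cPanel's own tooling) of the ‘other’-permission removal described in step 3 above: it reports which compilation tools are still world-accessible and, only when told to, strips the ‘other’ bits and re-checks. The compiler paths in COMPILER_LIST are an assumption about a standard CentOS 6 layout; adjust them to match your server.

```shell
#!/bin/sh
# Added example: restrict compiler binaries to root and their group so
# unprivileged users cannot run them. This is a stop-gap only; the kernel
# still has to be updated once a patched one is released.
#
# Usage: sh compiler_access.sh --check   (report only)
#        sh compiler_access.sh --apply   (remove 'other' bits, then re-check)
# Must be run as root to change permissions.

# Assumed locations of the usual compilation tools on CentOS 6.
COMPILER_LIST="/usr/bin/gcc /usr/bin/cc /usr/bin/c++ /usr/bin/g++ /usr/bin/as /usr/bin/ld"

# restrict_compilers FILE... : remove read/write/execute for 'other' on each
# file that exists. Files that are missing are skipped silently.
restrict_compilers() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        chmod o-rwx "$f"
    done
}

# check_compilers FILE... : print every existing file whose 'other' permission
# digit is non-zero. Returns 0 when all files are locked down, 1 otherwise.
check_compilers() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")            # e.g. 755 or 4755 (setuid)
        other=$(printf '%s' "$mode" | tail -c 1)
        if [ "$other" != "0" ]; then
            echo "world-accessible: $f (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --check) check_compilers $COMPILER_LIST ;;
    --apply) restrict_compilers $COMPILER_LIST && check_compilers $COMPILER_LIST ;;
esac
```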

Once a new kernel is released, we will notify impacted clients about updating the kernel. As always, if there are any questions, please do not hesitate to open a ticket with our support department and they will be more than happy to assist you further.