Protecting Against CVE-2016-0728

Overview

A critical vulnerability in the Linux kernel was announced on Jan. 14, 2016, by security researchers at Perception Point. The vulnerability has existed since 2012, and is present in all devices running version 3.8 of the Linux kernel and higher.

Impact

The Linux kernel above version 3.8 is affected by CVE-2016-0728, including computers, servers, and mobile devices using the following operating systems:

Linux

• Red Hat Enterprise Linux 7
• CentOS Linux 7
• Scientific Linux 7
• Debian Linux stable 8.x (jessie), and testing 9.x (stretch)
• SUSE Linux Enterprise Desktop, Server and Workstation Extension 12 and 12 SP1
• Ubuntu Linux 14.04 LTS (Trusty Tahr), 15.04 (Vivid Vervet), and 15.10 (Wily Werewolf)
• Opensuse Linux LEAP 42.x and version 13.x
• Oracle Linux 7

Android

• Devices running an Android version below 4.4 (KitKat)

A patch for the Linux kernel is available now and may already have been applied to managed servers. Google, which still is investigating the vulnerability on Android devices and believes the scope may be overstated, has issued a patch to its partners.

Summary

On a server running a version of the Linux kernel above 3.8, a user with any level of access could exploit the vulnerability to execute code as root. The researchers noted that a malicious app on an Android device could do the same thing, although possibly with more difficulty.

The researchers found that a reference leak in the mechanism that encrypts and stores credentials and other security data for use by applications can be used in what’s referred to as a “use after free” exploit.

At this time, neither the researchers who discovered the vulnerability nor Red Hat have detected any sign of the vulnerability currently being exploited in the wild.

Is Your Server Affected?

If the Linux kernel on your server already has been patched due to proactive measures by your web host or a service such as KernelCare, the changelog will include reference to CVE-2016-0728.

Servers equipped with KernelCare

Many managed Liquid Web servers are equipped with KernelCare. To check whether the patch already has been applied, run this command:

kcarectl --patch-info | grep CVE-2016-0728

That should produce output similar to the following:

kcarectl --patch-info | grep CVE-2016-0728
kpatch-cve: CVE-2016-0728
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-0728

Servers without KernelCare

A server which does not have KernelCare installed will output “command not found” when running the “kcarectl” command above. If that is the case, then you will need to check the kernel changelog for a reference to the CVE to know whether it’s been patched. On a CentOS or Red Hat server that does not have KernelCare, you can check with the command:

rpm -qa --changelog kernel|grep CVE-2016-0728

Resolution

To apply the patch, you will need to update the kernel and reboot the server for the patch to be applied.

You can use the instructions in our Knowledge Base to update the kernel on CentOS and Red Hat servers, and you can follow these instructions to reboot your server following the update.

If you need any assistance or prefer to schedule the server’s reboot for a specific time, please do not hesitate to contact Heroic Support®.