CloudLinux - CloudLinux Blog - KernelCare protection against Rowhammer privilege escalation

KernelCare protection against Rowhammer privilege escalation


The memory hardware issue "Rowhammer" was recently discovered to allow privilege escalation. The issue can be mitigated (at least in its current form) by preventing users from reading the /proc/$(pid)/pagemap, /proc/kpageflags and /proc/kpagecount files. Yet this protection is not available from RedHat, CentOS or Parallels, and it is not part of the CloudLinux OS kernel either. The reason is that this protection prevents only the current implementation of the attack. Forcing customers to reboot to install a new kernel, only to release another new kernel a week later, is something most OS vendors don't want to do.

KernelCare, with its ability to patch the kernel on the fly, is perfectly suited to protect against such issues. We can update the kernel and fix security issues without the need for a reboot. This gives us a unique opportunity to patch and mitigate potential 'rowhammer' attacks within days, as they come.

Today we have released patches for RHEL, CentOS, CloudLinux 6 and PCS/VZ/OpenVZ that protect against the Rowhammer-related exploit. Debian, Ubuntu and RHEL/CentOS 7 patches will be released tomorrow.
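
A way to verify the mitigation described above, as an added example that is not from the original post or from KernelCare: run as an unprivileged user, it reports whether the three /proc files still return page-frame data to that user. The function names and status labels are assumptions of this example, as is treating either a refused open or a zeroed frame number as "mitigated", since the post does not say how the patch enforces the restriction.

```python
import ctypes
import mmap
import struct

PRESENT = 1 << 63          # bit 63: page is resident in RAM
PFN_MASK = (1 << 55) - 1   # bits 0-54: page frame number when present

def classify_entry(raw):
    """Classify one 8-byte pagemap entry as seen by the calling user."""
    if len(raw) != 8:
        return "blocked"              # short read: no entry was returned
    (entry,) = struct.unpack("=Q", raw)
    if not entry & PRESENT:
        return "not-present"          # inconclusive, page was not resident
    return "exposed" if entry & PFN_MASK else "hidden"

def check_pagemap(path="/proc/self/pagemap"):
    """Touch a page of our own memory, then read its pagemap entry."""
    page = mmap.PAGESIZE
    buf = ctypes.create_string_buffer(2 * page)
    base = ctypes.addressof(buf)
    vaddr = (base + page - 1) & ~(page - 1)   # first page-aligned address
    buf[vaddr - base] = b"\x01"               # write so the page is faulted in
    try:
        with open(path, "rb", buffering=0) as f:
            f.seek((vaddr // page) * 8)       # one 8-byte entry per page
            return classify_entry(f.read(8))
    except FileNotFoundError:
        return "unavailable"
    except OSError:
        return "blocked"                      # open or read was refused

def check_readable(path):
    """Report whether the calling user can read a global /proc page file."""
    try:
        with open(path, "rb", buffering=0) as f:
            return "exposed" if f.read(8) else "blocked"
    except FileNotFoundError:
        return "unavailable"
    except OSError:
        return "blocked"

def audit():
    """Run as the unprivileged account you want to test (assumption)."""
    return {
        "/proc/self/pagemap": check_pagemap(),
        "/proc/kpageflags": check_readable("/proc/kpageflags"),
        "/proc/kpagecount": check_readable("/proc/kpagecount"),
    }

if __name__ == "__main__":
    for path, status in audit().items():
        print(f"{path}: {status}")
```

A result of "exposed" for any of the three files means that account can still obtain the data the mitigation is meant to withhold; "not-present" is inconclusive and the check should be rerun.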
