CloudLinux - CloudLinux Blog - KernelCare protection against Rowhammer privilege escalation


KernelCare protection against Rowhammer privilege escalation

The memory hardware issue "Rowhammer" was recently discovered to allow privilege escalation. The issue can be mitigated (at least in its current form) by preventing users from reading the /proc/$(pid)/pagemap, /proc/kpageflags and /proc/kpagecount files. Yet this protection is not available from RedHat, CentOS or Parallels, and it is not part of the CloudLinux OS kernel either. The reason is that this protection stops only the current implementation of the attack. Forcing customers to reboot to install a new kernel, only to release another new kernel a week later, is something most OS vendors don't want to do.

KernelCare, with its ability to patch the kernel on the fly, is perfectly suited to protect against such issues. We can update the kernel and fix security issues without the need for a reboot. This gives us a unique opportunity to patch and mitigate potential 'rowhammer' attacks within days, as they come.

Today we have released patches for RHEL, CentOS, CloudLinux 6 & PCS/VZ/OpenVZ that protect against the Rowhammer-related exploit. Debian, Ubuntu & RHEL/CentOS 7 patches will be released tomorrow.
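
To check whether a host already restricts the three files named above, the following added example (not CloudLinux or KernelCare code) can be run as an unprivileged user; it reports which of /proc/kpageflags, /proc/kpagecount and /proc/self/pagemap still expose page-frame information. The function names and the `proc` parameter are this example's own.

```python
import ctypes
import os
import struct

PAGE_SIZE = os.sysconf("SC_PAGE_SIZE")
PRESENT = 1 << 63          # pagemap bit 63: page is resident in RAM
PFN_MASK = (1 << 55) - 1   # pagemap bits 0-54: page frame number when resident


def leaks_pfn(entry):
    """True if a 64-bit pagemap entry discloses a physical frame number."""
    return bool(entry & PRESENT) and (entry & PFN_MASK) != 0


def readable(path):
    """True if the current user can open the file and read from it."""
    try:
        with open(path, "rb") as f:
            f.read(8)
        return True
    except OSError:
        return False


def own_pagemap_entry(pagemap_path):
    """Pagemap entry for a page this process has written to, or None if blocked."""
    buf = ctypes.create_string_buffer(PAGE_SIZE)
    buf[0] = b"x"  # touch the page so it is resident
    offset = (ctypes.addressof(buf) // PAGE_SIZE) * 8  # one 8-byte entry per page
    try:
        with open(pagemap_path, "rb", buffering=0) as f:
            f.seek(offset)
            raw = f.read(8)
    except OSError:
        return None  # open or read refused: the mitigation the post describes
    return struct.unpack("=Q", raw)[0] if raw and len(raw) == 8 else None


def audit(proc="/proc"):
    """Run as an unprivileged user; returns a list of exposures (empty = mitigated)."""
    findings = [f"{name} is readable" for name in ("kpageflags", "kpagecount")
                if readable(os.path.join(proc, name))]
    entry = own_pagemap_entry(os.path.join(proc, "self", "pagemap"))
    # Some kernels allow the read but zero the frame number; that is not a leak.
    if entry is not None and leaks_pfn(entry):
        findings.append(f"self/pagemap discloses PFN {entry & PFN_MASK:#x}")
    return findings


if __name__ == "__main__":
    for line in audit() or ["no page-frame information exposed to this user"]:
        print(line)
```

Run as root, the script reports every file as readable, so the result is only meaningful from an ordinary account.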



Tuesday, 14 July 2020
