Affected versions include all Linux 2.4 and2.6 versions since May 2001. This spans 2.4.4 up to and including 2.4.37.4 in the 2.4 kernel and every iteration of 2.6 from 2.6.0 up to and including 2.6.30.4.

What is this vulnerability all about? Functions in certain kernel routines are left uninitialized, so pointers aren’t validated before dereferencing. This allows local execution of code (sample POC available in both articles linked above) which compromises the machine. Compromise? Yes, pwnt.

These are known affected modules according to Redhat’s bugzilla:
ipx.ko
irda.ko
x25.ko
ax25.ko
bluetooth.ko
sctp.ko
pppoe.ko
pppox.ko
appletalk.ko

That thread offers mitigation possibilities (and some commenters — see #32 and #48 — explain why those steps won’t work). According to post #27 in that thread, the exploit is already being used (as of about a week ago as I write this) to attack machines: “They entered the system through a web application exploit and then used the exploit to gain a root shell.”

This gets to the bigger problems of security. If you think of Linux as only the kernel or even the kernel plus the utilities that make it a functioning operating system, you’re seeing only one layer of vulnerability. Add another layer of complexity with various software and you’re adding more complexity and, accordingly exponentially more layers of vulnerability. If someone can get in through one door, he can often find “keys” to open other doors. That in a nutshell is what happens in cases like #27 in the Redhat bugzilla thread.

Fedora, Debian, and Ubuntu have reportedly already patched for this kernel issue.

Install the CVS server:
sudo apt-get install cvsd

When prompted in the cvsd installation process for Repository, type in “/cvsrepo”.

Now that the cvsd installation in complete goto /var/lib/cvsd
or seeking for a change(or if there is a new version of cvs updated):

sudo cvsd-buildroot /var/lib/cvsd
If the folder cvsrepo does not exist, then create it ..
sudo mkdir cvsrepo
sudo chown -R cvsd:cvsd cvsrepo

and then initilize the repository
sudo cvs -d /var/lib/cvsd/cvsrepo init
create a user and password
sudo cvsd-passwd /var/lib/cvsd/cvsrepo +username
sudo vi //var/lib/cvsd/cvsrepo/CVSROOT/config
Change “SystemAuto=no”

Test

cvs -d :pserver:username@localhost:/cvsrepo login

cvs -d :pserver:username@localhost:/cvsrepo checkout .

Ipkungfu is available a the Ubuntu repositories. To install ubuntu,

# aptitude install ipkungfu

Ipkungfu should now be working.

After installing ipkungfu, type

# ipkungfu

to configure ipkungfu and answer “yes” if you are prompted.

At this point, if you connecting remotely via ssh, make sure you are not disconnected because by default, ipkungfu is blocking all incoming connections. If you are working directly at the terminal, then there’s no problem. Open the file /etc/ipkungfu/services.conf

and append ACCEPT beside the port that you want to open.

# Service Names and Protocols are lowercase, Targets are UPPERCASE.
#
# Example:
# ssh:22:tcp:ACCEPT
ftp-data:20:tcp
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
smtp:25:tcp
domain:53:tcp
bootps:63:tcp
http:80:tcp:ACCEPT
pop3:110:tcp
auth:113:tcp
ntp:123:tcp
imap:143:tcp
https:443:tcp
imaps:993:tcp
pop3s:995:tcp
socks:1080:tcp
# Add your services below. The rule is:
# ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|or any valid target)] # extra comments
#

The, save the file. In the example, I have allowed connection for ports 22 (SSH) and 80 (HTTP). Open the file

/etc/ipkungfu/ipkungfu.conf

and configure it based on your server’s setting and your preferred setting.

# =========================================================================
# $Id: ipkungfu.conf 57 2005-11-02 17:04:20Z s0undt3ch $
# =========================================================================
# Please read the README and FAQ for more information
# Some distros (most notably Redhat) don’t have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.

# Default is as shown in the example below.
#PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

# Set the path to ipkungfu’s runtime error log.
# Default: /var/log/ipkungfu.log
#IPKUNGFU_LOG=

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don’t specify.
EXT_NET=”eth0″
#EXT_NET=”eth1″
#EXT_NET=”ppp0″

# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put “lo”
# here. Default is auto-detected.
#INT_NET=”eth0″
#INT_NET=”eth1″
#INT_NET=”lo”

# IP Range of your internal network. Use “127.0.0.1″
# for a standalone machine. Default is a reasonable
# guess. Separate multiple ranges with spaces.
#LOCAL_NET=”192.168.0.0/255.255.0.0 10.0.0.0/255.0.0.0″

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
GATEWAY=0

# TCP ports you want to allow for incoming traffic
# Don’t add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. You can add port ranges
# delimited by hyphens, such as “20-22″. Default
# is none.
#ALLOWED_TCP_IN=”22 80″

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN
#ALLOWED_UDP_IN=”"

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
# Hits to these ports will be logged as “BADGUY” hits
# regardless of log.conf settings.
FORBIDDEN_PORTS=”135 137 139″

# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.
BLOCK_PINGS=0

# Possible values here are “DROP”, “REJECT”, or “MIRROR”
#
# “DROP” means your computer will not respond at all. “Stealth mode”
#
# “REJECT” means your computer will respond with a
# message that the packet was rejected.
#
# “MIRROR”, if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you fully
# understand the consequences.
#
# The safest option, and the default in each case,, is “DROP”. Don’t change
# unless you fully understand this.
# What to do with ‘probably malicious’ packets
#SUSPECT=”REJECT”
SUSPECT=”DROP”

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS
#KNOWN_BAD=”REJECT”
KNOWN_BAD=”DROP”

# What to do with port scans
#PORT_SCAN=”REJECT”
PORT_SCAN=”DROP”

# How should ipkungfu determine your IP address? The default
# answer, “NONE”, will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn’t known at bootup. “AUTO” will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# “NONE”.
#GET_IP=”NONE”
#GET_IP=”AUTO”
GET_IP=”202.92.148.101″

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# ‘reject-with-tcp-reset’ option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you’re running an identd, and you’ve allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.
#DONT_DROP_IDENTD=0
# Set this to 0 if you’re running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.
#DISALLOW_PRIVATE=1

# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that. Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.
#WAIT_SECONDS=5

# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure. This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails. A warning to
# this effect will be echoed so that the situation can be
# rectified quickly. This is the same as running
# ipkungfu with –failsafe. Default is 0.
#FAILSAFE=0

# Configurable list of kernel modules to load at runtime.
# If no list is provided, the default and needed ones,
# ip_nat_irc, ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc,
# will still be loaded.
#MODULES_LIST=”"

The

EXT_NET=”eth0″

is you the active network interface.

GATEWAY=0

because I’m configuring a standalone server. I have also set the forbidden ports

FORBIDDEN_PORTS=”135 137 139″

I don’t block pings

BLOCK_PINGS=0

because the ping tool is an effective use to test for the connectivity of the server.
For suspected, bad ports and port scan, I drop the packets.

SUSPECT=”DROP”
KNOWN_BAD=”DROP”
PORT_SCAN=”DROP”

If you have a static IP address, set GET_IP to your IP address.

GET_IP=”202.92.148.101″

The save the file. Restart by ipkungfu

/etc/init.d/ipkungfu restart

apt-get install nmap

Find: root ALL= (ALL) ALL

Replace with: root ALL=(ALL) NOPASSWD: ALL

Save that file.

To manually change or set a password for the root user, navigate to the shell command prompt:

1. Click Applicatons -> Accessories. Click Terminal.
2. A new window appears with a prompt. Key in “sudo passwd“.
3. System will prompt you to enter the new root password twice. Now, you are done with your new root password.