25 Oct 2014

Planet Grep

Mark Van den Borre: Geert Noels on the banking lobby

Shortly after the crisis you sat on the Lamfalussy committee, which was to draw up a blueprint for reforming the financial sector in Belgium. The end result was remarkably friendly. Did you experience those forces yourself?
Noels: 'Look, that committee did six months of serious work. But the proposals to tackle 'too big to fail' and systemic risks did not make it into the final version of our report. Nor did my proposal to develop a systemic scale for banks. The plan was: the more points a bank scores on that scale, the higher the risk to the health of the financial system. On that basis you could have informed or warned savers when the above-average interest on their savings account also concealed above-average risk. An example: before the crisis KBC would have risen on that scale year after year, and fallen year after year afterwards. It would also have made it possible to tax banks in a fair way. My proposal was not followed and today small banks pay proportionally more bank tax than large ones. No, I did not protest loudly against that. Our lawyer says I had better not come back to that, but draw your own conclusions about what happened.'

original article

25 Oct 2014 11:38am GMT

24 Oct 2014


Wouter Verhelst: Not using adirent

About a month ago, I received an upstream bug report that the nbd-server wouldn't build on Solaris and its derivatives. This was because nbd-server uses the d_type field of struct dirent, which is widely implemented (in Linux and FreeBSD, at least), but not part of POSIX and therefore not implemented on Solaris (which tends to be more conservative about implementing new features).

The bug reporter pointed towards a blog post by a Solaris user who had written something he calls "adirent", meant to work around the issue by implementing something that would wrap readdir() so that it would inject a stat() call when needed. While that approach works, it seems a bit strange to add a function which wraps readdir to become portable. After all, readdir() does not always return the file type in d_type, not even on systems that do implement it. One example in which this is true is XFS; if one runs readdir() on a directory on an XFS filesystem, then everything will have DT_UNKNOWN as its filetype, indicating that you need to run stat() after all.

As such, I think a better approach is to use that fact so that things will just work on systems where d_type isn't available. The GNU autotools even have a test for it (AC_STRUCT_DIRENT_D_TYPE), which makes things easier. In the case of NBD, I've added that to configure.ac, and then added a touch of preprocessor magic to reuse the infrastructure for dealing with DT_UNKNOWN which is already there:

#ifdef HAVE_STRUCT_DIRENT_D_TYPE
#define NBD_D_TYPE de->d_type
#else
/* no d_type at all: report every entry as unknown so the stat() path is taken */
#define NBD_D_TYPE 0
#define DT_UNKNOWN 0
#define DT_REG 1
#endif

(...opendir(), readdir(), ...)

switch(NBD_D_TYPE) {
    case DT_UNKNOWN:

(...call stat(), figure out if it is a file...)

    case DT_REG:

(...we know it is a file...)

    default:

(...we know it is not a file...)

This seems cleaner to me than using a wrapper, and has the additional advantage that the DT_UNKNOWN code path could receive some more testing.
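The approach above worked into a complete program, as an added example (not nbd-server's own code): d_type is used when the C library provides it, and the DT_UNKNOWN branch falls back to lstat(), which matches d_type's view of symlinks. The platform guess standing in for configure's HAVE_STRUCT_DIRENT_D_TYPE, the force_stat switch and the self-test tree under /tmp are assumptions of this example.

```c
/* Added example, not nbd-server's own code: classify directory entries with
 * d_type where the C library has it and fall back to lstat() otherwise, or
 * when readdir() answers DT_UNKNOWN (as XFS does). HAVE_STRUCT_DIRENT_D_TYPE
 * is what AC_STRUCT_DIRENT_D_TYPE would define; here it is guessed from the
 * platform. The self-test builds a constructed tree under /tmp. */
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#if defined(__linux__) || defined(__FreeBSD__) || defined(__APPLE__)
#define HAVE_STRUCT_DIRENT_D_TYPE 1
#endif

#ifdef HAVE_STRUCT_DIRENT_D_TYPE
#define NBD_D_TYPE(de) ((de)->d_type)
#else
/* No d_type member (e.g. Solaris): report every entry as unknown so the
 * lstat() branch is always taken. The values only need to differ. */
#define NBD_D_TYPE(de) 0
#define DT_UNKNOWN 0
#define DT_REG 1
#endif

/* 1 if the entry is a regular file, else 0. force_stat ignores d_type so the
 * DT_UNKNOWN path can be exercised on filesystems that do fill d_type in. */
static int is_regular_entry(const char *dir, const struct dirent *de, int force_stat) {
    switch (force_stat ? DT_UNKNOWN : NBD_D_TYPE(de)) {
    case DT_UNKNOWN: {
        /* lstat, not stat: d_type describes the entry itself, so a symlink is
         * DT_LNK there and must stay "not a file" on this path too. */
        char path[PATH_MAX];
        struct stat st;
        if (snprintf(path, sizeof path, "%s/%s", dir, de->d_name) >= (int)sizeof path)
            return 0;
        return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
    }
    case DT_REG:
        return 1;
    default:
        return 0;  /* directory, symlink, device, ... */
    }
}

/* Count regular files directly inside dir; -1 if it cannot be opened. */
int count_regular_files(const char *dir, int force_stat) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) continue;
        n += is_regular_entry(dir, de, force_stat);
    }
    closedir(d);
    return n;
}

static int touch(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    return close(fd);
}

/* Self-test on a constructed tree: two regular files, one subdirectory and one
 * symlink to a file. Returns the count when both code paths agree (expected 2),
 * -1 on setup failure, -2 if the d_type and lstat() paths disagree. */
int selftest(void) {
    char dir[] = "/tmp/dtype-XXXXXX";
    char a[PATH_MAX], b[PATH_MAX], sub[PATH_MAX], lnk[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/a.txt", dir);
    snprintf(b, sizeof b, "%s/b.txt", dir);
    snprintf(sub, sizeof sub, "%s/subdir", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int ok = touch(a) == 0 && touch(b) == 0 && mkdir(sub, 0700) == 0 &&
             symlink("a.txt", lnk) == 0;
    int via_dtype = ok ? count_regular_files(dir, 0) : -1;
    int via_stat = ok ? count_regular_files(dir, 1) : -1;
    unlink(lnk); rmdir(sub); unlink(b); unlink(a); rmdir(dir);
    if (!ok) return -1;
    return via_dtype == via_stat ? via_dtype : -2;
}

int main(void) {
    printf("regular files found: %d\n", selftest());
    return 0;
}
```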

24 Oct 2014 1:33pm GMT

Frank Goossens: Music from Our Tube; Wilco’s Impossible Germany

Nothing new, no ground-breaking beats nor exhilarating live jazz performances today, but "just" what I feel is an epic rock song ("Impossible Germany") written by a great rock band (Wilco).

Watch this video on YouTube or on Easy Youtube.

Enjoy your weekend!

24 Oct 2014 12:25pm GMT

23 Oct 2014


Xavier Mertens: Hack.lu 2014 Wrap-Up Day #3

The Internet is broken

The third day is over! After the speaker dinner in a cool place and a very short night, I attended more talks today (no workshops). Let's go for the daily quick wrap-up…

The first talk was "Internet scanning - conducting research on 0/0", presented by Mark Schloesser from Rapid7, who is also a developer of the Cuckoo sandbox. The topic focused on the IPv4 address space of course; IPv6 could be nice for another talk but has many challenges.

Mark's vision of the Internet


Mark's topic was not only the scanning part but also wide data-gathering. Example: when port 80 is publicly available, the website behind it is crawled. People think that scanning the Internet takes time… months? In reality, there are quite performant tools today, like masscan or zmap, that are able to scan the complete Internet address space in less than one hour. Of course, this is theoretical because packets are processed by many routers, which can affect the overall performance of the scan. Scanning the Internet is not a new topic and other projects have existed for a while, like Shodan, the Shadowserver Foundation or ErrataSec. Of course, Mark said that scanning the Internet is only performed for research purposes (in his case of course). He reviewed some interesting findings:

Mark presented a Rapid7 project called "Sonar" which helps to scan the Internet for specific ports/protocols. Here are some results:

Some recent findings?

To conclude, Mark said that, in such projects, collaboration is key! It is important to make data available to the infosec community. To achieve this, a website exists: scans.io. It was a great talk to start the day!

The next talk was presented by Saumil Shah. Do we have to introduce him? Saumil is a very cool guy who always comes with new crazy ideas and who explains them with simple words and modesty. This time, he came with a talk called "Hacking with pictures".

Saumil on stage


Saumil has been delivering exploits for some years. When you write exploits, the first goal is to work below the radar with techniques like:

In 2011, he came with a cool attack called "255 shades of grey" and today it was a new one called "IMAJS", which consists of an image with embedded JavaScript. The concept: the same file can be used twice:

<img src="image.gif">
<script src="image.gif"></script>

The evil trick is to use comments to hide the image data:

GIF89A/*xxxxxx*/=0;xxxxxx

The JPEG format is even more powerful thanks to the EXIF data! But the problem is that some characters must be avoided. Another demo was an exploit using a heap spray attack to pop up, guess what, a calc.exe! This technique was called "Stegosploit" by Saumil and is based on the vulnerability labelled MS14-035 by Microsoft. The next idea was to have an attack based on some kind of "time machine". The image is downloaded by the victim at a certain time but the exploitation occurs later. This could have a huge impact in incident response! Conclusions of this talk:

It was really a good presentation, my favourite of today!

After a short break, Paul Rascagnères and Eric Leblond presented "D&D of malware with exotic C&C". This was a good team: Paul is a respected malware researcher and Eric is a core developer of Suricata, the open source IDS.

Paul & Eric on stage


Paul described different cases that he faced while doing malware analysis. How do malware samples communicate with their C&C servers? Then, Eric explained how to configure Suricata properly to catch the communications (while keeping the performance acceptable).

Conclusion of this talk: even if we have nice tools like dynamic sandbox analysis systems, it's still very useful to reverse the malware code to understand how they communicate and write powerful rules! Funny presentation made by two crazy guys!

Then, two presentations were scheduled but I did not follow them: Dominique Bongard spoke about WPS or "WiFi Protected Setup". After a good description of the WPS working principles (You know the button you have on your router or the sticker on the bottom), Dominique explained the weaknesses of this system.

Warning Sign


The next one was not a technical talk but a review of the cyberwar between Russia and Ukraine. Glib Pakharenko explained what happened before and during the war between the two countries. The cyber attacks started before the revolution and they are not only hacking or DDoS. It can also be:

A good example was the one of Russia, which hacked smart TVs in Ukraine and forced them to show terrorist channels!

The next talk was a presentation of mitmproxy by Maximilian Hils. This proxy plays man-in-the-middle and intercepts HTTPS requests. This tool is free and basically allows you to inspect encrypted traffic between the browser and the server, but not only! It can also:

The tool is console-based and really deserves to be part of your regular toolbox!

mitmproxy demo


And we continued with another talk. This one was called "How I hacked my city" by Amihai Neiderman. This was a walkthrough talk: Amihai told us a story. It began when he discovered a strange SSID "FREE_TLV" broadcast on the street. Curious, like many of us, he tried to connect to it and found more and more information.

Amihai on stage


He explained step by step, like a novel, how he successfully compromised the devices behind the wireless network: starting from trying standard passwords and SQL injections, to downloading the firmware (after being able to identify the vendor's product) and how he successfully exploited the firmware.

The next talk focused on exploiting VirtualBox via the 3D acceleration feature. This was called "Breaking out VirtualBox through 3D acceleration" by Francisco Falcon. When I read the abstract of this talk, my first reaction was: "But, how many people use this feature with VirtualBox? Who's running games on VirtualBox?". Anyway, Francisco found a great way to abuse this feature! Note that the VirtualBox developers already warn users in the documentation: "This code may contain bugs".

Francisco on stage


Before explaining how to exploit the feature, he explained how it works. VirtualBox 3D acceleration is based on Chromium, a library that allows remote rendering of graphics (nothing related to the browser). The flow of data is the following:

host hardware -> host OS 
                 -> VirtualBox hypervisor (chromium server) 
                    -> Guest OS (vboxguest.sys) 
                       -> OpenGL client

The second part of the talk was dedicated to the detailed explanation of how to exploit this architecture.

My last talk was the one of Garcia Sebastian, who presented a nice way to detect botnet activity via the network traffic ("Botnets Behavioral Patterns in the Network").

Sebastian on stage


The idea behind this talk was based on the following question: how do we detect malware? We can analyze binary files (the malware itself) or the generated traffic (to exfiltrate data, to communicate with the C&C). The file analysis can be static or dynamic but remains complex. And it's the same for the network traffic. What are the performed actions and how do they change? An interesting statistic is how we analyse the network traffic:

The next question is: Is it working?

What's not working?

Sebastian's idea was to focus on single connections (which relate to a specific action like a DNS resolution, an access to Google, a spam sent). He needed aggregation and created a 4-tuple based on: the source IP, the destination IP, the destination port and the protocol. Then he explained how the model was created by analysing the behavior of each 4-tuple, extracting 3 features of each flow:

Based on the sizes of the flow, Sebastian explained how to assign a specific character to it (36 possible states). Based on this model, he was able to build a botnet detection model based on Markov chains. A nice research and a nice talk!

I did not attend the last talk. The day finished with the celebration of the CTF winners. The regular conference is now over. Tomorrow, no more regular talks, just a few workshops are still scheduled. Good edition of hack.lu, which remains a conference with a specific atmosphere. See you next year for the 11th edition!

Note: the slides are available here.

23 Oct 2014 9:37pm GMT

22 Oct 2014


Xavier Mertens: Hack.lu 2014 Wrap-Up Day #2

Security Flaws

The second day is over! I'm just back from a great speaker dinner in Esch s/Alzette. It's time to write a quick wrap-up. There were again some Cisco forensics workshops on the schedule, that's why I was not able to attend all of today's talks.

The second day opened with Marion Marshalek's keynote called "TS/NOFORM". This title is derived from the document classification used by the United States. Marion started with a nice introduction based on Star Wars characters to finish with a fact: today, it's not Star Wars anymore but Cyberwars! Cyber means a lot of threats, for example the control of media, intellectual property being stolen, nation states spying (and being hacked), the loss of corporate data. Then she explained in detail how some malware were tracked. Interesting fact: it's quite easy to detect the location/nationality of the malware developers by analysing the vocabulary and texts used in the code.

The first regular talk was presented by Claudio Guarnieri. He is a well-known security researcher, mainly known thanks to the Cuckoo project (he's the leader of this project). His presentation was called "Embrace the Viper and live happy". Claudio presented his new baby called "Viper".

Claudio on stage


The idea of the tool came from the mess that we are all facing around our files (samples) and tools. What about exploits? They are written using multiple tools and languages and it became unmanageable to keep them properly stored. That's why HD Moore created the Metasploit framework a few years ago. And what about malware analysis? According to Claudio, it is exactly the same: we have multiple tools, producing multiple outputs in many formats. They are hard to integrate! "It sucks". Claudio started a project called VxCage to make filesystems cleaner but it was never finished. Today, Viper is born. It's a framework to store and manage samples. It provides an analysis module to inspect your samples and provides an easy way to create new modules. The project is written in Python. Right now, it is just a shell but other user interfaces could be possible. There is also a REST API. The structure is based on:

Some examples of existing modules are: Radare2, searching for known shellcode patterns, analysis of PDF or Office documents, etc… The product is not perfect but works quite well. Claudio did lots of nice demos. It seems very easy to use, with simple and powerful commands. Claudio said that some modules are incomplete and it lacks scripting and automation. The product must still be improved but looks great. It is a community project and Claudio is looking for developers/contributors. Viper is available here.

The next talk focused on TR-069, a technical specification called CWMP ("CPE WAN Management Protocol"). It was presented by Shahar Tal. It defines a protocol used for remote management of end-user devices (the Internet box that all of us have at home) and is based on SOAP/HTTP. Communications are performed between the user's devices and a central server called ACS ("Auto Configuration Server").

Shahar on stage


Basically, with TR-069, you allow "somebody" to access your device. The question which immediately comes to mind is: who do you trust to run code on your device at any time without approval? Shahar's idea was to focus on the ACS instead of the router (which has already been targeted too much!). What if an ACS is compromised? The attacker could:

The first step is to find an ACS! How to achieve this? By compromising a router and checking the traffic or activity, by sniffing your own traffic, or by scanning the Internet. Once found, the ACS becomes a regular target and, guess what? Many of them are not properly managed/configured. Shahar reviewed different examples of ACS and how they were compromised. Two examples:

About bad configurations: even where SSL is available, according to Shahar, only 15% of them are using SSL to manage their CPE! Interesting talk! If you compromise an ACS, you can potentially own thousands of home routers!

Then, Fyodor Yarochkin, a regular speaker at hack.lu, came to present "Detecting bleeding edge malware: a practical report". Fyodor is good at presenting research about monitoring malicious activities, malware and botnets. For him, when you're compromised, you need to properly detect the who, when and how. The identification of the threat is very important. Fyodor explained how he tracked ongoing malicious campaigns via DNS and HTTP monitoring, correlated with public information. As an example, he detected an attacker changing its domain name every 3 minutes, impressive!

Fyodor on stage


I just had a quick look at the talk about USB fuzzing. It was presented by Jordan Bouyat. It was very close to the one that I attended at BlackHat last week! To summarise briefly, USB fuzzing is interesting because USB ports are available everywhere today! After a short introduction about USB and its features (bus, detection, etc), Jordan explained the approach his company used to set up a USB fuzzing lab. Based on Qemu, the solution has pros & cons:

I expected a lot from the next talk. I was curious about the tool called WiHawk aka the "router vulnerability scanner". If previously we saw a talk about TR-069 which focused on ACS servers to pwn home routers, this talk focused again on them. Anamika Singh quickly summarised what a router is and what its core features are: route processing (deciding where to send packets), packet forwarding and special services like filters (ACL) or NAT. She started with a simple example where a password was discovered via an analysis of a router firmware with binwalk. Classic! Then she explained what the purpose of WiHawk is and described its features. Based on IronWasp (it must be installed on top of it), the framework provides the following checks:

The target can be specified as a single IP address, a network or, more interesting, a Shodan query (GeoIP - city, country, etc). This is an interesting tool but it is based on IronWasp, which needs .Net! According to the website, it runs under Linux with wine… To be tested!

Finally, my last talk was the one of Frederik Braun: "We're struggling to keep up" (a brief history of browser security features). The talk was based on the past, present and future of browsers. Today, "the web is the platform" said Frederik! He showed two screenshots which perfectly summarise the history of browsers. The first one is the Yahoo! homepage in the year 2000. The second one is gmail.com with plenty of nice features (fully dynamic web content). Another fact: browsers are everywhere, even in your car! In the past, we always improved the browser to fix security issues: HTTP is a stateless protocol, so we invented cookies. We used plain-text communications? We invented HTTPS. It was opt-in? We implemented HSTS. It's just a whack-a-mole game! Then Frederik reviewed the present issues and the future… Frederik's conclusion? The browser can help to secure the website!

The last talk was the same as the one presented last week at BlackHat: "Evasion of high-end IDPS devices at the IPv6 era" by Enno Rey, Antonios Atlasis, Rafael. Tomorrow, nice talks are scheduled! Stay tuned for more news…

22 Oct 2014 10:32pm GMT

Frank Goossens: Tweaking WordPress’s Expound theme’s menu

I'm helping on a site for a not-for-profit for which we selected "Expound" as the base theme. I like Expound; it looks great, there's no jQuery- or webfont-cruft to worry about and although the CSS comes with a separate reset.css file, it does (Auto-)optimize perfectly.

But I wasn't happy with the menu color-scheme and with the fact that the menu lacked an indication that a child page of a main entry was being shown instead of the page of that main entry itself (confused much?).

Anyway, this is what I ended up with:
wordpress expound theme menu tweaked

For those wanting to do something similar, this is the relevant CSS in my child theme:

/* don't want no blue */
.navigation-main .current-menu-item > a {
        background: #557B47 !important;
}

/* triangle should not be blue either, need it to be a bit bigger */
.navigation-main ul > .current_page_item a:after, .navigation-main ul > .current-menu-item a:after, .navigation-main ul > .current-post-ancestor a:after, .navigation-main ul > .current-menu-parent a:after, .navigation-main ul > .current-post-parent a:after {
        border-top: 10px solid #557B47 !important;
        bottom: -14px;
        z-index: 1000;
}

@media screen and (min-width: 600px) {
  /* if page from submenu, add line under parent item to show you're in that submenu */
  .navigation-main ul > .menu-item {
        border-bottom: 6px solid #3A3A3A !important;
  }
  .navigation-main ul > .current_page_item, .navigation-main ul > .current-menu-item, .navigation-main ul > .current-post-ancestor, .navigation-main ul > .current-menu-parent, .navigation-main ul > .current-post-parent {
        border-bottom: 6px solid #557B47 !important;
  }

  /* but not in submenu */
  .navigation-main .sub-menu > .menu-item {
        border-bottom: 0px !important;
  }

  /* less padding at the bottom to compensate for that extra line */
  .navigation-main a {
        padding: 10px 10px 4px !important;
  }

  /* except when in submenu */
  .navigation-main .sub-menu a {
        padding: 10px !important;
  }
}

/* change color to default brown if child-item is active */
.navigation-main ul > .current_page_item, .navigation-main ul > .current-menu-item, .navigation-main ul > .current-post-ancestor, .navigation-main ul > .current-menu-ancestor, .navigation-main ul > .current-menu-parent, .navigation-main ul > .current-post-parent {
        background: #3A3A3A !important;
}

Have fun!

22 Oct 2014 3:22pm GMT

21 Oct 2014


Xavier Mertens: Hack.lu 2014 Wrap-Up Day #1

Hack.lu 2014

Hello Dear Readers, my agenda is quite hot at the moment: after attending BlackHat last week in Amsterdam, I'm now in Luxembourg until Friday to attend the 10th edition of Hack.lu. The conference organized in Luxembourg has already reached a decade! Congratulations to the organizers for the event, which I have attended since 2008! It has remained since the beginning in my favorite top three for the following reasons: nice atmosphere, good sizing (not too big, not too small), most visitors are regular ones and allow me to meet them once (or twice) a year.

As usual, the first day started with a first bunch of workshops. They are very interesting because, compared to regular talks, you're not passively listening to the speaker but you are doing practical stuff to learn a new tool or protocol. My first choice was to attend a workshop about the ELK stack prepared by Christophe Vandeplas. ELK means "Elasticsearch, Logstash & Kibana" and allows you to collect, parse and store data for further processing. Christophe explained the basics of each component and how to perform forensics investigations based on ELK. I was already using ELK at home to process my logs but, honestly, Christophe gave me some ideas to improve my setup; he has a really good knowledge of this platform. Besides the workshop, he also maintains a Github repository with interesting content to help you in your daily ELK operations. Besides the classic usage, which is collecting logs from your infrastructure (firewalls, proxies, servers, …), ELK can also be used to perform pure forensics investigations. Christophe explained how he performs these tasks. The example was given with the analysis of a piece of malware. The complete path is:

  Sandbox -> Pcap file -> Analysis via Suricata with generated EVE events (JSON) -> Logstash

The next workshop was the one of my friend Didier Stevens & myself about Cisco forensics investigations. We gave this workshop for the first time during BruCON and we were invited to provide it in Luxembourg. If you did not attend those conferences, don't forget that we propose an online lab which allows you to perform the exercises proposed during the workshop. Two sessions were organized today and the first one was fully booked.

After the workshop, I joined the main room to attend the last talks of the day. I attended the last minutes of "Bypassing sandboxes for fun… Profit will be realized by sandbox vendors" by Paul Jung. Today vendors are using sandboxes in more and more products and claim that they are the best way to analyse the behaviour of malicious applications. But this remains a "cat & mouse game". Malware developers have techniques to detect when their code is executed in a sandbox and also to evade this "secure" environment. I attended only the last 10 minutes of the talk, which looked very deep and technical.

The next talk was presented by a French guy: Serge Guelton. He presented research about Python: "Python code obfuscation: improving existing techniques". Serge explained the different techniques that can be used to obfuscate Python code. For each technique, he reviewed the pros & cons. There can be multiple reasons to do this; a good example is the Dropbox client, which is written in Python.

Finally the day ended with a very long presentation by Xeno Kovah about "Extreme privilege escalation on Windows 8 / UEFI systems". For sure, the word "extreme" was a good choice. Xeno explained that, once a machine has been compromised, we can go further and we expect:

The talk explained deeply how the BIOS of a machine can be accessed from the operating system and also compromised. The day ended with a nice walking dinner with all the attendees and many interesting conversations with peers. I apologize for the lack of coverage of this first day, tomorrow should be more complete! Stay tuned!

Oh, by the way, this year Hack.lu implemented the same kind of wall of sheep as BruCON:

Credits to @Kaweechelchen


21 Oct 2014 10:31pm GMT

20 Oct 2014


Joram Barrez: My Five Rules for Remote Working

A couple of weeks ago, there was a stir (again) about remote working and its success and/or failure: it was reported that Reddit, the website where many people lose countless hours, was forcing all its employees to move to SF. After a similar thing happened at Yahoo last year, it made me think about why remote work is such […]

20 Oct 2014 8:33am GMT

17 Oct 2014


Philip Van Hoof: De Fabeltjeskrant

https://www.youtube.com/watch?v=lIWy8taP1rE

Because it states precisely how the animals are faring.

17 Oct 2014 11:29pm GMT

Xavier Mertens: BlackHat Europe 2014 Wrap-Up Day #2

BlackHat Day 2

Yesterday evening, I had a nice dinner with awesome infosec folks. We faced a massive "Deny of Sushi" attack but we survived! So, I'm just back from Amsterdam and here is my small wrap-up for the second BlackHat day.

My first choice was to attend a talk about IPv6. Antonio Atlasis, Enno Rey and Rafael Schaefer presented "Evasion of high-end IDPS devices at the IPv6 era". They are regular speakers at BlackHat and always present interesting research. Belgium is facing a massive trend in IPv6 usage since the major telco enabled this protocol for more and more of its residential users. Please don't think "But I don't use it in my environment!". IPv6 is at your door!

IPv6 VS. IDPS


They started the research by building a lab to play with IPv6 and IDPS and, guess what, they found interesting stuff. They made an introduction about IPv6 extension headers. An IPv6 datagram looks like a train… A train is composed of wagons. IPv6 packets can have multiple extension headers. They are not much used today but each IPv6 stack has to support them. Examples of extensions:

There is a recommended order. All should occur at most once. So, how should a device react if this is not the case? Interesting: RFC 7045 says it SHOULD NOT discard packets containing unrecognised extension headers. What are the common problems that IDS are facing?

  1. Too many things are variable: types, sizes, order and number of occurrences of each one. The fields are variable too. We can define IPv6 as a function with many parameters: f(v,w,x,y,z).
  2. Fragmentation! Both the fragmentable and unfragmentable parts may contain any IPv6 extension headers, which makes problem number one even more complicated to handle.
  3. How are extension headers chained? (Using the Next Header field.)

Based on these problems, you can now imagine how difficult it is for an IDPS to inspect IPv6 packets properly! What can go wrong? Chiron, an IPv6 penetration testing framework, has been used to test IPv6 extension headers. They tested four IPS: 2 open source and 2 well-known commercial solutions. Each solution was tested against 12 different evasion techniques. All of them have been reported to the vendors/developers. Some were patched quickly, for others it took a longer time and, guess what, others still remain open. To demonstrate this, the speakers performed several live demos:

What could be done? If you are using an IDPS…

Technical mitigations: implementation of RFC 7112. Configure your devices to drop IPv6 extension headers not used in your network. Sanitize packets before they reach your devices. A very interesting, well-prepared talk with demos working out of the box!
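As an added example (not code from the talk or from Chiron), a header-chain check that a sanitising device could apply before an IDPS sees the packet: it walks the Next Header chain, compares each extension header against a site allow-list and flags repeats, ordering violations, non-first fragments and chains that outrun the packet. The EH_* flags, SITE_ALLOW and the constructed sample packets are assumptions of this example.

```c
/* Added example (not code from the talk or from Chiron): walk the Next Header
 * chain of an IPv6 packet and flag the evasion ingredients the talk lists:
 * disallowed, repeated or mis-ordered extension headers, non-first fragments
 * and chains that outrun the packet. Samples are constructed, addresses zero. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AH = 51, NH_DSTOPTS = 60 };
#define EH_OK           0u
#define EH_TRUNCATED    (1u << 0)  /* chain claims bytes the packet lacks */
#define EH_DISALLOWED   (1u << 1)  /* extension header not on the allow-list */
#define EH_REPEATED     (1u << 2)  /* more occurrences than RFC 2460 permits */
#define EH_OUT_OF_ORDER (1u << 3)  /* violates the recommended order */
#define EH_FRAGMENTED   (1u << 4)  /* non-first fragment: upper layer unseen */
#define ALLOW(nh)       (1ull << (nh))  /* allow-list bit; all values are < 64 */

/* Headers we can walk; ESP (50) is terminal since what follows is encrypted. */
static int is_walkable(uint8_t nh) {
    return nh == NH_HOPOPTS || nh == NH_DSTOPTS || nh == NH_ROUTING ||
           nh == NH_FRAGMENT || nh == NH_AH;
}
/* RFC 2460 order; Dest Opts may appear before Routing and again before the upper layer. */
static int order_rank(uint8_t nh, int seen_before) {
    if (nh == NH_HOPOPTS) return 0;
    if (nh == NH_DSTOPTS) return seen_before ? 5 : 1;
    if (nh == NH_ROUTING) return 2;
    return nh == NH_FRAGMENT ? 3 : 4;  /* 4: AH */
}

/* Returns a bitmask of EH_* flags; EH_OK means the chain is clean. */
unsigned check_ipv6_chain(const uint8_t *pkt, size_t len, uint64_t allow) {
    unsigned flags = EH_OK;
    int count[64] = {0}, last_rank = -1;
    if (len < 40 || (pkt[0] >> 4) != 6) return EH_TRUNCATED;
    uint8_t nh = pkt[6];                  /* base header's Next Header */
    size_t off = 40;
    while (is_walkable(nh)) {
        if (off + 8 > len) return flags | EH_TRUNCATED;
        if (!((allow >> nh) & 1)) flags |= EH_DISALLOWED;
        int rank = order_rank(nh, count[nh] > 0);
        if (++count[nh] > (nh == NH_DSTOPTS ? 2 : 1)) flags |= EH_REPEATED;
        if (rank < last_rank) flags |= EH_OUT_OF_ORDER;
        last_rank = rank;
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len, 8-octet units */
        if (nh == NH_FRAGMENT) {          /* fixed 8 bytes; offset in 8-octet units */
            hlen = 8;
            if (((pkt[off + 2] << 8) | pkt[off + 3]) >> 3) flags |= EH_FRAGMENTED;
        } else if (nh == NH_AH) {         /* AH length is in 32-bit words minus 2 */
            hlen = ((size_t)pkt[off + 1] + 2) * 4;
        }
        nh = pkt[off];                    /* follow the chain */
        off += hlen;
        if (flags & EH_FRAGMENTED) break; /* the rest lives in the first fragment */
    }
    if (off > len) flags |= EH_TRUNCATED;
    return flags;
}

/* ---- constructed sample packets ---- */
static size_t put_base(uint8_t *b, uint8_t nh) {
    memset(b, 0, 40);
    b[0] = 0x60; b[6] = nh; b[7] = 64;    /* version 6, Next Header, hop limit */
    return 40;
}
/* Minimal 8-byte HBH/DstOpts/Routing-style header holding one PadN option. */
static size_t put_opt_hdr(uint8_t *b, size_t off, uint8_t next) {
    memset(b + off, 0, 8);
    b[off] = next; b[off + 2] = 1; b[off + 3] = 4;
    return off + 8;
}
static const uint64_t SITE_ALLOW = ALLOW(NH_HOPOPTS) | ALLOW(NH_DSTOPTS) | ALLOW(NH_FRAGMENT);

/* Hop-by-Hop -> Dest Opts -> TCP: textbook order, everything allowed. */
unsigned sample_clean(void) {
    uint8_t p[128];
    size_t off = put_base(p, NH_HOPOPTS);
    off = put_opt_hdr(p, off, NH_DSTOPTS);
    off = put_opt_hdr(p, off, NH_TCP);
    memset(p + off, 0, 20);               /* dummy TCP header */
    return check_ipv6_chain(p, off + 20, SITE_ALLOW);
}
/* Dest Opts -> HBH -> HBH -> Routing -> TCP: mis-ordered, repeated, Routing disallowed. */
unsigned sample_evasive(void) {
    uint8_t p[128];
    size_t off = put_base(p, NH_DSTOPTS);
    off = put_opt_hdr(p, off, NH_HOPOPTS);
    off = put_opt_hdr(p, off, NH_HOPOPTS);
    off = put_opt_hdr(p, off, NH_ROUTING);
    off = put_opt_hdr(p, off, NH_TCP);
    memset(p + off, 0, 20);
    return check_ipv6_chain(p, off + 20, SITE_ALLOW);
}
/* Fragment header with offset 1: a non-first fragment, nothing more to see. */
unsigned sample_fragment(void) {
    uint8_t p[64];
    size_t off = put_base(p, NH_FRAGMENT);
    memset(p + off, 0, 16);               /* 8-byte header + 8 data bytes */
    p[off] = NH_TCP; p[off + 3] = 1 << 3; /* offset field = 1, M = 0 */
    return check_ipv6_chain(p, off + 16, SITE_ALLOW);
}
```

The three sample functions return the flag masks a sanitiser would act on: sample_clean() yields EH_OK, sample_evasive() sets three flags at once, and sample_fragment() shows why a non-first fragment alone cannot be judged.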

The next talk was chosen purely by curiosity: "Gyrophone - Recognizing speech from gyroscope signals" by Yan Michalevsky, Gabi Nakibly and Dan Boneh.

Gaby & Ivan on stage


How to record speech without using the built-in microphone? All smartphones have a small device called a gyroscope. To record speech on a mobile device, the main problem for an attacker is how to access the microphone, because the access must be approved by the user. But sensors can be freely accessed by apps, like… the gyroscope! Why? Because it is not considered a security or privacy threat. The gyroscope can be accessed from browsers using a simple piece of JavaScript code. There are two major vendors on the market but they both work in the same way. Gyroscopes are very sensitive to acoustic noise. To summarise: our voice makes waves which generate vibration. They impact the gyroscope!

Impact of speech against a gyroscope


Based on this fact, gyroscopes are (lousy but still) microphones! The sample rate of the gyroscope is limited by the OS (max 200Hz). To give you an idea, male speech is around 85-180Hz and female speech around 165-244Hz. Listening at 200Hz is not efficient but algorithms can be used to perform a deeper analysis for us. That's what the speaker explained during the rest of the talk. They described the lab they put in place to record enough samples and the different techniques used to:

Depending on the samples and techniques, the results varied but they also demonstrated how the detection rate could be improved by using multiple devices sampling at the same time. Some other attacks:

What are the defences against this attack? A range of 0-20Hz should be enough for most applications to sample the gyroscope. Higher ranges should be allowed only to trusted applications (like the microphone). The idea was very good but, after the theory, I would have expected some demos.

After a first coffee break, let's continue with "Revisiting XSS sanitisation" by Ashar Javed. More precisely, the talk focused on WYSIWYG editors like we can find in thousands of websites such as forums, CMS (blogs) but also more corporate applications like ticketing systems. They allow you to generate nice content by inserting pictures, bold or italic text, links etc. Froala is a very common editor used by many websites. Imagine a major vulnerability in this editor: you have a very broad attack surface! And developers of such editors are proud to claim they have thousands of customers! Another example is TinyMCE, used by WordPress (which I'm using right now to write this post). What to say about XSS? As Ashar said: "They were there, they are and they will be!"

Ashar on stage

Ashar reviewed some examples of XSS vulnerabilities he found in text editors. He received some money from bug bounty programs for this, but he was also banned or had his account disabled on some sites. Ashar explained step by step, in a very didactic way, how he successfully abused so many websites which rely on third-party libraries or code. He started with an XSS based on width:expression on IE7 and then moved on to other browsers. What are the common injection points in WYSIWYG editors?

Ashar reviewed all of them, always with good examples. He also provided some nice slides which explain how to quickly find XSS using common browsers. The presentation ended with a question: "Why are all WYSIWYG editors vulnerable?". According to Ashar, the answer has two components: transfer of responsibility and laziness. Developers think that it's up to the site owner to take care of data received from the client, and webmasters rely on third-party code that should block all such attacks. Finally, some tips were given to efficiently block XSS attacks. To prove this, Ashar started a project and asked people to break into his application. As of today, 82K (!) attacks were executed against the webpage and none succeeded. A last message to developers: if XSS attacks are hard to block, don't forget to use httpOnly cookies to prevent them from being stolen!
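The point Ashar makes about responsibility is that the site receiving editor output has to treat it as untrusted HTML and keep only what it needs. The following sanitiser is an added example written for this wrap-up (it is not Ashar's code or any editor's own filter): an allowlist over tags and attributes, so that a style="width:expression(...)" attribute, an on* handler or a javascript: URL never reaches the page, and mis-nested or unclosed tags are closed so the result stays well-formed. The allowed tag and attribute sets are my assumptions about what a rich-text editor legitimately needs.

```python
"""Allowlist HTML sanitiser for WYSIWYG editor output (added example)."""
from html import escape
from html.parser import HTMLParser
import re

# What a rich-text editor legitimately needs: formatting, lists, links, images.
# These sets are assumptions for the example; tune them per application.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "u", "a", "img", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"img", "br"}
# http(s) absolute URLs or site-relative paths only; javascript:, data:, vbscript:
# and protocol-relative "//host" URLs never match.
SAFE_URL = re.compile(r"^(?:https?://|/(?!/))\S+$", re.IGNORECASE)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags we emitted and still need to close
        self.skip_depth = 0   # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tags vanish; their text content is kept as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # drops style="width:expression(...)", on* handlers, etc.
            value = value or ""
            if name in ("href", "src") and not SAFE_URL.match(value):
                continue      # drops javascript: and similar URL schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return            # stray close tag: ignore it
        # Close everything opened since this tag so the output stays well-formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped, never raw


def sanitize(html: str) -> str:
    """Return a cleaned HTML fragment containing only allowlisted markup."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    while s.open_tags:                      # close tags the input left open
        s.out.append(f"</{s.open_tags.pop()}>")
    return "".join(s.out)
```

Because the output is rebuilt from a parsed tree rather than produced by regex deletions, a payload that survives one pass cannot be reassembled from the pieces of a second one, which is the failure mode of most blacklist filters in the editors Ashar reviewed.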

The last half-day started with Erik Peterson who presented "Bringing a machete to the Amazon".

Erik on stage

Forget all the *aaS abbreviations! From a single perspective: "a cloud like AWS is an operating system". It has memory and disk, and it allows you to run applications. Cloud infrastructure is code. Traditional applications (Java, .Net, etc.) are a small part of the whole system, and the majority of the system is provided by AWS. And like any application, after a few months it can become a mess if not properly managed. Forklifting is also dangerous. Forklifting is the process of taking legacy data centre applications and loading them into the cloud. This can be expensive and dangerous:

Emergent security: an individual component can be secure, but once placed in the cloud, the system becomes insecure. Example: "Internet weather", where some datacenters can be subject to unpredictable, non-persistent network latency issues. This is very similar to the DevOps concept. "In the cloud, the king of the jungle is the API". API keys are the keys to your security. Impact?

The API can bypass classic security controls: you have an IPS or a firewall? The API can snapshot your VM, mount the snapshot on another VM and extract information. How to get access to the API? Via GitHub of course! Search for "SECRET_ACCESS_KEY". What about an API honeypot? Your keys will be stolen in less than 60 minutes! :) What about cloud metadata? It contains useful information like startup scripts and AWS access credentials. Not only AWS but all cloud providers have it (except Azure ;-). There is nothing wrong with metadata… as long as you are aware of it and protect it. Old vulnerabilities get a new life thanks to the AWS cloud. Ex: CWE-77 (command injection). Control access to the API and restrict access based on IP, but that does not solve the problem! Your bill is not an IDS: "Wow, I got a big bill, something must be wrong" ;-) Implement API logging; by default it's off! Turn on CloudTrail and use Logstash (as an example). DevOps culture tends to "fail open". Developers are new to the cloud; their goal is "just to make it work". Leaking tags! Tags are very nice to keep information (ex: owner of the machine, contacts, …) but please don't put your password or API key inside tags! Back to the title of the presentation: Machete is a tool to:
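Two of Erik's points, keys committed to GitHub and keys pasted into tags, are the same detection problem: find credential-shaped strings where they do not belong. The scanner below is an added example for this wrap-up (it is not Machete or any other tool from the talk). It relies on the documented format of AWS access key IDs (AKIA/ASIA followed by 16 upper-case alphanumerics) and on the 40-character secret key appearing next to a SECRET_ACCESS_KEY-style name; the sample config and the tag list are constructed for the example.

```python
"""Detect AWS credentials leaked in repository text or instance tags (added example)."""
import re

# Access key IDs have a fixed, documented shape; secrets are 40 base64-ish chars,
# so we only flag them when they sit next to a secret-key style name.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(secret: str) -> str:
    """Keep enough of the value to locate it, never enough to use it."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str):
    """Return [(line_no, kind, redacted_value)] for every credential found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((n, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((n, "secret_access_key", redact(m.group(1))))
    return findings


def scan_tags(tags):
    """tags: [{"Key": ..., "Value": ...}] as returned by describe-tags.
    Returns the keys of tags whose key/value pair carries a credential."""
    return [t["Key"] for t in tags if scan_text(f"{t['Key']}={t['Value']}")]


# Constructed sample input: a .env-style file as it might be committed by mistake.
SAMPLE_CONFIG = """\
# constructed sample, not a real repository
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyzABCDEFGHIJ0123
region=eu-west-1
"""

# Constructed sample tags: the second one is exactly what Erik warns against.
SAMPLE_TAGS = [
    {"Key": "Owner", "Value": "team-web"},
    {"Key": "deploy_secret_key", "Value": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJ0123"},
]

if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} {value}")
    print("tags to clean:", scan_tags(SAMPLE_TAGS))
```

Run the text scanner as a pre-commit hook and the tag scanner over the output of the describe-tags API on a schedule; a hit in either place should be treated as a key rotation, not just a clean-up, because the value has already left the system it was meant for.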

Other tools that could be interesting:

Very nice presentation, but the introduction to the AWS cloud and the associated risks was a bit long (IMHO). I'd have expected some nice demos of Erik's tool.

The next presentation was dedicated to the new OS X version, 10.10, called "Yosemite". Good timing: it was released just yesterday. This version was already available to developers (and security researchers). It was reviewed, from a security point of view, by Ming-chieh Pan and Sung-ting Tsai.

Sung-ting & Ming-chieh on stage

They analysed the changes implemented by Apple in the new version of their operating system and made some findings. They started with a review of the rubilyn rootkit, publicly released 2 years ago. Then they reviewed how to install (offensive) and detect (defensive) a rootkit on the new version of OS X. A good idea was to present all the examples (system calls) alongside their Windows equivalents (most people have more knowledge of the Microsoft environment). The talk was very technical and above my knowledge, very difficult to follow, but, according to a friend, it was good. Finally, they presented their tool called SSV-X ("System Virginity Verifier"), specially adapted to OS X.

And the second day finished for me with "Reflected File Download - A new web attack vector" by Oren Hafif. After a funny introduction about himself, Oren explained in detail what RFD is and what is behind this attack. The presentation focused on the objectives of RFD and on understanding how it works. Both defenders and attackers are concerned: how to detect and report, but also how to prevent. calc.exe:

calc.exe, the security researcher's best friend

The attack is quite straightforward: a user clicks on a valid link, a malicious file gets downloaded from google.com, and the file executes immediately once clicked. The key question in this attack is: how do we trust downloads and how do we trust websites? As an example, we trust online banking websites because they have a lot of locks on the page, they use HTTPS, the URL bar is green, etc… Four out of five people will trust a download based on the domain! Based on the Google autocomplete feature, Oren explained step by step how this attack works, starting from a simple 'rfd' search string up to 's;.setup.bat/?q=rfd"||calc||'. This attack also abuses a stupid browser behaviour which allows files containing "install", "setup" or "update" in the filename! An advanced attack could use PowerShell to download the rest of the payload. It will ask for admin rights, but using the standard dialog box that people trust, of course! Finally, Oren reviewed some ways to fix this issue:

In the meantime, Google fixed the issue but, according to Oren, there are tons of vulnerable websites online! Very nice presentation which, I'm sure, gave lots of ideas to the pentesters present in the room!
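The three ingredients Oren describes are a permissive URL (the ";.setup.bat" path part), reflected input in the body, and a browser that names the download after the URL. The server-side builder below is an added example for this wrap-up, not code from the talk or from Google; it shows the defensive counterparts I would apply to an autocomplete-style endpoint: an exact route match that rejects path parameters and extra segments, a JSONP callback restricted to a plain identifier, and a server-chosen Content-Disposition filename plus nosniff so the browser never derives the name or type from the URL. The route, the callback rule and the suggestion data are assumptions of the example.

```python
"""Hardened response builder for an API that echoes client input (added example)."""
import json
import re
from typing import Dict, Optional, Tuple

# Exact route: "/complete/search;setup.bat" or "/complete/search/x.bat" are not accepted.
EXPECTED_PATH = "/complete/search"
# A JSONP callback must be a plain (optionally dotted) JavaScript identifier,
# so quotes, pipes, semicolons or spaces from the query string can never be echoed.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
# Constructed suggestion data standing in for a real autocomplete backend.
SUGGESTIONS = ["reflected file download", "rfd whitepaper", "rsa"]

Response = Tuple[int, Dict[str, str], str]


def suggest(query: str):
    return [s for s in SUGGESTIONS if s.startswith(query.lower())]


def build_response(query: str, callback: Optional[str] = None) -> Response:
    if callback is not None and not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    body = json.dumps({"q": query, "suggestions": suggest(query)})  # input is JSON-encoded
    if callback:
        body = f"/**/{callback}({body});"
        content_type = "application/javascript; charset=utf-8"
    else:
        content_type = "application/json; charset=utf-8"
    headers = {
        "Content-Type": content_type,
        # The browser must not sniff another type for this body.
        "X-Content-Type-Options": "nosniff",
        # If the response is ever saved, the filename comes from here, never from the URL.
        "Content-Disposition": 'attachment; filename="suggestions.json"',
    }
    return 200, headers, body


def handle(path: str, query: str, callback: Optional[str] = None) -> Response:
    """Minimal router: only the exact expected path reaches the API."""
    if path != EXPECTED_PATH:
        return 404, {"Content-Type": "text/plain; charset=utf-8"}, "not found"
    return build_response(query, callback)


if __name__ == "__main__":
    print(handle("/complete/search", "rfd"))
    print(handle("/complete/search;setup.bat", "rfd")[0])   # 404
```

Of the three controls, the fixed Content-Disposition filename is the one that removes the attack outright: even if reflected input reaches the body, the saved file is suggestions.json and not something the OS will execute.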

Next to the classic briefings, there was also an Arsenal session organised by Netpeas and Toolswatch with very interesting tools. Don't hesitate to have a look at them:

That's it for this edition of BlackHat! I only attended 25% of the scheduled talks and, in my selection, some were excellent, others less so, but a broad scope was covered. Two remarks about the organisation: change your WiFi and catering providers ;-)

Game over!

17 Oct 2014 8:27pm GMT

16 Oct 2014

Paul Cobbaut: space

It takes a small effort to keep up to date on space news. Here's a summary of some current space flights that I like.


New Horizons
In 2015 we will see Pluto (a dwarf planet) for the very first time. This is the best picture we have of Pluto today:


New Horizons should improve this picture gradually from February to August 2015, yeah!

Dawn
Remember Ceres, the dwarf planet between Mars and Jupiter? Only 900km across, yet it could have more fresh water than planet Earth, and it holds about a third of the mass of the asteroid belt. Dawn will give us a first look at Ceres in February 2015, yeah!


China to the Moon
Many people laugh at the Chinese space program; they shouldn't! They launched Chang'e 3 to the Moon in December 2013 and released a rover that is still operational today. Never mind that it stopped driving in January 2014; having a bunch of instruments operate for more than 10 months at -150 and +100 degrees Celsius is *amazing*.
Chang'e 4 will launch 23 October 2014 to fly to the Moon and back, testing return to Earth. Chang'e 5 will collect some rocks from the Moon in 2015 and fly them back to Earth. How long will it take before they send people?
My guess is they won't just plant a flag, they will go to the Moon to do real long term science.


Elon Musk
Elon Musk is a man with a clear vision. He wants to put a million people on Mars as soon as possible. He is currently in charge of SpaceX (and also CEO of Tesla). They already had four or five flights to the International Space Station with their own rockets and their own spacecraft. My best guess is that they will have an unmanned Mars landing in about six years, and manned around 2025-ish.


There is more:
-Rosetta (circling a comet!) with Philae
-Juno
-the Chinese space station (construction from 2018 till 2022-ish)
-the American rovers on Mars
-lots of satellites around Mars
-and the Voyager probes are still alive

16 Oct 2014 6:37pm GMT

Xavier Mertens: BlackHat Europe 2014 Wrap-Up Day #1

BlackHat is back in Amsterdam and here is my wrap-up for the first day. It rained all the way to Amsterdam this morning, but that did not prevent motivated people from joining the Amsterdam RAI, where this 2014 edition of BlackHat Europe is organised! They moved from the centre of the city to a bigger conference centre. Nice place, but far away from bars and restaurants. After the classic registration process and a nice breakfast, let's go with today's talks. As usual, Jeff Moss opened the conference with some facts about the event. Interesting: this year 50% of the audience is coming for the first time! Fresh blood is always good. People came from 68 different countries (eg Brazil, Surinam, Ukraine, ...). Jeff's message was also: feel free to ask questions, participate and learn… The community is very important.

The day started with Adi Shamir's keynote and some crypto. Ouch, crypto is hard to start a day with but, after some theory, funny stuff was explained. Adi is currently the Borman Professor of Applied Mathematics at the Weizmann Institute of Science and his main area of research is cryptography. He is a co-inventor of the RSA algorithm. To summarise, he's the "S" of RSA!

Adi on stage

Today, writing papers about mathematical cryptanalysis is getting easier because we have many more targets to attack and more tools. But the definition of success also changed: it's not only finding the secret key but distinguishing the output of a system from garbage. On the other side, it's also getting harder to have a practical impact: mathematical attacks have forced practitioners to dump ciphers. For years, we faced examples of attacks against crypto: DES, WEP, MD5/SHA1, etc… Then Adi came back to one of the simplest side-channel attacks: power analysis. The goal is to check the fluctuations of the power consumed by a device when it performs crypto operations. Can we use this technique to break the RSA scheme? Can we compare the curves recorded while doing mathematical operations? A paper was published at CRYPTO 2014: RSA key extraction by listening to the computer. The question which then comes is: how effective are TEMPEST protections? Adi started to work on a new research topic: long range bi-directional communication with an air-gapped computer system containing only untampered hardware. I played with this for the last few weeks. Imagine a nice building (a pentagon) with many secrets. B. Schneier suggested using an air gap to protect against the NSA. Really? First, the hardware solution is to install a mini-transmitter in the device. This requires just one-time access to the device. Simple but very intrusive! And what about a software solution? In this case, again we need one-time access to the machine to plant malware (via a USB stick, a phishing campaign, …). But once done, how to "talk" to the planted malware? That's the "holy grail" of cyber-attacks: how to communicate with a device in an inaccessible location, let's say 1200m away from the target. Challenge accepted by Adi! Using a simple scanner/printer and a flashlight, Adi explained how we can send data to the printer by flashing the light in specific sequences.
The next step was to test the same from far away with a laser. Adi wrote an application to program the laser to send messages. A possible attack scenario is the following: the malware initiates a scan at a certain time, gets the scanned image and interprets it. But this can be very suspicious. Otherwise, let the victim scan a real document and use the lines at the edges! But what about exfiltration of data? How to use the printer in the reverse direction? The attacker can pick up the scanning light emanating at night from the dark room. This is very slow. To improve the view of the printer, Adi used a drone to record the light from a higher position. In conclusion, they called the new technique "SCANGATE". Take care of your all-in-one printers and, as countermeasures, use black curtains or put the devices away from any external light. This was a very nice keynote; practically, the scenario is very difficult to implement in real life, but it makes you realise that attackers can have plenty of ideas!

BlackHat being a four-track conference, it is mandatory to make choices amongst the huge number of interesting talks. The first one for me was a talk about Network Attached Storage (NAS) systems: "N.A.S.TY Systems that store network accessible shells", presented by Jacob Holcomb. A scary fact to start: 100% of the systems tested were vulnerable… And recently, QNAP was found to be vulnerable to Shellshock. Jacob's proof-of-concept was to develop self-replicating code across devices. Many people and companies use NAS, so the attack surface is very big. Some key players: QNAP, Seagate, Netgear, D-Link, Buffalo. Classic configuration services are telnet, ssh and http, but they also have an unnecessary service: a link to the "cloud". 50% can be compromised without authentication and 22 CVE numbers were assigned by MITRE. Far worse than routers!

Jacob on stage

The testing methodology used by Jacob was classic: scanning, banner grabbing, investigating running services, analysing web applications, static code analysis and fuzzing. Different types of vulnerabilities were discovered: command injection, XSS, buffer overflow, lack of access control, information disclosure, backdoors, broken session management. Jacob gave some tips (countermeasures) for developers, like using the available API instead of calling system(). If you don't have an alternative, just allow the expected commands, nothing else!
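Jacob's two tips, prefer an API over system() and otherwise allow only the expected commands, translate into a small amount of code. The example below is added for this wrap-up and is not Jacob's code or any vendor's: the first function shows the pattern found in NAS web UIs (user input pasted into a shell string), the rest shows the replacement, where the tool name is looked up in an allowlist that fixes the argv prefix, the target must parse as an IP address or a hostname, and the command runs without a shell so no metacharacter is ever interpreted. The allowed tools and the hostname rule are assumptions of the example.

```python
"""Replacing system()-style command strings with an argv allowlist (added example)."""
import ipaddress
import re
import subprocess

# The only diagnostics the web UI may run, each with its fixed argument prefix (assumption).
ALLOWED_TOOLS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}
# RFC 1123 style hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_command(tool: str, target: str) -> str:
    """The pattern many NAS UIs used: one string handed to system(); ';', '|', '`'
    and friends in `target` are interpreted by the shell. Shown only for contrast."""
    return f"{tool} {target}"


def is_valid_target(target: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def build_command(tool: str, target: str):
    """Return the argv list for an allowed tool and target, or raise ValueError."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    if not is_valid_target(target):
        raise ValueError(f"invalid target: {target!r}")
    return ALLOWED_TOOLS[tool] + [target]


def run_diagnostic(tool: str, target: str, timeout: int = 10):
    """Execute the diagnostic without a shell; argv elements are never re-parsed."""
    argv = build_command(tool, target)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout, shell=False)


if __name__ == "__main__":
    print(build_command("ping", "192.0.2.1"))
    print(vulnerable_command("ping", "example.com; id"))  # what the old code would have run
```

The allowlist is what makes the second tip work: validating the target alone would still let a caller pick an arbitrary binary, and argv-without-shell alone would still pass a hostile first argument to whatever tool the UI exposes.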

What about mass exploitation? Jacob performed a demo of his N.A.S.Ty worm… He focused on 3 targets: D-LINK DNS345, TRENDnet TN-200 / TN-2011T1 and WD MyCloud EX4, but others may be vulnerable too! How does it work?

  1. Scan for tcp/80
  2. Fingerprint
  3. Exploit
  4. Download & run the code
  5. Rinse and repeat

Jacob did a live demo of his worm against NAS located in the room. Once the worm has infected a NAS, it kills itself and starts scanning for other victims from the newly infected NAS. Note that it does not check if the NAS is already infected. This means that more worms can run simultaneously and cause some kind of DoS (slow response, bandwidth usage). A special mention to the project "hack routers and get paid" (see sohopelesslybroken.com). What about the remediation? For the vendors: transparent patch management, add security checks, apply security principles (like least privilege). For consumers: harden your devices! The worm part was interesting, but we already knew that devices like NAS's have a very weak security maturity!

After a first coffee break, my heart was torn between SmartMeters and the "Internet of Things" stuff. As I had already attended presentations about SmartMeters in the past, I decided to follow Candid Wueest's talk, called "Quantified self - A path to self-enlightenment or just a security nightmare". Candid started with a definition of "quantified self". Is it a new buzzword? The goal of those technologies is to record everything about your life (sleep cycles, calories, steps, heart beats, etc…).

Candid on stage

Candid put some focus on fitness devices like the Fitbit wristband. This device records information via sensors and shares it with a computer (or mobile device). Data are also sent to the cloud to compute interesting statistics and share the data with the user's friends. Basically, if we introduce more data movements (device, laptop/phone and finally cloud), we also increase the risks. The first issue reported by Candid was the unintentional data leak, or the secret life of mobile applications. Amongst the different apps that were tested, they contacted on average 5 different domains, and the winner contacted 14! Connections are used to exchange data with advertisement networks, the application provider, the OS provider, some social media, etc. Always verify the default settings of your application. A bad example is Fitbit, which once made "sexual activity" visible to all by default! Then, passive information can also be leaked. If an advertisement is displayed after the completion of an exercise, the traffic to the advertisement network can be used to detect when the user is exercising. Health kits may contain PII ("Personally Identifiable Information"), but 52% of the tested apps do not have a privacy policy. Your data are already being analysed today. Candid gave the example of the earthquake in San Francisco, where who was asleep at the time was analysed. Worse, 20% of the tested apps send HTTP POST requests in clear text. And if they use SSL, they accept self-signed certificates and don't check revocation lists. Some cloud applications are also very bad. Some allow user enumeration ("GET /api/user/xxx"), others implement an open relay via sendmail.php. The next part of the talk was dedicated to devices using Bluetooth Low Energy. It's possible to scan for interesting devices and learn some information. As a proof-of-concept, Candid developed a "Blueberry Pi" based on a Raspberry Pi, a USB Bluetooth 4 dongle and a portable battery.
When scanning sport events, you can collect plenty of data. He also scanned the BlackHat attendees but detected only 8 devices. The conclusion of this research? Your digital footprint will be (is already?) everywhere. Take care when using health devices: when not in use, turn off Bluetooth or the device itself, and keep them updated (which is also a challenge). Look for a vendor with a security policy. This was a nice talk with a different approach to the Internet of Things.

After lunch, Dan Koretsky talked about VDI ("Virtual Desktop Infrastructure") with a presentation called "A practical attack against VDI solutions", with more focus on mobile VDI solutions. What is VDI? The technology allows the user to have a remote desktop on any device, with three big advantages:

What are the threats with mobile VDI solutions? The first threat is directly related to "mRAT" or "Mobile Remote Access Trojan", which records keys (key-logger). With the help of Check Point, lots of traffic was analysed and some interesting stats grabbed:

Compromised mobile devices stats

The second threat is grabbing credentials locally on Android. The third one is screen scraping. This can be done using access to the clipboard (CTRL-A then CTRL-C) or screen recording. Finally, the fourth threat is playing a MitM attack. Nothing fancy in this presentation, nothing new: we already know that a solution like VDI is good as long as the end-point is not compromised. Finally, the last five minutes were more marketing, with details about the solution developed by Dan's company.

In a short presentation, Sergej Schumilo and Ralf Spenneberg presented their research called "Don't trust your USB", or how to find bugs in USB device drivers. Do you remember Teensy? This small USB device was able to compromise a device by simulating a keyboard and sending keystrokes to the victim. But what's the new motivation? To compromise a system via the USB bus. This research was done using massive usage of virtual machines with systematic and comprehensive fuzzing. The talk explained how to perform this task at a very high performance rate.

My next choice was "How I hacked your ATM with friend's Raspberry Pi", presented by Alexey Osipov and Olga Kochetova. The topic looked interesting, with a new way to use a Raspberry Pi computer. The presentation started with a short history of ATMs. Did you know that the first ATM was installed in 1967 by Barclays bank? If at the beginning it was not seen as a revolution, today we could not live without an ATM close to us to get some cash! That's also why ATMs are nice targets: they contain money.

Alexey & Olga on stage

Then the speakers explained the motivations behind this research: banks are curious! Usually, the attack scenario starts with malware injected into the ATM thanks to physical access. It is injected using a USB stick or a CD-ROM. The most known attack is the one performed by Barnaby Jack, "ATM Jackpotting". There are also physical attacks (skimmers and PIN readers). But how hard is it to get inside an ATM? The ATM has two major zones: a "service" zone, where maintenance can be performed and where the computer is installed, and the "safe" zone, where the money is stored. Usually, the service zone is protected by a plastic cover with a single lock. The safe zone is made of steel and concrete with rotary code or electronic locks, and two types of locks. The next part of the talk was a description of the attack using a Raspberry Pi connected to the computer and remotely accessible. Once inside the ATM, a Raspberry Pi can be installed and connected to the USB bus (+ battery + WiFi). They briefly explained how the attack was performed, but without many details. The presentation made during the OWASP Belgium chapter meeting in May was much more complete! Conclusion of this talk: the service zone is important and must be properly secured; current methods of protection are not enough. Here again, nothing brand new…

If I was a bit disappointed by the presentations that I followed in the afternoon, the last one of the day was the best one (IMHO). The last talk was "Firmware.RE - Firmware unpacking, analysis and vulnerability discovery as a service" by Jonas Zaddach.

Jonas on stage

The idea of this research started with another fact: embedded systems are everywhere! They can do a lot of things, but it's even more fun to make them talk to each other and even more to the Internet (IoT)! The classic types of embedded systems are routers, printers or VoIP systems. Jonas reviewed some nightmare stories (backdoors in routers and abusing PostScript on printers). And many, many other devices… The problem is that analysing all those devices requires a lot of time. This can't be performed manually. The idea of the research was to make a large-scale analysis to see if embedded systems suffer from the same vulnerabilities. But the problems with large-scale analysis are:

How to automate this?

The big advantage is that the analysis is non-intrusive, it can be performed online and it is very scalable, but many challenges remain! The first challenge is how to get the firmware. There are multiple sources and ways to get them. There was no large-scale firmware dataset available. They downloaded lots of firmware images, but some of them were not available. The second challenge was firmware identification: how to detect firmware across thousands of files? How to reliably unpack and learn formats? Example: upgrading a printer via a PS file, how to detect it as a firmware? The architecture they developed is based on a crawler which downloads and stores firmware in a database. The firmware is sent to the cloud application for analysis (unpacking, static analysis, fuzzy hashing). A password hash cracker is also available to crack the passwords found. Everything is managed by a web interface. As of today, the crawler has already collected 759K files (1.8TB). From those files, 1.7M files were extracted! What were the common issues found:
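The identification step Jonas describes, telling a firmware image apart from an arbitrary download and locating the pieces inside it, rests on two cheap signals before any unpacker runs: known magic bytes at some offset, and the per-block entropy that separates padding, code and compressed or encrypted payloads. The code below is an added example for this wrap-up and is not part of Firmware.RE; the signature table is my own short list of formats common in router and printer images, and the sample image is constructed in the block (a fake ELF header, a real gzip stream and a SquashFS magic glued together with padding).

```python
"""Locate embedded formats in a firmware blob by magic bytes and entropy (added example)."""
import gzip
import math
from collections import Counter

# Magic bytes of formats frequently embedded in firmware images (list is an assumption
# of the example; a real scanner would carry hundreds of entries).
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip stream",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"%!PS": "PostScript (printer upgrade files are often PS)",
    b"\x27\x05\x19\x56": "uImage (U-Boot legacy image)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted, ~0 means padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_signatures(blob: bytes):
    """Return a sorted list of (offset, description) for every signature occurrence."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)


def entropy_map(blob: bytes, block: int = 256):
    """Per-block entropy, so packed or encrypted regions stand out from code and padding."""
    return [round(shannon_entropy(blob[i:i + block]), 2) for i in range(0, len(blob), block)]


def build_sample_firmware() -> bytes:
    """Constructed image: padding, a fake ARM ELF header, a gzip payload, a SquashFS magic."""
    elf_stub = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x02\x00\x28\x00"
    payload = gzip.compress(bytes(range(256)) * 8, mtime=0)  # deterministic gzip stream
    return b"\x00" * 64 + elf_stub + b"\x00" * 12 + payload + b"hsqs" + b"\x00" * 28


if __name__ == "__main__":
    fw = build_sample_firmware()
    for offset, desc in find_signatures(fw):
        print(f"0x{offset:06x}  {desc}")
    print("entropy per 256-byte block:", entropy_map(fw))
```

A hit list plus an entropy profile is usually enough to decide whether a download is worth queueing for unpacking and which offsets to hand to the extractor, which is the triage that makes a crawler over hundreds of thousands of files feasible.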

The analysis system will be available to everybody, so do not hesitate to submit your firmware. The tool is available at the following address: www.firmware.re (it will be publicly available soon after the conference). The first day was closed by a reception in the business corner, where people did some networking. See you tomorrow for the second day!

16 Oct 2014 5:43pm GMT

Dries Buytaert: Acquia a leader in Gartner Magic Quadrant for Web Content Management

Topic: Drupal, Acquia

You might have read that Acquia was named a leader in the Gartner Magic Quadrant for Web Content Management.

It's easy to underestimate the importance of this recognition for Acquia, and by extension for Drupal. If you want to find a good coffee place, you use Yelp. If you want to find a nice hotel in New York, you use TripAdvisor. Similarly, if a CIO wants to spend $250,000 or more on enterprise software, they consult an analyst firm like Gartner. So think of Gartner as "Yelp for the enterprise".

Many companies create their technology shortlist based on the leader quadrant. That means that Drupal has not been considered as an option for hundreds of evaluations for large projects that have taken place in the past couple of years. Being named a leader alongside companies like Adobe, HP, IBM, Oracle, and Sitecore will encourage more organizations to evaluate Drupal. More organizations evaluating Drupal should benefit the Drupal ecosystem and the development of Drupal.

16 Oct 2014 12:23pm GMT

15 Oct 2014

Wim Coekaerts: Oracle Linux Containers and docker and the magic of ksplice becomes even more exciting

So, in my previous blogs I talked about the value of ksplice for applying updates and keeping your system current. The typical use case has been a physical server running some application, or a VM running some application, and it all keeps every system pretty isolated. Downtime on a single server is often seen by a system admin as no big deal; downtime of a bunch of servers because a multi-tier application goes down, however, is a pretty big deal for the application owner and can take some scheduling (and cost) to agree on downtime for reboots. If you have to patch a database server and reboot it, then you first have to bring down your application servers, then bring down the database, then reboot the server. So that 'single reboot' from a sysadmin point of view is a nightmare, a long downtime and a potential risk for the application owner that has an application across many servers. Do keep that complexity in mind...

Anyway, we introduced support for Linux containers a year ago, back with Oracle Linux 6 and the release of UEKr3; no need to wait for OL7 (or rhel7...), we've been doing this for almost a year and it was possible without having to reinstall servers, go from 6 to 7, move to systemd and have major changes. Just simply updating an OL6 environment and a reboot into uek3 and you were good to go, a year ago. So... with containers (and docker is very similar here)... you run one kernel. As opposed to running VMs, where each VM is a completely isolated virtual environment with its own kernel and you can live migrate the VMs to another host if you need to update/patch the host, etc... So you run an OS that supports containers, you deploy your apps and isolate them nicely in a container each... and now you need to apply kernel security updates... well... that means the host kernel on which all these container environments are running... oops, my reboot now brings down a ton of containers. Well, not with ksplice. You run uptrack-update in the main environment and it nicely, online, without affecting your running apps in their containers or docker environments, updates to the latest fixes and CVEs. Done. No downtime, no scheduling issues with your application users... all set.

Supported... since a year ago. Stable.

15 Oct 2014 9:27pm GMT

Wim Coekaerts: The magic of ksplice continues...

My previous blog talked about some cool use cases of ksplice and I used Oracle Linux 5 as the example. In this blog entry I just wanted to add Oracle Linux 6 to it. For Oracle Linux 6, we go all the way back to the GA date of OL6: 2.6.32-71.el6, build date Wed Dec 15 12:36:54 EST 2010. And we support ksplice online updates from that point on, up to today. The same model: you can be on any Oracle Linux 6 kernel, an errata update, a specific kernel from an update release like 6.1, ... 6.5, ... and get current with CVEs and critical fixes from then on. After running uptrack-upgrade, I get to be current: 2.6.32-431.29.2.el6

I ran out of xterm buffer space ;-) so I'm starting with the Installing part of the output of uptrack-upgrade -y:

Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
Installing [1f9nec9b] Clear garbage data on the kernel stack when handling signals.
Installing [lrh0cfph] Reduce usage of reserved percpu memory.
Installing [uo1fmxxr] CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.
Installing [11ofaaud] CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.
Installing [8u4favcu] CVE-2010-3301: Privilege escalation in 32-bit syscall entry via ptrace.
Installing [ayk01zir] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [p1o8wy3o] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [r1mlwooa] CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.
Installing [584zm6x2] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [vt03uggp] CVE-2010-2955: Information leak in wireless extensions.
Installing [7rzgltfi] CVE-2010-3079: NULL pointer dereference in ftrace.
Installing [oyaovezn] CVE-2010-3437: Information leak in pktcdvd driver.
Installing [70cjk1y6] CVE-2010-3698: Denial of service vulnerability in KVM host.
Installing [9dm5foy9] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [mhsn7n2j] Memory corruption during KSM swapping.
Installing [kn5l6sh5] KVM guest crashes due to unsupported model-specific registers.
Installing [xmx98rz9] Erroneous merge of block write with block discard request.
Installing [23nlxpse] CVE-2010-2803: Information leak in drm subsystem.
Installing [mo9lbpsi] Memory leak in DRM buffer object LRU list handling.
Installing [91hrmhbr] Memory leak in GEM drm_vma_entry handling.
Installing [apryc0uo] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [ur02tbrc] CVE-2010-4160: Privilege escalation in PPP over L2TP.
Installing [5o3hvdgy] CVE-2010-4263: NULL pointer dereference in igb network driver.
Installing [a3z3nda1] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [lsd1hzvx] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [z92iokkb] CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.
Installing [23yh7u1i] CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [5fuyrpx3] CVE-2010-4162: Integer overflow in block I/O subsystem.
Installing [ylkgl75m] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [ppawlabm] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [q4n7w8t6] CVE-2010-3067: Information leak in sys_io_submit.
Installing [0w2s15ix] CVE-2010-3298: Information leak in hso_get_count().
Installing [dfi8ncbj] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ahrdouix] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [wvbjfli8] CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
Installing [pkhcqtro] CVE-2010-4075: Kernel information leak in serial subsystem.
Installing [cwksn40u] CVE-2010-4077: Kernel information leak in nozomi driver.
Installing [q4d3smds] CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
Installing [z4duwd7q] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [eajqjo74] CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.
Installing [6hrf2a3e] CVE-2010-4083: Information leak in System V IPC.
Installing [3xm2ly3f] CVE-2010-4158: Kernel information leak in socket filters.
Installing [5y2oasdw] CVE-2010-4525: Information leak in KVM VCPU events ioctl.
Installing [35e4qfr6] CVE-2010-2492: Privilege escalation in eCryptfs.
Installing [rr12rtq3] Data corruption due to bad flags in break_lease and may_open.
Installing [20cz9gp7] Kernel oops in network neighbour update.
Installing [m650djkx] Deadlock on fsync during dm device resize.
Installing [c19gus65] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [3e86rex1] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [cxb3m3ae] CVE-2010-4165: Denial of service in TCP from user MSS.
Installing [dii4wm64] CVE-2010-4169: Use-after-free bug in mprotect system call.
Installing [e465fr49] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [5s3fe1cn] Mitigate denial of service attacks with large argument lists.
Installing [j8jwyth1] Memory corruption in multipath deactivation queueing.
Installing [5qkkyd5m] Kernel panic in network bonding on ARP receipt.
Installing [f9j8s6u6] Failure to recover NFSv4 client state on server reboot.
Installing [qa379ag5] CVE-2011-0714: Remote denial of service in RPC server sockets.
Installing [12q8wuvd] CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
Installing [tm68xsph] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [fk2zg5ec] CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.
Installing [bcfvwcux] CVE-2011-0716: Memory corruption in IGMP bridge snooping.
Installing [smkv0oja] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [3eu2kr7i] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [3skmaxct] CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Installing [xuxi8p7r] CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
Installing [7npiqvil] CVE-2010-4655: Information leak in ETHTOOL_GREGS ioctl.
Installing [en0luyx8] Denial of service on empty virtio_console write.
Installing [yv0cumoa] Denial of service in r8169 receive queue handling.
Installing [j6vlp89e] Failure of virtio_net device on guest low-memory condition.
Installing [q53j90kj] KVM guest crash due to stale memory on migration.
Installing [ri498cnm] KVM guest crash due to unblocked NMIs on STI instruction.
Installing [tlrgiz2i] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [9eta98wf] Use-after-free in CIFS session management.
Installing [19wu4xr4] CVE-2011-0712: Buffer overflows in caiaq driver.
Installing [3cxo6wrf] CVE-2011-1079: Denial of service in Bluetooth BNEP.
Installing [kzieu2je] CVE-2011-1080: Information leak in netfilter.
Installing [ekzp14u9] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [jd3cmfll] CVE-2011-0006: Unhandled error condition when adding security rules.
Installing [jk52g3fx] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [z2ne1xi4] CVE-2011-1013: Signedness error in drm.
Installing [gb4ntots] Cache allocation bug in DCCP.
Installing [pe4f00pm] CVE-2011-1093: NULL pointer dereference in DCCP.
Installing [yypibd1k] CVE-2011-1573: Denial of service in SCTP.
Installing [02al7nxj] CVE-2011-0726: Address space leakage through /proc/pid/stat.
Installing [00ahpz3z] CVE-2011-0711: Information leak in XFS filesystem.
Installing [iczdh30p] CVE-2010-4250: Reference count leak in inotify failure path.
Installing [ea8bohrp] Infinite loop in tty auditing.
Installing [85iuyyyj] Buffer overflow in iptables CLUSTERIP target.
Installing [8o0892h3] CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.
Installing [p3ck0dr6] CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.
Installing [w8sa7qie] CVE-2011-1016: Privilege escalation in radeon GPU driver.
Installing [aqnhua0z] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [mla0f8wz] CVE-2011-1082: Denial of service in epoll.
Installing [5dbkxjue] CVE-2011-1090: Denial of service in NFSv4 client.
Installing [4qj7c7qc] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [3vf1zjzf] CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [a03rwxbz] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [7z04dctw] Incorrect interrupt handling on down e1000 interface.
Installing [ep319ryq] CVE-2011-1770: Remote denial of service in DCCP options parsing.
Installing [qp7al6tc] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [85n0mc4q] CVE-2011-1598: Denial of service in CAN/BCM protocol.
Installing [z8t1hsjb] CVE-2011-1748: Denial of service in CAN raw sockets.
Installing [pvtdn3yd] CVE-2011-1767: Incorrect initialization order in ip_gre.
Installing [xughs2jb] CVE-2011-1768: Incorrect initialization order in IP tunnel protocols.
Installing [k6a6bqyr] CVE-2011-2479: Denial of service with transparent hugepages and /dev/zero.
Installing [pmkvbrcc] CVE-2011-1776: Missing boundary checks in EFI partition table parsing.
Installing [pb9pjnnn] CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
Installing [mnpd8mip] CVE-2011-1593: Missing bounds check in proc filesystem.
Installing [d6vuea6w] CVE-2011-2213: Arbitrary code injection bug in IPv4 subsystem.
Installing [zmfowuqn] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [402w3brr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [vi7qxs20] CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.
Installing [ql0oxrhk] CVE-2011-2517: Buffer overflow in nl80211 driver.
Installing [0xcbigxp] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [127f4d1u] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [w72wz6f4] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [c8v0sk8t] CVE-2011-1160: Information leak in tpm driver.
Installing [1nt1dahj] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [bxqvqvef] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [d4m9k310] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [3vlbyy24] CVE-2011-2496: Local denial of service in mremap().
Installing [e0lkqz3i] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [99r3sbjg] CVE-2011-2898: Information leak in packet subsystem
Installing [3ev4sw2b] CVE-2011-2918: Denial of service in event overflows in perf.
Installing [ll9j5877] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [ww2gv7iv] CVE-2011-3359: Denial of service in Broadcom 43xx wireless driver.
Installing [9x0ub4l1] CVE-2011-3363: Denial of service in CIFS via malicious DFS referrals.
Installing [ggvpdbug] CVE-2011-3188: Weak TCP sequence number generation.
Installing [z4pt0sai] CVE-2011-1577: Denial of service in GPT partition handling.
Installing [omnzxxxr] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Installing [o4xkg2el] CVE-2011-3191: Privilege escalation in CIFS directory reading.
Installing [e2eyyaf9] CVE-2011-1162: Information leak in TPM driver.
Installing [1fmgtd1b] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Installing [ldjwxwd5] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [tnhvync5] CVE-2011-2494: Information leak in task/process statistics.
Installing [gi4te905] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Installing [h1wiua6s] CVE-2011-4110: Denial of service in kernel key management facilities.
Installing [4yrxpwih] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [gz5jfzi3] CVE-2011-1020: Missing access restrictions in /proc subsystem.
Installing [o31erbbr] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [yqaa1zsp] Arithmetic overflow in clock source calculations.
Installing [vxfxrncu] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rnvy1bow] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
Installing [5bokjzmm] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [q7t7hls4] CVE-2011-4347: Denial of service in KVM device assignment.
Installing [wmeoffm9] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
Installing [gu3picnz] CVE-2012-0038: In-memory corruption in XFS ACL processing.
Installing [v2td9qse] CVE-2012-0045: Denial of service in KVM system call emulation.
Installing [n2xairv0] CVE-2012-0879: Denial of service in CLONE_IO.
Installing [2k2kq44h] Fix crash on discard in the software RAID driver.
Installing [i244mlk5] CVE-2012-1097: NULL pointer dereference in the ptrace subsystem.
Installing [2anjx00z] CVE-2012-1090: Denial of service in the CIFS filesystem reference counting.
Installing [3ujb9j7q] Inode corruption in XFS inode lookup.
Installing [01x2k6jv] Denial of service due to race condition in the scheduler subsystem.
Installing [hfh1ug4u] CVE-2011-4086: Denial of service in journaling block device.
Installing [4wb0i9tz] CVE-2012-1601: Denial of service in KVM VCPU creation.
Installing [aqut3qai] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
Installing [0zkt2e47] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Installing [pe6u1nwx] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [jqtlake1] CVE-2012-2121: Memory leak in KVM device assignment.
Installing [u6ys5804] CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.
Installing [lr9cjz2p] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [nscqru85] CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.
Installing [j01o1nco] ext4 filesystem corruption on fallocate.
Installing [p37lmn34] CVE-2012-2745: Denial-of-service in kernel key management.
Installing [alprvnsv] CVE-2012-2744: Remote denial-of-service in IPv6 connection tracking.
Installing [m06ws6vc] Unreliable futexes with read-only shared mappings.
Installing [b7mpy2k1] CVE-2011-1078: Information leak in Bluetooth SCO link driver.
Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [2ibdnvmo] Livelock due to invalid locking strategy when adding a leap-second.
Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
Installing [m4x7vdnl] CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.
Installing [o2a3jmox] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [u3qpyl86] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wr1of5oe] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [y40wlmcw] CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.
Installing [dxshabnc] Use-after-free in USB.
Installing [aovf4isj] Race condition in SUNRPC.
Installing [trz9wa6p] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [062ge0uf] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [tu585kp5] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [fky5li3t] CVE-2012-2133: Use-after-free in hugetlbfs quota handling.
Installing [xtpg99y6] CVE-2012-5517: NULL pointer dereference in memory hotplug.
Installing [ffehzdo8] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [u0d6ztl3] CVE-2012-4565: Divide by zero in TCP congestion control Algorithm.
Installing [7au7wp12] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [80vrmgyk] CVE-2012-4530: Kernel information leak in binfmt execution.
Installing [uytq1dk0] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [3c5erej0] CVE-2013-0310: NULL pointer dereference in CIPSO socket options.
Installing [j8x8j89y] CVE-2013-0311: Privilege escalation in vhost descriptor management.
Installing [mkibg12j] CVE-2012-4508: Stale data exposure in ext4.
Installing [daw7s3mo] CVE-2012-4542: SCSI command filter does not restrict access to read-only devices.
Installing [nqlo7yy2] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [l6zf9mec] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [r88p6prz] CVE-2013-1798: Information leak in KVM APIC driver.
Installing [tquaqo7o] CVE-2013-1792: Denial-of-service in user keyring management.
Installing [ao71x17l] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [875umolk] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [4dr93r2j] CVE-2013-1827: Denial-of-service in DCCP socket options.
Installing [cdrfdlrt] CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.
Installing [9j8xk8dz] CVE-2012-6546: Information leak in ATM sockets.
Installing [4oeurjvw] CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
Installing [yhprsmoc] CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.
Installing [amh400jp] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [532069fc] CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport serial driver.
Installing [uaslykxk] CVE-2013-2017: Double free in Virtual Ethernet Tunnel driver (veth).
Installing [1vegmzxj] CVE-2013-1943: Local privilege escalation in KVM memory mappings.
Installing [wddz9qxt] CVE-2012-6548: Information leak in UDF export.
Installing [d51dm2vs] CVE-2013-0914: Information leak in signal handlers.
Installing [sxb5x0pd] CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.
Installing [vzlh2p9r] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [l1wlz1f1] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [m0y7j4ra] CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.
Installing [3m5ckvvm] CVE-2013-3301: NULL pointer dereference in tracing sysfs files.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [0m3a5xq8] CVE-2013-2128: Denial of service in TCP splice.
Installing [2fg4nowt] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [m4a0xb93] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [pqfoprcp] CVE-2013-2237: Information leak on IPSec key socket.
Installing [i1ha5yp7] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [aqfegdn1] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [oojymn3l] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
Installing [kb7zovzd] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [7ew8svwd] Off-by-one error causes reduced entropy in kernel PRNG.
Installing [v3hs5diu] CVE-2013-2888: Memory corruption in Human Input Device processing.
Installing [aew2tmdl] CVE-2013-2889: Memory corruption in Zeroplus HID driver.
Installing [ox2wqeva] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [w9rhkfub] CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.
Installing [r55nqyci] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [1vgf62zi] CVE-2013-2234: Information leak in IPsec key management.
Installing [hc532irb] CVE-2013-2851: Format string vulnerability is software RAID device names.
Installing [e129vh8h] CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.
Installing [9wzwcaep] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [ufm8ladu] CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.
Installing [5rh9jkmi] CVE-2013-6367: Divide-by-zero in KVM LAPIC.
Installing [ur8700aj] CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.
Installing [nyg2e0m1] Error in the tag insertion logic of the bonding network device.
Installing [1ekik21n] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [m8de4fmg] CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.
Installing [p4ufjdr0] CVE-2014-0101: NULL pointer dereference in SCTP protocol.
Installing [o86dh6ww] Use-after-free in EDAC Intel E752X driver.
Installing [b2h8hej4] Deadlock in XFS filesystem when removing a inode from namespace.
Installing [nvhmnvp6] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [7brqevk0] CVE-2013-1860: Buffer overflow in Wireless Device Management driver.
Installing [4nh0vuhi] Missing check in selinux for IPSec TCP SYN-ACK packets.
Installing [zvvk1k2q] Logic error in selinux when checking permissions on recv socket.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [1r5tw9sm] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [z4k7xryp] CVE-2014-2523: Remote crash via DCCP conntrack.
Installing [pi89wa2j] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [b4x8o44g] CVE-2014-0196: Pseudo TTY device write buffer handling race.
Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
Installing [bqk9mi1j] CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.
Installing [rokmr7ey] CVE-2014-1874: Denial-of-service in SELinux on empty security context.
Installing [hxq9cdju] CVE-2014-0203: Memory corruption on listing procfs symbolic links.
Installing [n6kpf53d] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [pbab6ibn] CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.
Installing [8n932y6h] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
Installing [yfh1rar2] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [5z4hhyp3] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [1vpc7i76] CVE-2012-6647: NULL pointer dereference in non-pi futexes.
Installing [ruu6bc4r] CVE-2014-3144, CVE-2014-3145: Multiple local denial of service vulnerabilities in netlink.
Installing [hgeqfh2x] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [345v5a2z] CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.
Installing [92st5y9o] CVE-2014-0205: Use-after-free in futex refcounting.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6

real    1m26.960s
user    0m39.562s
sys     0m34.806s

And now, 1 min 27 seconds for 267 patches, both CVEs and critical fixes...

15 Oct 2014 9:15pm GMT

Wim Coekaerts: The magic of ksplice

I love talking about Oracle Ksplice and how cool a technology and feature it is. Whenever I explain to customers how much they can do with it, they often just can't believe the capabilities until I show them, in a matter of literally 5 seconds, that it actually really -just works-.

During Oracle OpenWorld, we talked about it a lot, of course, and I wanted to show you how far back these ksplice updates can go, how much flexibility it gives a system administrator in terms of which kernel to use, and how easy and fast it is.

One of the main advantages of the ksplice technology is our ability to build these updates for many, many, yes many, kernels with a highly automated and scalable build infrastructure. When we publish a ksplice update, we build it for -every kernel errata- released since the first kernel of that major distribution release that we started to support. What does this mean? In the case of Oracle Linux 5, we currently support ksplice updates starting with the kernel of Oracle Linux 5 update 4. That base kernel is the Red Hat Compatible Kernel: 2.6.18-164.el5, built Thu Sep 3 04:15:13 EDT 2009. Yes, you read that right, September 2009. So during the lifetime of Oracle Linux 5, starting with that kernel, we publish ksplice updates for every kernel from then to today (and forward, of course). No matter which errata kernel or major Oracle Linux 5 release you are on, as long as it is -164 or later, the ksplice updates released after that date will be available for it. A simple uptrack-upgrade will take that running kernel up to the latest updates. While the main focus of the ksplice online updates is CVEs, we also add critical fixes, so it's a combination of both.

So back to OL5.4: running uname shows 2.6.18-164.el5. After uptrack-upgrade -y it will say 2.6.18-398.el5 (which, by the way, is the latest 2.6.18 kernel for OL5). You can see the output below, including how many 'minutes' it took, without a reboot, with everything current and active right away. You can follow the timeframe by looking at the year right behind each CVE: you will see CVEs from 2009, 2010, 2011, 2012, 2013 and 2014. Completely current.

Now, this can be done on a running system. To install ksplice and start using it, you don't need to reboot; just install the uptrack tools and you're good to go. You can stay current with CVEs and critical bugs without rebooting for years. You can be current even though you run an older update release of Oracle Linux, and you are not required to take new kernels that (in the RHCK case) potentially have new features backported, introducing new code beyond bugfixes and new device drivers, which you don't necessarily want or need on a system that's stable. It's always good to update to newer kernels when you get new hardware and need new device drivers, but for existing stable production systems you don't really want or need that, nor do you necessarily need stuff from new kernels backported into older versions (again, in particular in the RHCK case), which introduces a lot of change; I will show a lines-of-code comparison in another blog entry. ksplice lets you stick with an older version, yet anything critical and CVE related will be there for you, and this for any errata kernel you start with since, in the OL5 case, update 4. Not just one update earlier, but any kernel at any point in time.

If you do have periodic scheduled reboots, fine: install the kernel rpms if you want, so that the next time you reboot it boots into the latest kernel, but you don't have to. You have complete flexibility if and when you need it.

I hope that this output, and a follow-up blog I will do on OL6 as a similar example, shows how scalable this is, how much use this has had, how many updates we have done and can do, and how complex these updates are (not just a one-liner change in some file), not a one-off for one customer case but scalable. There are also tons of checks in place so that it works with kernel modules and won't lock up your box: we validate that it's the right kernel, that these updates are safe to apply, etc. Proven, 7+ year old technology, and completely supported by us. You can run your database or middleware software and run uptrack-upgrade while it's up and running and humming along... perfectly OK.
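The post suggests reading the year behind each CVE in the output to see how far back the live updates reach. As an added example (not Oracle's tooling and not code from the post), the Python below turns uptrack-upgrade output like the listing that follows into a patch inventory: updates applied, CVE ids addressed per year, fixes without a CVE, and the effective kernel version. It assumes, as a labelled heuristic, that an update addresses a CVE only when its title opens with CVE ids; the sample lines are constructed from the formats seen in the post's output.

```python
"""Summarise "uptrack-upgrade -y" output into a patch inventory: updates
applied, CVE ids addressed (grouped by year), other fixes, and the effective
kernel version.  Added example for this post, not Oracle's own tooling."""
import re
from collections import Counter

# One "Install [id] title" or "Installing [id] title" line.
_STEP_RE = re.compile(r"^Install(?:ing)?\s+\[([0-9a-z]+)\]\s+(.*)$")
# Trailer line naming the kernel version the host now effectively runs.
_KERNEL_RE = re.compile(r"^Effective kernel version is (\S+)$")
# A full id, CVE-YYYY-NNNN or CVE-YYYY-(bracket shorthand), or a bare number
# such as the "2635" in "CVE-2013-2634, 2635", which inherits the year.
_ID_RE = re.compile(r"CVE-(\d{4})-(?:\(([^)]*)\)|(\d{4,}))|(\d{4,})")


def _expand_group(year, body):
    """Expand the bracket shorthand this output uses, e.g. for year 2013
    "726[6789], 3231" -> CVE-2013-7266 .. CVE-2013-7269, CVE-2013-3231."""
    ids = []
    for item in body.split(","):
        m = re.fullmatch(r"(\d+)(?:\[(\d+)\])?", item.strip())
        if not m:
            continue  # unknown shorthand: skip rather than guess an id
        prefix, digits = m.groups()
        for d in (digits or [""]):
            ids.append(f"CVE-{year}-{prefix}{d}")
    return ids


def cves_in_title(title):
    """CVE ids an update addresses, judged by its title.
    Assumption (not stated by the tool): an update fixes a CVE only when the
    text before the first ':' opens with CVE ids.  A CVE mentioned later
    ("Improved fix to CVE-...") refers to an earlier update and is not counted."""
    head = title.split(":", 1)[0].strip()
    if not head.startswith("CVE-"):
        return []
    ids, year = [], None
    for m in _ID_RE.finditer(head):
        full_year, group, number, bare = m.groups()
        if full_year:
            year = full_year
            if group is not None:
                ids.extend(_expand_group(year, group))
            else:
                ids.append(f"CVE-{year}-{number}")
        elif year:
            ids.append(f"CVE-{year}-{bare}")  # shorthand continuation
    return ids


def summarise(text):
    """Parse uptrack-upgrade output and return an inventory dict."""
    update_ids, non_cve, cves, kernel = [], [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        k = _KERNEL_RE.match(line)
        if k:
            kernel = k.group(1)
            continue
        m = _STEP_RE.match(line)
        if not m:
            continue  # banner, timing and status lines carry no update
        uid, title = m.groups()
        update_ids.append(uid)
        found = cves_in_title(title)
        if found:
            cves.update(found)
        else:
            non_cve.append(uid)  # critical fix without a CVE id
    by_year = Counter(c.split("-")[1] for c in cves)
    return {
        "update_count": len(update_ids),
        "cves": sorted(cves),
        "by_year": dict(sorted(by_year.items())),
        "non_cve_updates": non_cve,
        "effective_kernel": kernel,
    }


# Constructed sample in the exact formats the post's output uses.
SAMPLE = """\
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6
"""

if __name__ == "__main__":
    report = summarise(SAMPLE)  # use sys.stdin.read() for real tool output
    print(report["update_count"], "updates;", len(report["cves"]), "CVEs:", report["by_year"])
```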

time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Install [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Install [qdlkztzx] Kernel crash forwarding network traffic.
Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Install [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Install [xem0m4sg] Floating point state corruption after signal.
Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Install [3ulklysv] CVE-2010-0307: Denial of service on amd64
Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Install [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Install [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Install [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Install [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Install [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Install [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Install [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Install [ff1wrijq] Buffer overflow in icmpmsg_put.
Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Install [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Install [usukkznh] Mitigate denial of service attacks with large argument lists.
Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Install [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Install [ifgdet83] Use-after-free in MPT driver.
Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Install [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Install [jz43fdgc] Denial of service in NFS server via reference count leak.
Install [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Install [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Install [ofrder8l] Hangs using direct I/O with XFS filesystem.
Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Install [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Install [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Install [uknrp2eo] Denial of service in filesystem unmounting.
Install [97u6urvt] Soft lockup in USB ACM driver.
Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Install [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Install [bvoz27gv] Arithmetic overflow in clock source calculations.
Install [lzwurn1u] ext4 filesystem corruption on fallocate.
Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [9do532u6] Kernel panic when overcommiting memory with NFSd.
Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Install [l093jvcl] Kernel panic in SMB extended attributes.
Install [qlzoyvty] Kernel panic in ext3 indirect blocks.
Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Install [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Install [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Install [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Install [pz65qqpk] Panic in GFS2 filesystem locking code.
Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Installing [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Installing [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Installing [qdlkztzx] Kernel crash forwarding network traffic.
Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Installing [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Installing [xem0m4sg] Floating point state corruption after signal.
Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64
Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Installing [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Installing [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Installing [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Installing [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Installing [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Installing [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Installing [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Installing [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Installing [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Installing [5mgd1si0] Improved fix to CVE-2010-1173.
Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Installing [ff1wrijq] Buffer overflow in icmpmsg_put.
Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [usukkznh] Mitigate denial of service attacks with large argument lists.
Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Installing [ifgdet83] Use-after-free in MPT driver.
Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Installing [jz43fdgc] Denial of service in NFS server via reference count leak.
Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Installing [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Installing [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.
Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Installing [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Installing [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Installing [uknrp2eo] Denial of service in filesystem unmounting.
Installing [97u6urvt] Soft lockup in USB ACM driver.
Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Installing [bvoz27gv] Arithmetic overflow in clock source calculations.
Installing [lzwurn1u] ext4 filesystem corruption on fallocate.
Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.
Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [l093jvcl] Kernel panic in SMB extended attributes.
Installing [qlzoyvty] Kernel panic in ext3 indirect blocks.
Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Installing [pz65qqpk] Panic in GFS2 filesystem locking code.
Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5

real    0m59.447s
user    0m22.640s
sys     0m22.611s

One minute for 215 updates. And this isn't one minute of hang: each patch is applied on its own and takes only a few microseconds to apply, so your applications or users won't experience hangs or hiccups at all.
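One practical point about a run like the one above: a vulnerability scanner that keys on the kernel version string will not see these fixes, because live patching does not change what `uname -r` reports, so the uptrack output itself becomes the record of which CVEs are patched on the box. As an added example (not code from the original post or from Ksplice), here is a small Python parser for lines in the format shown above. The sample lines are a few entries copied from the output above and are labelled as such; CVEs listed before the colon are treated as the ones an update fixes, while CVEs that appear only in the body of a description ("regression introduced by CVE-... fix", "Improved fix to CVE-...") are recorded as mentions so they are not mistaken for fixed ones. The `reconcile` function and the advisory list it takes are assumptions for the illustration.

```python
import re

# Constructed sample: a handful of lines in the same format as the uptrack
# output quoted in the post (the full log is several hundred lines).
SAMPLE_OUTPUT = """\
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Installing [5mgd1si0] Improved fix to CVE-2010-1173.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5
"""

# "Install [id] text" lists pending updates; "Installing [id] text" is the apply phase.
LINE_RE = re.compile(r"^(Install|Installing) \[([0-9a-z]{8})\] (.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
VERSION_RE = re.compile(r"^Effective kernel version is (\S+)$")


def parse_uptrack_output(text):
    """Return (updates, effective_version) parsed from uptrack-style output.

    Each update is a dict: phase, id, fixes (CVEs named before the first colon,
    i.e. the ones the update addresses), mentions (CVEs that only appear in the
    free text), description.
    """
    updates = []
    version = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            phase, uid, desc = m.groups()
            head, sep, tail = desc.partition(":")
            if sep:
                fixes = CVE_RE.findall(head)
                mentions = CVE_RE.findall(tail)
            else:
                # No "CVE-...: description" prefix: any CVE here is context only.
                fixes = []
                mentions = CVE_RE.findall(desc)
            updates.append({
                "phase": phase,
                "id": uid,
                "fixes": fixes,
                "mentions": mentions,
                "description": desc,
            })
            continue
        v = VERSION_RE.match(line)
        if v:
            version = v.group(1)
    return updates, version


def applied_count(updates):
    """Number of updates that reached the 'Installing' phase."""
    return sum(1 for u in updates if u["phase"] == "Installing")


def applied_cves(updates):
    """Set of CVE ids fixed by updates that were actually installed."""
    return {cve for u in updates if u["phase"] == "Installing" for cve in u["fixes"]}


def reconcile(updates, advisory_cves):
    """Hypothetical reconciliation step: split an advisory's CVE list into those
    covered by an applied update and those not (assumed workflow, not Ksplice's)."""
    applied = applied_cves(updates)
    covered = sorted(c for c in advisory_cves if c in applied)
    missing = sorted(c for c in advisory_cves if c not in applied)
    return covered, missing


if __name__ == "__main__":
    ups, ver = parse_uptrack_output(SAMPLE_OUTPUT)
    print(f"{applied_count(ups)} updates applied; effective kernel {ver}")
    print("fixed CVEs:", sorted(applied_cves(ups)))
    print("reconcile:", reconcile(ups, ["CVE-2010-4080", "CVE-2010-1083"]))
```

Note that CVE-2010-1083 in the sample is only mentioned (the line is about a regression caused by its fix), so the parser correctly reports it as not covered unless the actual fix line for it is present in the log.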

15 Oct 2014 9:09pm GMT