A recent SUSE security update patched 8 kernel bugs — including a nasty remote DoS (CVE-2025-71120, CVSS 8.7) and local privilege escalations. But here's the thing: the kernel is shared, so the same flaws affect every Linux distribution that ships an affected kernel version. This guide shows you how to check whether you are exposed and how to fix it permanently.
How to check if you are vulnerable
Run these commands right now; pick the block for your distro:
Ubuntu / Debian
# Check running kernel version
uname -r
# Refresh package lists, then see if a newer kernel is available
sudo apt update
apt list --upgradable | grep linux-image
# Check which installed packages still receive security updates
# (Ubuntu 20.04+; the tool is shipped by update-manager-core, not as its own package)
sudo apt install update-manager-core
ubuntu-security-status
Rocky Linux / RHEL / AlmaLinux
# Current kernel
uname -r
# Check for security updates
sudo dnf check-update --security
# List kernel-related CVEs already fixed
sudo dnf updateinfo list --cves
SUSE / openSUSE (the original advisory)
# Verify running kernel
uname -r
# List pending patches that touch the kernel
sudo zypper list-patches | grep -i kernel
# Install the specific fix (patch ID from the advisory)
sudo zypper in -t patch SUSE-2026-1259=1
Universal method (any distro)
# Print the running kernel's major.minor and compare it with the series your distro currently ships
uname -r | awk -F. '{print $1"."$2}'
# Check whether the modules discussed in this guide are loaded at all
# (lsmod shows what is loaded, not whether it is patched, so pair it with the version check above)
lsmod | grep -E "(i40e|nf_tables|macvlan)"
Automation script to apply the fix
#!/bin/bash
# Universal kernel security updater
# Works on Ubuntu 20.04+, Rocky 8/9, openSUSE 15+, Debian 11+
set -e

DISTRO=$(grep ^ID= /etc/os-release | cut -d= -f2 | tr -d '"')
echo "[+] Checking for kernel security updates on $DISTRO..."

case $DISTRO in
    ubuntu)
        sudo apt update
        # The metapackage pulls in the newest kernel image for the release
        sudo apt install -y linux-image-generic
        ;;
    debian)
        sudo apt update
        # Debian names its kernel metapackage by architecture (linux-image-amd64, linux-image-arm64, ...)
        sudo apt install -y "linux-image-$(dpkg --print-architecture)"
        ;;
    rocky|rhel|almalinux|centos)
        sudo dnf update -y --security kernel
        ;;
    opensuse-leap|sles)
        sudo zypper --non-interactive patch --category security
        sudo zypper --non-interactive in -t patch SUSE-2026-1259=1 2>/dev/null \
            || echo "Patch may not apply to your exact SUSE version"
        ;;
    *)
        echo "Unknown distro. Please update kernel manually."
        exit 1
        ;;
esac

echo "[+] Kernel updated. You need to reboot."
read -p "Reboot now? (y/n): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
    sudo reboot
fi
Make it executable: chmod +x kernel-fix.sh && sudo ./kernel-fix.sh
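As an added example (not the post's own script), here is a distro-neutral check for the question the checklist asks: is the kernel you are running actually the newest one installed, or has an update been applied without a reboot? It assumes GNU sort with -V and that installed kernels live under /lib/modules/<version>/ (true on Debian/Ubuntu, the RHEL family and SUSE).

```bash
#!/bin/bash
# Added example, not from the original post: detect a kernel update that has
# been installed but not yet booted by comparing `uname -r` with the newest
# version directory under /lib/modules.
# Assumptions: GNU `sort -V` is available and /lib/modules/<version>/ exists
# for every installed kernel.

# newest_version <ver>... : print the highest version among the arguments
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# reboot_needed <running> <installed>... : exit 0 if some installed kernel is
# newer than the running one, 1 otherwise
reboot_needed() {
    running="$1"; shift
    newest=$(newest_version "$running" "$@")
    [ "$newest" != "$running" ]
}

# check_system : run the comparison against the local machine
check_system() {
    running=$(uname -r)
    installed=$(ls /lib/modules 2>/dev/null)
    # word-splitting of $installed is intended: one version per argument
    # shellcheck disable=SC2086
    if reboot_needed "$running" $installed; then
        echo "[!] running $running but $(newest_version $installed) is installed: reboot needed"
        return 1
    fi
    echo "[+] running kernel $running is the newest installed"
}

# Only touch the live system when asked: bash kernel-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_system
fi
```

The exit status of check_system is non-zero when a reboot is pending, so it can be dropped into a cron job or monitoring check as-is.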
Alternative mitigation (if you can't update now)
Can't reboot? Production system frozen? Here are immediate workarounds:
Block the remote attack path (CVE-2025-71120 - SUNRPC)
# Block NFS (which runs over SUNRPC) temporarily; only relevant if this host exposes port 2049 (adjust ports if needed)
sudo iptables -A INPUT -p tcp --dport 2049 -j DROP
sudo iptables -A INPUT -p udp --dport 2049 -j DROP
# Save rules (Ubuntu/Debian)
sudo apt install iptables-persistent && sudo netfilter-persistent save
# Save rules (RHEL/Rocky; needs the iptables-services package, hosts running firewalld should add the rule there instead)
sudo service iptables save
Disable vulnerable netfilter module (CVE-2026-23111)
# Blacklist the module so it is not loaded again at boot
echo "blacklist nf_tables" | sudo tee -a /etc/modprobe.d/security-blacklist.conf
# Remove it if already loaded. This fails while a firewall (firewalld, ufw, iptables-nft) still uses it,
# and on current distros iptables itself is backed by nf_tables, so this mitigation removes the host
# firewall and cannot be combined with the iptables rules above.
sudo modprobe -r nf_tables
# Verify
lsmod | grep nf_tables   # Should return nothing
Restrict macvlan interface creation
# Prevent unprivileged users from creating macvlan interfaces: without a user namespace they lack
# CAP_NET_ADMIN, so disabling unprivileged user namespaces closes that path.
# Caveat: this also breaks rootless containers, Flatpak and browser sandboxes; use on single-purpose servers only.
echo "user.max_user_namespaces=0" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Log nftables use with AppArmor
# Install AppArmor utils (Ubuntu/Debian)
sudo apt install apparmor-utils
# AppArmor confines user-space programs, not kernel modules, so it cannot wrap nf_tables itself.
# What it can do is put nft(8), the tool that drives nf_tables from user space, in complain mode
# (log but not block), provided a profile for it exists; check with aa-status first.
sudo aa-status | grep -i nft
sudo aa-complain /usr/sbin/nft
✅ Final checklist (save this)
- Run uname -r and compare with your distro's latest kernel
- Apply the automation script above
- If no reboot is allowed, implement at least 2 of the workarounds from the "Alternative mitigation" section
- Test your application after reboot (kernel updates break some proprietary drivers)
- Subscribe to your distro's security announce list