Files
nym/documentation/docs/components/operators/snippets/troubleshooting-linux-vulnerability.mdx
import this 26538f5a40 Patch: Linux kernel vulnerability patch (#6773)
* add guide component

* add mitigate kernel playbook

* add to troubleshooting

* remove redundant

* remove redundant

* FIX ISSUES

* fix

* fix url to raw

* update docs and add new playbook

* update and simplify docs and ansible

* create ntm explanation component and import it

* rm mistaken empty file

* rm crap

* rm crap

* rm all crap

* try to fix nextra screaming seagul

* try to fix nextra screaming seagul

* try to fix nextra screaming seagul

* UX improvement by logic refactoring

* UX improvement by logic refactoring

* UX improvement by logic refactoring

* UX improvement by logic refactoring

* fix header urls

* fix command syntax

* fix indentation

* update auto-stats

* resolve review comments

* resolve review comments in docs

* fix remove kernel book

* soften warning

* address comments

* address comments

* update stats
2026-05-20 09:17:36 +02:00

292 lines
10 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import { Callout } from 'nextra/components';
import { Steps } from 'nextra/components';
import { Tabs } from 'nextra/components';
import { MyTab } from 'components/generic-tabs.tsx';
import { AccordionTemplate } from 'components/accordion-template.tsx';
import NTMExplanation from 'components/operators/snippets/ntm-accordion-explanation.mdx';
## Security Patch: `CopyFail` & `DirtyFrag`
In spring 2026 two critical Linux kernel vulnerabilities had been disclosed. Both allow any local user or process to gain root access on the machine - no special permissions needed.
<Callout type="warning" emoji="⚠️">
**What is exposed?** An attacker (or any compromised process) can take full control of the machine: read or exfiltrate everything, modify files, install backdoors, or escape containers onto the host.
</Callout>
**Security patch required! Follow these steps to patch the vulnerability as soon as possible!**
**CVEs covered**
| CVE | Name | Affected module |
|---|---|---|
| `CVE-2026-31431` | `CopyFail` | `algif_aead` |
| `CVE-2026-43284` | `DirtyFrag` | `esp4`, `esp6` |
| `CVE-2026-43500` | `DirtyFrag` | `rxrpc` |
<div>
<Tabs items={[
<strong>Directly on the hosting server</strong>,
<strong>Using Ansible</strong>,
]} defaultIndex="0">
<MyTab>
<Steps>
<Callout type="warning" emoji="⚠️">
**This guide is written from root perspective, please add `sudo` to your commands if you are non-root user.**
</Callout>
###### 1. Check if mitigations are already applied
Many hosting providers already applied these mitigations automatically via `unattended-upgrades`. Run these checks first:
```sh
cat /etc/modprobe.d/disable-algif_aead.conf 2>/dev/null && echo "Already mitigated" || echo "Not yet mitigated"
cat /etc/modprobe.d/dirtyfrag.conf 2>/dev/null && echo "Already mitigated" || echo "Not yet mitigated"
```
Compare your output to this table:
| Check | Safe output | Action if not safe |
|---|---|---|
| `disable-algif_aead.conf` | `Already mitigated` | Go to [Step 2](#2-apply-the-interim-mitigation---disable-algif_aead) |
| `dirtyfrag.conf` | `Already mitigated` | Go to [Step 3](#3-apply-the-interim-mitigation---disable-esp4-esp6-and-rxrpc) |
If both checks are `Already mitigated` - **you are done, no further action needed.**
###### 2. Apply the interim mitigation - disable `algif_aead`
The fastest fix on Debian/Ubuntu is to update the `kmod` package - this is how [providers applied it](https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available) automatically and avoids a reboot:
```sh
apt update && apt install --only-upgrade kmod
rmmod algif_aead 2>/dev/null || true
```
- Alternatively, apply manually:
```sh
echo "install algif_aead /bin/false" | tee /etc/modprobe.d/disable-algif_aead.conf
rmmod algif_aead 2>/dev/null || true
```
- Drop page cache to clear any contamination:
```sh
echo 3 > /proc/sys/vm/drop_caches
```
<Callout type="info" emoji="️">
No reboot is required unless the module was already in active use by a running process. The `rmmod` command above unloads it live.
</Callout>
<Callout type="warning" emoji="⚠️">
**RHEL, AlmaLinux, Rocky, CentOS** only: this module is baked into the kernel on these distros - the command above does nothing. You must wait for a patched kernel from your distro and apply it when available.
</Callout>
Continue to [Step 4](#4-restore-gateway-egress-routing--wireguard-functionality).
###### 3. Apply the interim mitigation - disable `esp4`, `esp6`, and `rxrpc`
```sh
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
rmmod esp4 esp6 rxrpc 2>/dev/null || true
```
- Drop page cache to clear any contamination:
```sh
echo 3 > /proc/sys/vm/drop_caches
```
Continue to [Step 4](#4-restore-gateway-egress-routing--wireguard-functionality).
###### 4. Restore Gateway egress routing & WireGuard functionality
<Callout type="warning" emoji="⚠️">
This step applies only to Gateway nodes. Skip this step for Mixnodes.
</Callout>
If your server was rebooted for any reason, all iptables rules including NAT, forwarding rules, and the `NYM-EXIT` chain are dropped. Unless `iptables-persistent` was already configured, these rules are gone.
- Run the [Nym network tunnel manager](https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh) (NTM) to restore and persist everything. NTM will also install `iptables-persistent` if not already present, ensuring rules survive future reboots:
```sh
curl -L "https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh" -o network-tunnel-manager.sh
```
- Run NTM (Standard SSH on port 22 (default)):
```sh
chmod +x ./network-tunnel-manager.sh &&
./network-tunnel-manager.sh complete_networking_configuration
```
- NTM on non-standart SSH port (replace `2222` with your actual port):
```sh
chmod +x ./network-tunnel-manager.sh &&
HOST_SSH_PORT=2222 ./network-tunnel-manager.sh complete_networking_configuration
```
<NTMExplanation />
###### 5. Verify egress routing & WireGuard functionality
There are a few ways to check that your WireGuard is working correctly:
- Connect to your node in NymVPN as an exit node in the *Fast* mode, if you rebooted it may take up to one hour for the node to be working properly again
- Verify WireGuard handshakes are resuming inside the node:
```sh
watch -n 5 'wg show all | grep -E "peer|latest handshake|transfer"'
```
Within 6090 seconds you should see `latest handshake: X seconds ago` timestamps appearing next to active peers and transfer bytes incrementing. Press `Ctrl+C` to exit the watch loop.
</Steps>
</MyTab>
<MyTab>
If you are using Ansible you can use this playbook [mitigate_kernel_CVE.yml](https://github.com/nymtech/nym/tree/develop/ansible/nym-node/playbooks/mitigate_kernel_CVE.yml).
<Steps>
###### 1. Create new playbook
- Navigate to your Nym node Ansible directory with all playbooks (`/playbooks`)
- You can double check that you are in the right place, running `ls` command and checking this output:
<AccordionTemplate name="Command output">
```
ansible.cfg bond.yml deploy.yml group_vars inventory system-maintenance.yml upgrade.yml
```
</AccordionTemplate>
- Download the playbook
```sh
curl -o mitigate_kernel_CVE.yml -L https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/ansible/nym-node/playbooks/mitigate_kernel_CVE.yml
```
- To control, run `ls` again
<AccordionTemplate name="Command output">
```
ansible.cfg bond.yml deploy.yml group_vars inventory mitigate_kernel_CVE.yml system-maintenance.yml upgrade.yml
```
</AccordionTemplate>
###### 2. Run playbook `mitigate_kernel_CVE.yml`
- For safety start only with one node:
```sh
ansible-playbook mitigate_kernel_CVE.yml -l node1
```
- Check if everything worked smooth on the node machine
- Run on all machines in your inventory
```sh
ansible-playbook mitigate_kernel_CVE.yml
```
###### 3. Ensure routing & WireGuard functionality
<Callout type="warning" emoji="⚠️">
This step applies only to Gateway nodes. Skip this step for Mixnodes.
</Callout>
In case your hosting servers rebooted all iptables rules including NAT, forwarding rules, and the `NYM-EXIT` chain, are dropped. Unless `iptables-persistent` was already configured before the reboot, these rules are gone.
- Run the [Nym network tunnel manager](https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh) (NTM) to restore and persist everything, using Ansible playbook `deploy.yml` pointing to the correct role:
- For safety start only with one node:
```sh
ansible-playbook deploy.yml -t ntm -l node1
```
- Check if everything worked smooth on the node machine
- Run on all machines in your inventory
```sh
ansible-playbook deploy.yml -t ntm
```
###### 4. Verify egress routing & WireGuard functionality
- Connect to your node in NymVPN as an exit node in the *Fast* mode, it may take up to one hour for the node to be working properly again
In case something doesn't work fine, please check the manual steps and [troubleshooting steps](#troubleshooting-wireguard-handshake-fails-after-patching) below
</Steps>
</MyTab>
</Tabs>
</div>
### Troubleshooting: WireGuard handshake fails after patching
If after completing all steps above WireGuard peers are still not handshaking and you can't connect to your node via NymVPN, work through this checklist:
<Steps>
###### 1. Confirm blacklists are in place
```sh
cat /etc/modprobe.d/disable-algif_aead.conf 2>/dev/null && echo "algif_aead: mitigated" || echo "algif_aead: NOT mitigated"
cat /etc/modprobe.d/dirtyfrag.conf 2>/dev/null && echo "dirtyfrag: mitigated" || echo "dirtyfrag: NOT mitigated"
```
- Both files must exist - these are what prevent the modules from loading on demand or after reboot
- If either is missing, return to [Step 2](#2-apply-the-interim-mitigation---disable-algif_aead) or [Step 3](#3-apply-the-interim-mitigation---disable-esp4-esp6-and-rxrpc) and apply the missing mitigation
###### 2. Check for stale xfrm state
```sh
ip xfrm policy list && ip xfrm state list
```
- If either returns entries, flush them — WireGuard does not use xfrm and stale entries can intercept handshake packets:
```sh
ip xfrm state flush && ip xfrm policy flush
```
###### 3. Confirm the `nymwg` interface is up
```sh
ip addr show type wireguard
```
- If absent, restart the `nym-node service`:
```sh
systemctl restart nym-node
```
###### 4. Check iptables forwarding rules are present
```sh
iptables -L FORWARD -n -v | grep -E 'nymwg|nymtun'
iptables -L NYM-EXIT -n | head -10
```
- If the `NYM-EXIT` chain is missing or `FORWARD` has no entries for `nymwg`, re-run [Step 4](#4-restore-gateway-egress-routing--wireguard-functionality).
###### 5. Confirm IP forwarding is enabled
```sh
sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding
```
- Both should return `= 1`. If not: `sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv6.conf.all.forwarding=1`
###### 6. Watch for live handshake packets
- Install tcpdump if missing
```sh
apt install tcpdump -y # Debian/Ubuntu
dnf install tcpdump -y # RHEL family
# replace with your actual WG port from: ss -ulnp | grep nym-node
tcpdump -ni any udp port 51264
```
Trigger a connection attempt from a client. If you see packets arriving but WireGuard is not responding, check `journalctl -u nym-node -n 100` for errors from the binary itself.
</Steps>