Share
## https://sploitus.com/exploit?id=77EB126C-A52F-537B-A45A-2D01DA7B0F84
# AlmaLinux 9.5 β€” Mitigasi Januscape (CVE-2026-53359) & Bad Epoll (CVE-2026-46242)

Panduan **production-safe**, step-by-step untuk host **AlmaLinux 9 / 9.5** yang menjalankan **banyak VPS client (KVM)**.

> **Bahasa:** Indonesia (perintah tetap shell Linux).  
> **Fokus:** jangan crash host, jangan main PoC, minimalkan downtime.  
> **Target:** hypervisor/host KVM β€” **bukan** di dalam guest VPS.

---

## Ringkas (baca ini dulu)

| Item | Detail |
|------|--------|
| **CVE utama** | **CVE-2026-53359** β€” *Januscape* β€” KVM/x86 **guest β†’ host escape** (+ DoS host) |
| **CVE tambahan (Alma 9)** | **CVE-2026-46242** β€” *Bad Epoll* β€” LPE lokal unprivileged β†’ root |
| **Siapa yang rawan** | Host x86_64 dengan **KVM** (Intel/AMD), multi-tenant VPS |
| **Fix penuh** | Update kernel **β‰₯ `5.14.0-687.23.1.el9_8`** lalu **reboot host** |
| **Mitigasi sementara** | Nonaktifkan **nested virtualization** + batasi akses **`/dev/kvm`** |
| **Tanpa reboot host?** | Soft mitigasi **sebagian** bisa; **unload modul KVM sambil VM hidup = berbahaya / mustahil** |

### Prinsip production

1. **Jangan** jalankan PoC / exploit di host production.  
2. **Jangan** `rmmod kvm*` saat masih ada guest running.  
3. Soft mitigasi dulu (nested off + permission), jadwalkan **reboot host terencana** untuk patch kernel.  
4. Migrasi live VPS ke node lain (jika cluster) sebelum reboot.  
5. Verifikasi **setelah** setiap langkah.

---

## Daftar isi

1. [Apa itu Januscape?](#1-apa-itu-januscape)
2. [Apakah host kamu terdampak?](#2-apakah-host-kamu-terdampak)
3. [Strategi production (alur keputusan)](#3-strategi-production-alur-keputusan)
4. [Fase 0 β€” Pre-check aman (read-only)](#4-fase-0--pre-check-aman-read-only)
5. [Fase 1 β€” Soft mitigasi (minim reboot)](#5-fase-1--soft-mitigasi-minim-reboot)
6. [Fase 2 β€” Patch kernel (fix penuh, perlu reboot host)](#6-fase-2--patch-kernel-fix-penuh-perlu-reboot-host)
7. [Fase 3 β€” Verifikasi pasca-mitigasi](#7-fase-3--verifikasi-pasca-mitigasi)
8. [Yang tidak boleh dilakukan](#8-yang-tidak-boleh-dilakukan)
9. [FAQ](#9-faq)
10. [Script](#10-script)
11. [Referensi resmi](#11-referensi-resmi)
12. [Disclaimer](#12-disclaimer)

---

## 1. Apa itu Januscape?

**Januscape (CVE-2026-53359)** adalah kerentanan di **KVM/x86** (Intel & AMD) yang memungkinkan:

| Dampak | Keterangan |
|--------|------------|
| **Guest-to-host escape** | Guest jahat bisa eksekusi kode sebagai root di **host** |
| **Host DoS** | Guest bisa memicu **kernel panic** host β†’ semua VPS di node mati |
| **LPE lokal** | Jika `/dev/kvm` world-writable (`0666`, default di banyak RHEL-like), user lokal unprivileged bisa escalate ke root **tanpa** VM |

Sumber ringkas:

- [AlmaLinux β€” Januscape and Bad Epoll](https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/)
- [Ubuntu mitigations](https://ubuntu.com/blog/januscape-linux-vulnerability-mitigations-available)
- [Red Hat CVE-2026-53359](https://access.redhat.com/security/cve/cve-2026-53359)
- Write-up peneliti: [V4bel/Januscape](https://github.com/V4bel/Januscape) (jangan dijalankan di production)

**Bad Epoll (CVE-2026-46242)** (AlmaLinux 9 & 10): race UAF di subsystem epoll β†’ LPE lokal. Fix-nya ikut **kernel yang sama** di rilis AlmaLinux.

---

## 2. Apakah host kamu terdampak?

### Cek cepat (read-only, aman)

```bash
# OS
cat /etc/os-release | egrep 'NAME|VERSION'

# Kernel
uname -r
rpm -q kernel

# Modul KVM
lsmod | egrep 'kvm|kvm_intel|kvm_amd'

# Nested ON? (Y/1 = rentan jalur nested; N/0 = nested off)
grep -H . /sys/module/kvm_intel/parameters/nested 2>/dev/null
grep -H . /sys/module/kvm_amd/parameters/nested 2>/dev/null

# Permission /dev/kvm (0666 = sangat longgar di host multi-user)
namei -l /dev/kvm 2>/dev/null
stat -c '%a %U:%G %n' /dev/kvm 2>/dev/null
getfacl /dev/kvm 2>/dev/null | head

# Ada guest?
# libvirt:
virsh list --all 2>/dev/null | head
# atau proses qemu:
ps aux | egrep 'qemu-system|qemu-kvm' | grep -v grep | wc -l
```

Atau:

```bash
sudo bash scripts/00-precheck.sh
```

### Interpretasi

| Kondisi | Status |
|---------|--------|
| Tidak ada modul `kvm` / bukan hypervisor | Januscape KVM **kurang relevan** (tetap update kernel untuk Bad Epoll jika Alma 9) |
| `nested=Y` atau `1` | Jalur **nested virt** aktif β€” prioritaskan soft mitigasi |
| Kernel **< `5.14.0-687.23.1.el9_8`** | Belum patch Januscape+Bad Epoll (Alma 9 production) |
| Kernel **β‰₯ `5.14.0-687.23.1.el9_8`** + sudah reboot ke kernel itu | Fix penuh (konfirmasi `uname -r`) |
| `/dev/kvm` mode `666` | LPE lokal lebih mudah β€” **kunci permission** |

---

## 3. Strategi production (alur keputusan)

```text
                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                    β”‚ Host KVM multi-VPS? β”‚
                    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                               β”‚ ya
                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                    β”‚ Kernel sudah patchedβ”‚
                    β”‚ + sudah boot ke sanaβ”‚
                    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                     belum β”‚         β”‚ ya
              β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”   β”Œβ”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
              β”‚ Soft mitigasi β”‚   β”‚ Verifikasi +  β”‚
              β”‚ (Fase 1)      β”‚   β”‚ monitoring    β”‚
              β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”˜   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                           β”‚
              β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
              β”‚ Jadwalkan maintenance:            β”‚
              β”‚ migrate VPS (jika bisa) β†’         β”‚
              β”‚ dnf upgrade kernel β†’ reboot host  β”‚
              β”‚ (Fase 2)                          β”‚
              β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

| Prioritas | Tindakan | Reboot host? | Risiko ke VPS client |
|-----------|----------|--------------|----------------------|
| **P0** | Soft: nested=0 (persist) + cek tidak ada nested guest | Biasanya **tidak** jika hanya tulis config; **aktif penuh** sering perlu reload modul / reboot | Nested guest (jika ada) akan rusak |
| **P0** | Soft: `/dev/kvm` tidak 0666 | **Tidak** | Tidak mematikan VM existing |
| **P1** | Patch kernel + reboot host | **Ya** | Semua VPS di node reboot bareng host (kecuali di-live-migrate dulu) |

---

## 4. Fase 0 β€” Pre-check aman (read-only)

Jalankan **hanya perintah baca**. Tidak mengubah sistem.

```bash
sudo bash scripts/00-precheck.sh | tee /root/januscape-precheck-$(date +%F).txt
```

Simpan output. Berguna untuk audit & tiket internal.

Checklist manual:

- [ ] Jumlah VPS running tercatat  
- [ ] Nested status tercatat  
- [ ] `uname -r` tercatat  
- [ ] Backup/migrate plan siap  
- [ ] Akses IPMI/iDRAC/console host siap  

---

## 5. Fase 1 β€” Soft mitigasi (minim reboot)

### 5.1 Nonaktifkan nested virtualization (persist)

Ini mitigasi yang direkomendasikan Ubuntu/Proxmox/Red Hat guidance publik sambil menunggu / sebelum reboot ke kernel patched:

- [Ubuntu β€” disable nested](https://ubuntu.com/blog/januscape-linux-vulnerability-mitigations-available)
- [Red Hat CVE page β€” modprobe options](https://access.redhat.com/security/cve/cve-2026-53359)
- [Proxmox forum β€” nested=0](https://forum.proxmox.com/threads/are-there-mitigations-available-for-cve-2026-53359-januscape.184874/)

#### A) Cek dulu: apakah ada guest yang **memakai** nested?

```bash
# Libvirt: cari CPU mode host-passthrough + nested feature, atau feature vmx/svm di XML
virsh list --name 2>/dev/null | while read -r vm; do
  [ -z "$vm" ] && continue
  echo "=== $vm ==="
  virsh dumpxml "$vm" 2>/dev/null | egrep -i 'nested|vmx|svm|host-passthrough|host-model' | head -20
done
```

Jika **ada client yang sengaja pakai nested KVM di dalam VPS**:

- Soft mitigasi nested=0 akan **merusak fitur mereka**  
- Koordinasikan dulu, atau prioritaskan **patch + reboot** tanpa menonaktifkan nested (setelah kernel fixed, nested boleh on lagi sesuai kebutuhan)

Jika **tidak ada** nested guest (kasus mayoritas shared VPS):

#### B) Tulis config permanen (aman, tidak reboot sendiri)

```bash
sudo tee /etc/modprobe.d/disable-kvm-nested.conf >/dev/null /dev/null || true
sudo rmmod kvm_intel 2>/dev/null || true
sudo rmmod kvm 2>/dev/null || true
sudo modprobe kvm
sudo modprobe kvm_intel   # atau kvm_amd
```

**Di production dengan puluhan VPS running: JANGAN lakukan rmmod.**  
Modul KVM **sedang dipakai** guest β†’ `rmmod` akan **gagal** atau **berbahaya**.

| Situasi | Cara apply nested=0 |
|---------|---------------------|
| **0 guest running** | Boleh reload modul (tanpa reboot OS) |
| **Ada guest running** | Hanya tulis `/etc/modprobe.d/...`; efek penuh saat **reboot host** (Fase 2) atau maintenance drain |
| Cluster / live migration | Migrate semua VM keluar node β†’ reload modul atau reboot node kosong |

Cek runtime setelah reload/reboot:

```bash
grep -H . /sys/module/kvm_intel/parameters/nested 2>/dev/null
grep -H . /sys/module/kvm_amd/parameters/nested 2>/dev/null
# Harapan mitigasi: 0 atau N
```

Script:

```bash
sudo bash scripts/01-soft-mitigation-nested.sh
# default: HANYA tulis config, TIDAK rmmod
# paksa reload (berbahaya jika ada VM):
# sudo bash scripts/01-soft-mitigation-nested.sh --reload-modules
```

### 5.2 Kunci permission `/dev/kvm` (tanpa reboot)

Alma/RHEL derivatives sering punya `/dev/kvm` terlalu longgar; AlmaLinux blog menyebut **0666** memudahkan LPE lokal.

```bash
# Lihat sekarang
stat -c '%a %U:%G %n' /dev/kvm

# Runtime (langsung, tanpa reboot) β€” contoh ketat:
# root:kvm, mode 660 (hanya root + group kvm)
sudo chown root:kvm /dev/kvm
sudo chmod 660 /dev/kvm

# Persist via udev (contoh)
sudo tee /etc/udev/rules.d/99-kvm-restrict.rules >/dev/null = 5.14.0-687.23.1.el9_8  (bandingkan dengan sort -V)

rpm -q kernel

# Nested: sesuai policy (boleh 0; atau 1 jika sudah patched & butuh nested)
grep -H . /sys/module/kvm_*/parameters/nested 2>/dev/null

# VPS
virsh list --all
```

```bash
sudo bash scripts/03-patch-kernel.sh
# script TIDAK auto-reboot; hanya dnf upgrade kernel* + cetak instruksi reboot
```

---

## 7. Fase 3 β€” Verifikasi pasca-mitigasi

```bash
sudo bash scripts/04-verify.sh
```

Checklist:

- [ ] `uname -r` β‰₯ patched version  
- [ ] Tidak ada Oops/panic baru: `journalctl -k -p err --since "1 hour ago"`  
- [ ] Nested sesuai kebijakan  
- [ ] `/dev/kvm` tidak `666`  
- [ ] Libvirt/qemu healthy  
- [ ] Sample VPS network/disk OK  

---

## 8. Yang tidak boleh dilakukan

| Jangan | Alasan |
|--------|--------|
| Jalankan PoC Januscape di production | Bisa **panic host** / escape |
| `rmmod kvm*` saat VM running | Gagal atau putus semua guest |
| Reboot host tanpa pemberitahuan client | Downtime massal |
| Matikan SELinux β€œbiar gampang” | Memperlebar serangan |
| Asumsi soft mitigasi = sudah aman total | Nested off mengurangi jalur; **kernel patch tetap wajib** |
| Patch hanya 1 node lalu lupa yang lain | Semua hypervisor x86 KVM perlu di-audit |

---

## 9. FAQ

### Apakah bisa 100% tanpa reboot?

- **Soft mitigasi** (file modprobe + chmod/udev): **tanpa reboot**.  
- **Nested off di runtime** tanpa reboot: hanya jika modul bisa di-reload β†’ **butuh 0 guest** di node.  
- **Fix CVE penuh (kode kernel)**: **perlu boot ke kernel baru** β†’ reboot host (atau live-patch enterprise jika vendor sediakan; Alma standar = reboot).

### Apakah menonaktifkan nested memutus VPS biasa?

Umumnya **tidak**. VPS biasa tidak menjalankan hypervisor di dalam guest.  
Yang terdampak: customer yang **sengaja** pakai nested virt (jarang di shared hosting).

### Host bukan KVM (OpenVZ/LXC only)?

Januscape = **KVM/x86**. Jika host **murni container** tanpa KVM, jalur guest-escape KVM tidak berlaku β€” tetap cek Bad Epoll + update kernel.

### Virtuozzo / OpenVZ 7?

Bukan fokus repo ini (kernel beda). Untuk Vz7, ikuti advisory vendor + ReadyKernel/vzkernel terpisah.

---

## 10. Script

| Script | Fungsi | Production note |
|--------|--------|-----------------|
| [`scripts/00-precheck.sh`](scripts/00-precheck.sh) | Inventory read-only | Aman |
| [`scripts/01-soft-mitigation-nested.sh`](scripts/01-soft-mitigation-nested.sh) | Tulis nested=0 | Default **tanpa** rmmod |
| [`scripts/02-soft-mitigation-devkvm.sh`](scripts/02-soft-mitigation-devkvm.sh) | Harden `/dev/kvm` | Cek libvirt tetap jalan |
| [`scripts/03-patch-kernel.sh`](scripts/03-patch-kernel.sh) | `dnf upgrade kernel*` | **Tidak** auto-reboot |
| [`scripts/04-verify.sh`](scripts/04-verify.sh) | Verifikasi status | Aman |

```bash
chmod +x scripts/*.sh
sudo bash scripts/00-precheck.sh
sudo bash scripts/01-soft-mitigation-nested.sh
sudo bash scripts/02-soft-mitigation-devkvm.sh
# maintenance window:
sudo bash scripts/03-patch-kernel.sh
# lalu: sudo reboot
sudo bash scripts/04-verify.sh
```

---

## 11. Referensi resmi

| Sumber | URL |
|--------|-----|
| AlmaLinux β€” patches production | https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/ |
| Ubuntu β€” mitigasi nested | https://ubuntu.com/blog/januscape-linux-vulnerability-mitigations-available |
| Red Hat CVE-2026-53359 | https://access.redhat.com/security/cve/cve-2026-53359 |
| CloudLinux advisory | https://blog.cloudlinux.com/januscape-cve-2026-53359-mitigation-and-kernel-update-on-cloudlinux/ |
| TuxCare overview | https://tuxcare.com/blog/januscape-exposes-the-kvm-shadow-paging-bug-that-kept-coming-back/ |
| Proxmox discussion | https://forum.proxmox.com/threads/are-there-mitigations-available-for-cve-2026-53359-januscape.184874/ |
| Researcher write-up (jangan PoC di prod) | https://github.com/V4bel/Januscape |

---

## 12. Disclaimer

- Panduan komunitas untuk operator. Bukan pengganti advisory vendor / penasihat hukum.  
- Uji di lab/staging jika memungkinkan.  
- Penulis tidak bertanggung jawab atas downtime atau kerugian akibat eksekusi perintah.  
- Selalu cocokkan versi kernel dengan [blog AlmaLinux](https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/) terbaru.

---

## Cheat sheet

```bash
# 1) Precheck
uname -r
grep . /sys/module/kvm_*/parameters/nested 2>/dev/null
stat -c '%a %n' /dev/kvm
virsh list --state-running | wc -l

# 2) Soft (persist nested off)
echo -e 'options kvm_intel nested=0\noptions kvm_amd nested=0' | \
  sudo tee /etc/modprobe.d/disable-kvm-nested.conf

# 3) Soft (/dev/kvm)
sudo chown root:kvm /dev/kvm; sudo chmod 660 /dev/kvm

# 4) Fix (maintenance)
sudo dnf clean metadata && sudo dnf upgrade -y 'kernel*'
# migrate VMs or announce downtime
sudo reboot

# 5) Verify
uname -r   # >= 5.14.0-687.23.1.el9_8
```

## License

MIT β€” lihat [LICENSE](LICENSE).