Share
## https://sploitus.com/exploit?id=77EB126C-A52F-537B-A45A-2D01DA7B0F84
# AlmaLinux 9.5 β Mitigasi Januscape (CVE-2026-53359) & Bad Epoll (CVE-2026-46242)
Panduan **production-safe**, step-by-step untuk host **AlmaLinux 9 / 9.5** yang menjalankan **banyak VPS client (KVM)**.
> **Bahasa:** Indonesia (perintah tetap shell Linux).
> **Fokus:** jangan crash host, jangan main PoC, minimalkan downtime.
> **Target:** hypervisor/host KVM β **bukan** di dalam guest VPS.
---
## Ringkas (baca ini dulu)
| Item | Detail |
|------|--------|
| **CVE utama** | **CVE-2026-53359** β *Januscape* β KVM/x86 **guest β host escape** (+ DoS host) |
| **CVE tambahan (Alma 9)** | **CVE-2026-46242** β *Bad Epoll* β LPE lokal unprivileged β root |
| **Siapa yang rawan** | Host x86_64 dengan **KVM** (Intel/AMD), multi-tenant VPS |
| **Fix penuh** | Update kernel **β₯ `5.14.0-687.23.1.el9_8`** lalu **reboot host** |
| **Mitigasi sementara** | Nonaktifkan **nested virtualization** + batasi akses **`/dev/kvm`** |
| **Tanpa reboot host?** | Soft mitigasi **sebagian** bisa; **unload modul KVM sambil VM hidup = berbahaya / mustahil** |
### Prinsip production
1. **Jangan** jalankan PoC / exploit di host production.
2. **Jangan** `rmmod kvm*` saat masih ada guest running.
3. Soft mitigasi dulu (nested off + permission), jadwalkan **reboot host terencana** untuk patch kernel.
4. Migrasi live VPS ke node lain (jika cluster) sebelum reboot.
5. Verifikasi **setelah** setiap langkah.
---
## Daftar isi
1. [Apa itu Januscape?](#1-apa-itu-januscape)
2. [Apakah host kamu terdampak?](#2-apakah-host-kamu-terdampak)
3. [Strategi production (alur keputusan)](#3-strategi-production-alur-keputusan)
4. [Fase 0 β Pre-check aman (read-only)](#4-fase-0--pre-check-aman-read-only)
5. [Fase 1 β Soft mitigasi (minim reboot)](#5-fase-1--soft-mitigasi-minim-reboot)
6. [Fase 2 β Patch kernel (fix penuh, perlu reboot host)](#6-fase-2--patch-kernel-fix-penuh-perlu-reboot-host)
7. [Fase 3 β Verifikasi pasca-mitigasi](#7-fase-3--verifikasi-pasca-mitigasi)
8. [Yang tidak boleh dilakukan](#8-yang-tidak-boleh-dilakukan)
9. [FAQ](#9-faq)
10. [Script](#10-script)
11. [Referensi resmi](#11-referensi-resmi)
12. [Disclaimer](#12-disclaimer)
---
## 1. Apa itu Januscape?
**Januscape (CVE-2026-53359)** adalah kerentanan di **KVM/x86** (Intel & AMD) yang memungkinkan:
| Dampak | Keterangan |
|--------|------------|
| **Guest-to-host escape** | Guest jahat bisa eksekusi kode sebagai root di **host** |
| **Host DoS** | Guest bisa memicu **kernel panic** host β semua VPS di node mati |
| **LPE lokal** | Jika `/dev/kvm` world-writable (`0666`, default di banyak RHEL-like), user lokal unprivileged bisa escalate ke root **tanpa** VM |
Sumber ringkas:
- [AlmaLinux β Januscape and Bad Epoll](https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/)
- [Ubuntu mitigations](https://ubuntu.com/blog/januscape-linux-vulnerability-mitigations-available)
- [Red Hat CVE-2026-53359](https://access.redhat.com/security/cve/cve-2026-53359)
- Write-up peneliti: [V4bel/Januscape](https://github.com/V4bel/Januscape) (jangan dijalankan di production)
**Bad Epoll (CVE-2026-46242)** (AlmaLinux 9 & 10): race UAF di subsystem epoll β LPE lokal. Fix-nya ikut **kernel yang sama** di rilis AlmaLinux.
---
## 2. Apakah host kamu terdampak?
### Cek cepat (read-only, aman)
```bash
# OS
cat /etc/os-release | egrep 'NAME|VERSION'
# Kernel
uname -r
rpm -q kernel
# Modul KVM
lsmod | egrep 'kvm|kvm_intel|kvm_amd'
# Nested ON? (Y/1 = rentan jalur nested; N/0 = nested off)
grep -H . /sys/module/kvm_intel/parameters/nested 2>/dev/null
grep -H . /sys/module/kvm_amd/parameters/nested 2>/dev/null
# Permission /dev/kvm (0666 = sangat longgar di host multi-user)
namei -l /dev/kvm 2>/dev/null
stat -c '%a %U:%G %n' /dev/kvm 2>/dev/null
getfacl /dev/kvm 2>/dev/null | head
# Ada guest?
# libvirt:
virsh list --all 2>/dev/null | head
# atau proses qemu:
ps aux | egrep 'qemu-system|qemu-kvm' | grep -v grep | wc -l
```
Atau:
```bash
sudo bash scripts/00-precheck.sh
```
### Interpretasi
| Kondisi | Status |
|---------|--------|
| Tidak ada modul `kvm` / bukan hypervisor | Januscape KVM **kurang relevan** (tetap update kernel untuk Bad Epoll jika Alma 9) |
| `nested=Y` atau `1` | Jalur **nested virt** aktif β prioritaskan soft mitigasi |
| Kernel **< `5.14.0-687.23.1.el9_8`** | Belum patch Januscape+Bad Epoll (Alma 9 production) |
| Kernel **β₯ `5.14.0-687.23.1.el9_8`** + sudah reboot ke kernel itu | Fix penuh (konfirmasi `uname -r`) |
| `/dev/kvm` mode `666` | LPE lokal lebih mudah β **kunci permission** |
---
## 3. Strategi production (alur keputusan)
```text
βββββββββββββββββββββββ
β Host KVM multi-VPS? β
ββββββββββββ¬βββββββββββ
β ya
ββββββββββββΌβββββββββββ
β Kernel sudah patchedβ
β + sudah boot ke sanaβ
ββββββββββββ¬βββββββββββ
belum β β ya
ββββββββββββββΌβββ ββββΌβββββββββββββ
β Soft mitigasi β β Verifikasi + β
β (Fase 1) β β monitoring β
ββββββββββββββ¬βββ βββββββββββββββββ
β
ββββββββββββββΌβββββββββββββββββββββββ
β Jadwalkan maintenance: β
β migrate VPS (jika bisa) β β
β dnf upgrade kernel β reboot host β
β (Fase 2) β
βββββββββββββββββββββββββββββββββββββ
```
| Prioritas | Tindakan | Reboot host? | Risiko ke VPS client |
|-----------|----------|--------------|----------------------|
| **P0** | Soft: nested=0 (persist) + cek tidak ada nested guest | Biasanya **tidak** jika hanya tulis config; **aktif penuh** sering perlu reload modul / reboot | Nested guest (jika ada) akan rusak |
| **P0** | Soft: `/dev/kvm` tidak 0666 | **Tidak** | Tidak mematikan VM existing |
| **P1** | Patch kernel + reboot host | **Ya** | Semua VPS di node reboot bareng host (kecuali di-live-migrate dulu) |
---
## 4. Fase 0 β Pre-check aman (read-only)
Jalankan **hanya perintah baca**. Tidak mengubah sistem.
```bash
sudo bash scripts/00-precheck.sh | tee /root/januscape-precheck-$(date +%F).txt
```
Simpan output. Berguna untuk audit & tiket internal.
Checklist manual:
- [ ] Jumlah VPS running tercatat
- [ ] Nested status tercatat
- [ ] `uname -r` tercatat
- [ ] Backup/migrate plan siap
- [ ] Akses IPMI/iDRAC/console host siap
---
## 5. Fase 1 β Soft mitigasi (minim reboot)
### 5.1 Nonaktifkan nested virtualization (persist)
Ini mitigasi yang direkomendasikan Ubuntu/Proxmox/Red Hat guidance publik sambil menunggu / sebelum reboot ke kernel patched:
- [Ubuntu β disable nested](https://ubuntu.com/blog/januscape-linux-vulnerability-mitigations-available)
- [Red Hat CVE page β modprobe options](https://access.redhat.com/security/cve/cve-2026-53359)
- [Proxmox forum β nested=0](https://forum.proxmox.com/threads/are-there-mitigations-available-for-cve-2026-53359-januscape.184874/)
#### A) Cek dulu: apakah ada guest yang **memakai** nested?
```bash
# Libvirt: cari CPU mode host-passthrough + nested feature, atau feature vmx/svm di XML
virsh list --name 2>/dev/null | while read -r vm; do
[ -z "$vm" ] && continue
echo "=== $vm ==="
virsh dumpxml "$vm" 2>/dev/null | egrep -i 'nested|vmx|svm|host-passthrough|host-model' | head -20
done
```
Jika **ada client yang sengaja pakai nested KVM di dalam VPS**:
- Soft mitigasi nested=0 akan **merusak fitur mereka**
- Koordinasikan dulu, atau prioritaskan **patch + reboot** tanpa menonaktifkan nested (setelah kernel fixed, nested boleh on lagi sesuai kebutuhan)
Jika **tidak ada** nested guest (kasus mayoritas shared VPS):
#### B) Tulis config permanen (aman, tidak reboot sendiri)
```bash
sudo tee /etc/modprobe.d/disable-kvm-nested.conf >/dev/null /dev/null || true
sudo rmmod kvm_intel 2>/dev/null || true
sudo rmmod kvm 2>/dev/null || true
sudo modprobe kvm
sudo modprobe kvm_intel # atau kvm_amd
```
**Di production dengan puluhan VPS running: JANGAN lakukan rmmod.**
Modul KVM **sedang dipakai** guest β `rmmod` akan **gagal** atau **berbahaya**.
| Situasi | Cara apply nested=0 |
|---------|---------------------|
| **0 guest running** | Boleh reload modul (tanpa reboot OS) |
| **Ada guest running** | Hanya tulis `/etc/modprobe.d/...`; efek penuh saat **reboot host** (Fase 2) atau maintenance drain |
| Cluster / live migration | Migrate semua VM keluar node β reload modul atau reboot node kosong |
Cek runtime setelah reload/reboot:
```bash
grep -H . /sys/module/kvm_intel/parameters/nested 2>/dev/null
grep -H . /sys/module/kvm_amd/parameters/nested 2>/dev/null
# Harapan mitigasi: 0 atau N
```
Script:
```bash
sudo bash scripts/01-soft-mitigation-nested.sh
# default: HANYA tulis config, TIDAK rmmod
# paksa reload (berbahaya jika ada VM):
# sudo bash scripts/01-soft-mitigation-nested.sh --reload-modules
```
### 5.2 Kunci permission `/dev/kvm` (tanpa reboot)
Alma/RHEL derivatives sering punya `/dev/kvm` terlalu longgar; AlmaLinux blog menyebut **0666** memudahkan LPE lokal.
```bash
# Lihat sekarang
stat -c '%a %U:%G %n' /dev/kvm
# Runtime (langsung, tanpa reboot) β contoh ketat:
# root:kvm, mode 660 (hanya root + group kvm)
sudo chown root:kvm /dev/kvm
sudo chmod 660 /dev/kvm
# Persist via udev (contoh)
sudo tee /etc/udev/rules.d/99-kvm-restrict.rules >/dev/null = 5.14.0-687.23.1.el9_8 (bandingkan dengan sort -V)
rpm -q kernel
# Nested: sesuai policy (boleh 0; atau 1 jika sudah patched & butuh nested)
grep -H . /sys/module/kvm_*/parameters/nested 2>/dev/null
# VPS
virsh list --all
```
```bash
sudo bash scripts/03-patch-kernel.sh
# script TIDAK auto-reboot; hanya dnf upgrade kernel* + cetak instruksi reboot
```
---
## 7. Fase 3 β Verifikasi pasca-mitigasi
```bash
sudo bash scripts/04-verify.sh
```
Checklist:
- [ ] `uname -r` β₯ patched version
- [ ] Tidak ada Oops/panic baru: `journalctl -k -p err --since "1 hour ago"`
- [ ] Nested sesuai kebijakan
- [ ] `/dev/kvm` tidak `666`
- [ ] Libvirt/qemu healthy
- [ ] Sample VPS network/disk OK
---
## 8. Yang tidak boleh dilakukan
| Jangan | Alasan |
|--------|--------|
| Jalankan PoC Januscape di production | Bisa **panic host** / escape |
| `rmmod kvm*` saat VM running | Gagal atau putus semua guest |
| Reboot host tanpa pemberitahuan client | Downtime massal |
| Matikan SELinux βbiar gampangβ | Memperlebar serangan |
| Asumsi soft mitigasi = sudah aman total | Nested off mengurangi jalur; **kernel patch tetap wajib** |
| Patch hanya 1 node lalu lupa yang lain | Semua hypervisor x86 KVM perlu di-audit |
---
## 9. FAQ
### Apakah bisa 100% tanpa reboot?
- **Soft mitigasi** (file modprobe + chmod/udev): **tanpa reboot**.
- **Nested off di runtime** tanpa reboot: hanya jika modul bisa di-reload β **butuh 0 guest** di node.
- **Fix CVE penuh (kode kernel)**: **perlu boot ke kernel baru** β reboot host (atau live-patch enterprise jika vendor sediakan; Alma standar = reboot).
### Apakah menonaktifkan nested memutus VPS biasa?
Umumnya **tidak**. VPS biasa tidak menjalankan hypervisor di dalam guest.
Yang terdampak: customer yang **sengaja** pakai nested virt (jarang di shared hosting).
### Host bukan KVM (OpenVZ/LXC only)?
Januscape = **KVM/x86**. Jika host **murni container** tanpa KVM, jalur guest-escape KVM tidak berlaku β tetap cek Bad Epoll + update kernel.
### Virtuozzo / OpenVZ 7?
Bukan fokus repo ini (kernel beda). Untuk Vz7, ikuti advisory vendor + ReadyKernel/vzkernel terpisah.
---
## 10. Script
| Script | Fungsi | Production note |
|--------|--------|-----------------|
| [`scripts/00-precheck.sh`](scripts/00-precheck.sh) | Inventory read-only | Aman |
| [`scripts/01-soft-mitigation-nested.sh`](scripts/01-soft-mitigation-nested.sh) | Tulis nested=0 | Default **tanpa** rmmod |
| [`scripts/02-soft-mitigation-devkvm.sh`](scripts/02-soft-mitigation-devkvm.sh) | Harden `/dev/kvm` | Cek libvirt tetap jalan |
| [`scripts/03-patch-kernel.sh`](scripts/03-patch-kernel.sh) | `dnf upgrade kernel*` | **Tidak** auto-reboot |
| [`scripts/04-verify.sh`](scripts/04-verify.sh) | Verifikasi status | Aman |
```bash
chmod +x scripts/*.sh
sudo bash scripts/00-precheck.sh
sudo bash scripts/01-soft-mitigation-nested.sh
sudo bash scripts/02-soft-mitigation-devkvm.sh
# maintenance window:
sudo bash scripts/03-patch-kernel.sh
# lalu: sudo reboot
sudo bash scripts/04-verify.sh
```
---
## 11. Referensi resmi
| Sumber | URL |
|--------|-----|
| AlmaLinux β patches production | https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/ |
| Ubuntu β mitigasi nested | https://ubuntu.com/blog/januscape-linux-vulnerability-mitigations-available |
| Red Hat CVE-2026-53359 | https://access.redhat.com/security/cve/cve-2026-53359 |
| CloudLinux advisory | https://blog.cloudlinux.com/januscape-cve-2026-53359-mitigation-and-kernel-update-on-cloudlinux/ |
| TuxCare overview | https://tuxcare.com/blog/januscape-exposes-the-kvm-shadow-paging-bug-that-kept-coming-back/ |
| Proxmox discussion | https://forum.proxmox.com/threads/are-there-mitigations-available-for-cve-2026-53359-januscape.184874/ |
| Researcher write-up (jangan PoC di prod) | https://github.com/V4bel/Januscape |
---
## 12. Disclaimer
- Panduan komunitas untuk operator. Bukan pengganti advisory vendor / penasihat hukum.
- Uji di lab/staging jika memungkinkan.
- Penulis tidak bertanggung jawab atas downtime atau kerugian akibat eksekusi perintah.
- Selalu cocokkan versi kernel dengan [blog AlmaLinux](https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/) terbaru.
---
## Cheat sheet
```bash
# 1) Precheck
uname -r
grep . /sys/module/kvm_*/parameters/nested 2>/dev/null
stat -c '%a %n' /dev/kvm
virsh list --state-running | wc -l
# 2) Soft (persist nested off)
echo -e 'options kvm_intel nested=0\noptions kvm_amd nested=0' | \
sudo tee /etc/modprobe.d/disable-kvm-nested.conf
# 3) Soft (/dev/kvm)
sudo chown root:kvm /dev/kvm; sudo chmod 660 /dev/kvm
# 4) Fix (maintenance)
sudo dnf clean metadata && sudo dnf upgrade -y 'kernel*'
# migrate VMs or announce downtime
sudo reboot
# 5) Verify
uname -r # >= 5.14.0-687.23.1.el9_8
```
## License
MIT β lihat [LICENSE](LICENSE).