Future Hosting, a specialized VPS and managed dedicated server hosting provider, has advised server administrators to update Linux server operating systems as soon as possible. The advice is a response to the recent discovery of a serious privilege escalation vulnerability in the Linux kernel (as reported in Ars Technica on October 20).

The so-called "Dirty Cow" vulnerability has been part of the Linux kernel for more than a decade, and there is evidence of it being actively exploited by online criminals and hackers.

The vulnerability can be used by a local user to gain elevated permissions, allowing them to read and write data to memory and system files. Once a malicious user has leveraged the vulnerability to gain root user permissions, all users of the server are at risk.

The vulnerability is a particular threat to web hosting providers, who commonly give accounts on the same server to many different clients. On an unpatched server, any one of those users could leverage the vulnerability to gain access to the data of other users.

"Although Future Hosting immediately patched its managed servers when news of the vulnerability broke, we're concerned that there may be many thousands of servers that remain unpatched," said Maulesh Patel, VP of Operations of Future Hosting. "This vulnerability is especially problematic for multi-tenancy servers, including those used for web hosting. Responsible web hosting providers should proactively patch vulnerable servers."

Although the vulnerability requires a malicious user to have an account on the server, it could be combined with other vulnerabilities to allow the remote execution of arbitrary code with root permissions. Any vulnerability that provides shell access or allows the execution of code on the server - as in the case of an SQL-injection attack - can be combined with the privilege escalation vulnerability.