Virtualization Technology News and Information
Future Hosting Warns Server Admins Of Dangerous Privilege Escalation Vulnerability
Future Hosting, a specialized VPS and managed dedicated server hosting provider, has advised server administrators to update Linux server operating systems as soon as possible. The advice is a response to the recent discovery of a serious privilege escalation vulnerability in the Linux kernel (as reported in Ars Technica on October 20).

The so-called "Dirty Cow" vulnerability has been part of the Linux kernel for more than a decade, and there is evidence of it being actively exploited by online criminals and hackers.

The vulnerability can be used by a local user to gain elevated permissions, allowing them to read and write data to memory and system files. Once a malicious user has leveraged the vulnerability to gain root user permissions, all users of the server are at risk.

The vulnerability is a particular threat to web hosting providers, who commonly give accounts on the same server to many different clients. On an unpatched server, any one of those users could leverage the vulnerability to gain access to the data of other users.

"Although Future Hosting immediately patched its managed servers when news of the vulnerability broke, we're concerned that there may be many thousands of servers that remain unpatched," said Maulesh Patel, VP of Operations of Future Hosting. "This vulnerability is especially problematic for multi-tenancy servers, including those used for web hosting. Responsible web hosting providers should proactively patch vulnerable servers."

Although the vulnerability requires a malicious user to have an account on the server, it could be combined with other vulnerabilities to allow the remote execution of arbitrary code with root permissions. Any vulnerability that provides shell access or allows the execution of code on the server - as in the case of an SQL-injection attack - can be combined with the privilege escalation vulnerability.

Published Monday, October 31, 2016 9:28 AM by David Marshall