Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel.
A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.
Impact
- An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system and gain root access instantly.
- This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.
It is highly recommended to patch the kernel on all Debian, Ubuntu, CentOS and RHEL systems to prevent them from being compromised through this flaw.
Are you running a vulnerable version?
If you are not a customer subscribed under our Server Management plan and would like to have this vulnerability patched please purchase a 1x Hour of Support plan.
Don’t hesitate to contact us for any questions you may have through our Contact Form page or LiveChat!
New Parallels Plesk Panel privilege escalation vulnerabilities have been discovered (VU#310500; CVE-2013-0132 and CVE-2013-0133).
- Plesk’s /usr/sbin/suexec binary (it may be present in additional locations, always with suexec in the filename) always allows the binary ‘cgi-wrapper’ to be called, bypassing the restrictions on the ownership of the file to be executed. Since cgi-wrapper’s function is to execute a PHP script based on environment variables, and suexec does not sanitize these environment variables, this allows execution of arbitrary PHP code under any user ID above a minimum value that is hardcoded in the suid binary (CVE-2013-0132).
- The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By supplying a malicious PATH environment variable, an attacker can cause the administrative scripts to call their own program instead of the intended system program (CVE-2013-0133).
Parallels Plesk Panel versions 9.x-11.x with the Apache web server running mod_php, mod_perl, mod_python, etc. are vulnerable to privilege escalation by authenticated users. Authenticated users are users who can log in to Parallels Plesk Panel (for example your customers, resellers or employees).
Patching the server with the latest MUs is mandatory.
We highly suggest purchasing our Full Security Audit plan to update/patch and confirm your server hasn’t been compromised.
Should you have further questions, please don’t hesitate to contact our Customer Support Team, available 24/7!
A new SSHD rootkit has been circulating for a few days; it appears to affect mostly RHEL/CentOS servers.
Servers with cPanel, Plesk, VirtualMin and DirectAdmin are affected as well.
During a security audit of one of the compromised servers we found that the rootkit drops files in /lib64 and /lib; the main file is named libkeyutils.so.1.9.
It repoints the /lib64/libkeyutils.so.1 symlink at that library.
We believe this library is capable of stealing passwords, SSH keys and /etc/shadow from the server. It is also used as a backdoor to gain access to the server through a different port, and the rootkit modifies the server’s authentication mechanisms so that no login or command history is logged for sessions coming through this backdoor.
The intruder has full root access, which means this rootkit is accompanied by an exploit capable of root privilege escalation.
You can see if your server is infected by running the following script:
# wget -qq -O - http://www.serverbuddies.com/files/libkeyutilscheck.sh | sh
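As an added example (not the check script linked above), the following POSIX shell functions look locally for the two indicators described in this post: the dropped file libkeyutils.so.1.9 and a libkeyutils.so.1 symlink repointed at it. The rpm/dpkg ownership check is an additional heuristic, since a genuine libkeyutils file belongs to a package.

```shell
# Inspect one library directory for the indicators from the post.
# Exit status 0 = no indicator found, 1 = at least one indicator found.
check_libkeyutils_dir() {
    dir=$1
    found=0
    # Indicator 1: the dropped library itself is present.
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "INDICATOR: $dir/libkeyutils.so.1.9 exists"
        found=1
    fi
    # Indicator 2: the libkeyutils.so.1 symlink now points at it.
    if [ -L "$dir/libkeyutils.so.1" ]; then
        target=$(readlink "$dir/libkeyutils.so.1")
        case "${target##*/}" in
            libkeyutils.so.1.9)
                echo "INDICATOR: $dir/libkeyutils.so.1 -> $target"
                found=1 ;;
        esac
    fi
    return "$found"
}

# Extra heuristic: does a package own this file? 0 = owned (or no package
# manager available, so undecidable), 1 = no package claims the file.
owned_by_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1
    else
        return 0
    fi
}

# Scan the two locations named in the post; 0 = clean, 1 = suspicious.
scan_host() {
    rc=0
    for d in /lib /lib64; do
        [ -d "$d" ] || continue
        check_libkeyutils_dir "$d" || rc=1
        for f in "$d"/libkeyutils.so*; do
            [ -e "$f" ] || continue
            owned_by_package "$f" || { echo "UNOWNED: $f"; rc=1; }
        done
    done
    return "$rc"
}
```

Run `scan_host` on a live server; the individual functions can also be pointed at a copied directory taken from a suspect machine.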
We highly encourage our customers to submit a 1x Hour of Support request if the script shows your server as compromised.
Don’t hesitate to contact our Support Team for any inquiry you may have!
Parallels Plesk Panel Server backup repository
Server backup repository location.
As of Parallels Plesk Panel version 9.0, the structure and location of the server backup repository have both changed.
The root backup directory is now set in the file /etc/psa/psa.conf, still by the DUMP_D variable as before:
Backups directory
DUMP_D /var/lib/psa/dumps
Server backups, backups of resellers, clients, domains, and daily MySQL dumps are now stored in this directory.
How to verify Apache web server status - Parallels Plesk Panel for Linux/Unix.
The Apache 2 binary is named “apache2” on Debian and SuSE, not “httpd” as it is on Red Hat-based Linux distributions and FreeBSD.
Check whether Apache is running (grep for apache2 instead of httpd on Debian and SuSE):
# ps ax | grep httpd | grep -v grep
If it is not running, start Apache from the Plesk control panel or from the command line. If you get an error, check /var/log/httpd/error_log (/var/log/apache2/error_log on SuSE and Debian, /usr/local/psa/apache/logs/error_log on FreeBSD).
Make sure that Apache is listening on both the HTTP and HTTPS ports (80/443) on all needed IP addresses:
# netstat -l | grep http
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:https *:* LISTEN
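The `grep http` above only shows that something is listening; it does not tell you whether every required address has both an HTTP and an HTTPS listener. The following added shell function (not from the original post) parses `netstat -l` output from stdin, accepts either service names (http/https) or numeric ports (80/443, as printed by `netstat -ln`), treats wildcard binds as covering every address, and reports which listeners are missing for the addresses given as arguments.

```shell
# Usage: netstat -l | apache_listeners_ok ADDR [ADDR...]
# Exit status 0 when every ADDR has both an HTTP and an HTTPS listener,
# 1 otherwise (each missing listener is printed).
apache_listeners_ok() {
    awk -v want="$*" '
        # Only TCP sockets in LISTEN state; the 4th column is the local address.
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" {
            n = split($4, f, ":")
            port = f[n]                                     # service name or port
            bind = substr($4, 1, length($4) - length(port) - 1)   # address part
            if (port == "http"  || port == "80")  seen["http",  bind] = 1
            if (port == "https" || port == "443") seen["https", bind] = 1
        }
        END {
            rc = 0
            na = split(want, addrs, " ")
            for (i = 1; i <= na; i++)
                for (s = 0; s < 2; s++) {
                    svc = s ? "https" : "http"
                    # A wildcard bind (*, 0.0.0.0 or ::) covers every address.
                    if (!((svc, addrs[i]) in seen) && !((svc, "*") in seen) &&
                        !((svc, "0.0.0.0") in seen) && !((svc, "::") in seen)) {
                        print "MISSING: " svc " listener for " addrs[i]
                        rc = 1
                    }
                }
            exit rc
        }'
}
```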