Two critical security issues related to hosting and servers.

ukwebhosting

Free Member
  • Business Listing
    Jun 9, 2011
    249
    67
    UK
    Hi,

    Over the last few days there have been 2 critical security issues around hosting and Linux.

    The first is one for cPanel & WHM and is rated 9.8 Critical, as it allows unauthenticated root level access to the control panel.


    If you run or have hosting on a cPanel server check with your host that they have updated to a patched version of the cPanel tier they are running.

    The second affects every mainstream version of Linux since 2017!


    It can be exploited fairly easily to gain root access to an affected server.

    Again, if you run a Linux server or have hosting on one you should check with your provider if they have mitigated against this exploit (there are some fixes coming online but mainly mitigations at this point).

    Both pretty serious and I am sure most hosts have it under control/in hand but by the law of averages some will not so better to be safe than sorry!

    Paul

    ctrlbrk

    Free Member
    May 13, 2021
    1,045
    441
    Thanks @ukwebhosting.

    Trying to read into this:

    By chaining an AF_ALG socket operation with splice(), an unprivileged local user can perform a controlled 4-byte write to an arbitrary page-cache-backed page, targeting a setuid binary such as /usr/bin/su to obtain a root shell [1].

    "Unprivileged local user": doesn't this mean that someone would have to gain access to the server first, to be able to then attempt the exploit?

    ukwebhosting

    > Thanks @ukwebhosting.
    >
    > Trying to read into this:
    >
    > "Unprivileged local user": doesn't this mean that someone would have to gain access to the server first, to be able to then attempt the exploit?
    Hi

    Yes it does indeed.

    A good example would be an exploited Wordpress site or any of the others etc or simply a bad actor purchasing a hosting package to gain that access.

    But once they have that access it is relatively easy to exploit and elevate to a privileged user.

    Thanks

    Paul

    ukwebhosting

    > Just so I'm clear, the examples you mentioned here would apply to a shared hosting instance?
    >
    > By that I mean, these examples would not apply to, say, a VPS scenario, would they?
    The WHM/cPanel one applies if you're running cPanel/WHM on any server, including a VPS.

    For this you do not need to get access to the server first; there are some nuances etc., however it is broken down here https://labs.watchtowr.com/the-inte...nel-whm-authentication-bypass-cve-2026-41940/

    And if you have a VPS and it runs cPanel/WHM then you absolutely can be exploited if not updated to a patched version; the only difference is a shared hosting server would just be running many more sites, so it's all down to the amount of damage.

    For the second Linux kernel issue you would need access to a Linux server first, but as mentioned that could be by an exploited Wordpress site or any of the others etc., or simply a bad actor purchasing a hosting package to gain that access.

    This one also applies to a VPS.

    And that is a relatively easy exploit once you have that.

    Are you running Linux, and what flavour?

    Thanks

    Paul

    ctrlbrk

    > For the second Linux kernel issue you would need access to a Linux server first, but as mentioned that could be by an exploited Wordpress site or any of the others etc., or simply a bad actor purchasing a hosting package to gain that access.
    >
    > This one also applies to a VPS.
    >
    > And that is a relatively easy exploit once you have that.
    >
    > Are you running Linux, and what flavour?
    Yes, I do have a Debian VPS.

    I do understand your exploited Wordpress site example, but I struggle to understand the bad actor purchasing a hosting package - they would still need to gain local access to the server first, wouldn't they? And how would that be accomplished?

    Thanks.

    ukwebhosting

    > Yes, I do have a Debian VPS.
    >
    > I do understand your exploited Wordpress site example, but I struggle to understand the bad actor purchasing a hosting package - they would still need to gain local access to the server first, wouldn't they? And how would that be accomplished?
    >
    > Thanks.
    This probably explains it best https://copy.fail/

    However, briefly, it just needs a normal unprivileged user, like every hosting account would receive, for example; hence the bad actor vector, if you like.

    Thanks

    Paul
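As an added example (not from the thread, and not copy.fail's own code), a check an admin could run on a Debian VPS like the one discussed above to see whether the precondition the thread names, an unprivileged hosting account being able to open an AF_ALG socket, holds on that host. The algif_* module inventory is an assumption of mine about which modules back AF_ALG, not something the thread states; it does no splice() and no writes.

```python
# Added example (not from the thread or copy.fail): an exposure check for the
# AF_ALG + splice() issue. It only tests whether this user can open an AF_ALG
# socket, the precondition the thread names; run it as the hosting account.
import errno
import socket


def af_alg_reachable():
    """Return (reachable, reason); reachable is True when the current user
    can create an AF_ALG socket, which the discussed issue requires."""
    if not hasattr(socket, "AF_ALG"):
        return False, "AF_ALG not exposed by this Python or OS build"
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        # EAFNOSUPPORT: no AF_ALG in this kernel (or its module is blocked).
        # EPERM/EACCES: the socket family is denied to us by some policy.
        return False, errno.errorcode.get(exc.errno, str(exc))
    sock.close()
    return True, "AF_ALG socket created"


def loaded_algif_modules(proc_modules_text):
    """Parse /proc/modules-style text and return the algif_* module names.
    Assumption (not in the thread): algif_* modules back the AF_ALG user
    interface, so listing them is a useful inventory signal across hosts."""
    found = []
    for line in proc_modules_text.splitlines():
        name = line.split(" ", 1)[0]
        if name.startswith("algif_"):
            found.append(name)
    return sorted(found)


# Constructed sample of /proc/modules output so the parser runs offline.
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0x0000000000000000
algif_hash 16384 0 - Live 0x0000000000000000
af_alg 32768 2 algif_aead,algif_hash, Live 0x0000000000000000
ext4 786432 1 - Live 0x0000000000000000
"""

if __name__ == "__main__":
    print("AF_ALG reachable:", af_alg_reachable())
    try:
        with open("/proc/modules") as fh:
            print("algif modules:", loaded_algif_modules(fh.read()) or "none")
    except OSError:  # not Linux or /proc unavailable: show the sample instead
        print("algif modules (sample):", loaded_algif_modules(SAMPLE_PROC_MODULES))
```

A host where the unprivileged account cannot open the socket has removed the precondition this thread describes; a host where it can should be checked with the provider for the fix or mitigation the first post mentions.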

    fisicx

    Moderator
    Sep 12, 2006
    46,916
    8
    15,504
    Aldershot
    www.aerin.co.uk
    How does a compromised WP site give you root access to the server?

    I can sort of see how they could gain access to the cPanel of that site but not the server root.

    ukwebhosting

    > How does a compromised WP site give you root access to the server?
    >
    > I can sort of see how they could gain access to the cPanel of that site but not the server root.
    It's less at that point related to Wordpress, as that is just a way to upload a shell script, for example, or any manner of other bits and pieces.

    After that Wordpress is irrelevant; it's just an open window into the files etc., so to speak.

    Which then allows the exploit to be used, which gives you root access.

    A proof of concept is here https://copy.fail/

    It could be Wordpress, Zen Cart, Joomla etc. etc., basically usually one that has not been kept up to date and something they are using has an active vulnerability.

    Thanks

    Paul

    gpietersz

    Free Member
  • Business Listing
    Sep 10, 2019
    2,796
    2
    749
    Northwhich, Cheshire
    pietersz.net
    @WebPulselab I am curious about how you run cPanel & WHM inside a container still giving them access to everything they manage but somehow not able to damage the sites they manage. This seems contradictory to me.

    If you mean the Linux kernel issue, it can escape containers. Unless your container host disabled the relevant features you were just lucky AFAIK.

    The common scenarios for running cPanel and WHM are shared hosts (again, interested to know how you containerise that) or people who want a web UI for managing a server or VPS. In the last case it's already an isolated system.
    Maybe this is a good advert for Webmin & Blesta for server/hosting management!
    @gpietersz nice to meet you.
    I am not using cPanel and WHM at all. In my opinion it is not serious to host an average website within shared hosting, where one of the websites could be out of resources because all of them are consumed by some other. Also there is no way of scaling the project.

    About the Linux kernel issue, it depends on the cloud provider: your stack can be redeployed on an up-to-date version if there are any in the list, or downgraded in the same way, to avoid facing the issue.

    BTW, cPanel and WHM can be deployed as a Docker container, but still for end customers it will be shared hosting with limited access.

    fisicx

    > @gpietersz nice to meet you.
    > I am not using cPanel and WHM at all. In my opinion it is not serious to host an average website within shared hosting, where one of the websites could be out of resources because all of them are consumed by some other. Also there is no way of scaling the project.
    >
    > About the Linux kernel issue, it depends on the cloud provider: your stack can be redeployed on an up-to-date version if there are any in the list, or downgraded in the same way, to avoid facing the issue.
    >
    > BTW, cPanel and WHM can be deployed as a Docker container, but still for end customers it will be shared hosting with limited access.
    None of that means anything to your average website owner (ie me).

    Shared hosting works just fine for many. Most businesses will have a brochure type site that attracts only a few visitors each day. Decent shared hosting won't let any one site consume all the resources. If you choose a £1.99 hosting package that's different.

    gpietersz

    > I am not using cPanel and WHM at all.

    So the vulnerabilities do not exist in the containers you manage because you are not running the software that contains the vulnerabilities? Yes, that would definitely work. 😂

    > In my opinion it is not serious to host an average website within shared hosting
    For small business websites there is a tradeoff between convenience, cost and security. It's not something I ever use (even the shared host I do use for my personal requires you to do things on the command line over ssh) for a web server, but I am used to admining web servers. For someone running a small site for a small business it may not be worth the extra cost of paying someone to admin, or the time to acquire the skills themselves.
