Category: Server

Vulnerability in the kernel allows privilege escalation through directory manipulation

Recently Qualys security researchers (a cloud security, compliance and related services company) released details of a vulnerability what they detected and what they affect the Linux kernel.

CVE-2021-33909 affects the kernel and allows a local user to achieve code execution and escalate privileges by manipulating highly nested directories.

The vulnerability is due to the lack of validation of the result of converting size_t to type int before performing operations on the seq_file code, which creates files from a sequence of records. Lack of validation can result in writes to an area outside the buffer limits when creating, mounting, and dropping a directory structure with a very high level of nesting (path size greater than 1GB).

Any non-privileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration.

As a result, an attacker can get a 10-byte string “// deleted” with an offset of “- 2 GB – 10 bytes”, pointing to the area immediately before the allocated buffer.

The threat of vulnerability is compounded by the fact that researchers were able to prepare functional exploits on Ubuntu 20.04, Debian 11 and Fedora 34 in the default settings. It is noted that other distributions have not been tested, but theoretically, they are also susceptible to the problem and can be attacked.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and gain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely to be vulnerable and probably exploitable.

The work of the exploit boils down to creating a hierarchy of roughly a million directories nested via mkdir () call to achieve a file path size greater than 1GB.

This directory is bind-mount mounted in a separate user namespace, after which the rmdir () function is run to remove it. In parallel, a thread is created that loads a small eBPF program, which hangs at the stage after verifying the eBPF pseudocode, but before its JIT compilation.

In the unprivileged user ID namespace, the / proc / self / mountinfo file opens and reads the long directory path mounted with bind-mount, resulting in the line “// deleted” being written in the region before the start of the buffer. The position for writing the line is chosen in such a way that it overwrites the instruction in the already tested but not yet compiled eBPF program.

Furthermore, at the eBPF program level, uncontrolled writing out of the buffer is transformed into a read / write capability controlled in other kernel structures by manipulating the btf and map_push_elem structures.

The exploit then places the modprobe_path [] buffer in kernel memory and overwrites the path “/ sbin / modprobe” in it, allowing any executable file to be launched as root if a request_module () call is made, which is executed for example when creating a netlink socket ..

Researchers have provided several solutions that are effective only for a specific exploit, but they do not fix the problem itself.

As such it is recommended to set the parameter “/ proc / sys / kernel / unprivileged_userns_clone” to 0 to disable mounting of directories in a separate userid namespace and “/ proc sys / kernel / unprivileged_bpf_disabled” to 1 to disable the loading of eBPF programs into the kernel.

In addition to the fact that all users of a Linux distribution are also recommended to update their system to have the corresponding patch. The problem has been evident since July 2014 and it affects kernel versions since 3.16. The vulnerability patch was coordinated with the community and accepted in the kernel on July 19.

Finally, if you are interested in knowing more about it, you can consult the details in the following link.

Do you needs a dedicated server for hosting your website or application?

Your web site gets thousands of visitors regularly, at that point you ought to think about a dedicated server or you need exclusivity or Security or Company Policy you must certainly go for the dedicated server.

We should audit four reasons you ought to think about deciding for a dedicated server.

  • Your site is developing and should have the option to deal with an expansion in rush hour ?

In the event that you foresee that your site will develop rapidly, it may be a smart thought to select a devoted dedicated server now. For instance, if your site is as yet utilizing shared hosting when your traffic spikes, its presentation could drop altogether. This can be a tricky slant of higher skip rates and loss of income. It’s imperative to give yourself an opportunity to relocate your site and ‘settle’ its exhibition before any potential issues emerge.

As per FXBlog, your webpage ought to be set up to deal with spikes of up to multiple times your typical day by day traffic, to represent advancements and unique occasions. In case you’re not readied, your site could crash or in any case lead to a negative client experience (UX).

  • Security is a top priority for your site

Security is significant for each site, however particularly for those taking care of delicate data. This could incorporate secret messages, credit card numbers, or delicate client data. It’s essential to shield this data and your site from infections, hacks, and different dangers.

With a committed dedicated server, you’re totally accountable for your site’s security. This implies you can improve the highlights you requirement for the particular prerequisites of your site and put away records. Obviously, you’re likewise liable for how these highlights are executed, yet this is one of the advantages of adaptability.

Notwithstanding, a few hosts offer completely oversaw and semi-oversaw support plans. More or less, you can frequently determine what both you and your host will be answerable for, which implies you can confide with a specialist with strategic usefulness while taking care of every single other concern straightforwardly.

  • You’d like your page loading times to be ideal

Your page loading times can significantly affect for all intents and purposes for all parts of your site. Slow pages can prompt low commitment measurements and high ricochet rates. A devoted server can assist you with optimizing this part of your site however much as could be expected.

On a shared hosting server, you won’t have any knowledge of when the server’s assets are being utilized somewhere else, which could make your site run gradually. Choosing a devoted server will promise you to have the transfer speed you have to improve your page stacking times.

  • Having control over your server is critical to you

The last explanation you might need to pick a devoted exclusive dedicated server over different alternatives is a straightforward one: control. We’ve suggested this in past areas, however, committed planning gives you complete obligation over how you decide to utilize your server.

For instance, you’re even allowed to pick the server programming you like. In the event that you favor the asset control of NGINX over Apache, you have the ability to do as such. In addition, you can modify server configuration software details and introduce your own working framework. Along these lines, committed facilitating might be an alluring alternative for cutting edge web designers and those with exceptional and explicit necessities. Choose The Best Plan from Systron – Leaders in Dedicated Server hosting For over two decades.

Which dedicated server is the best for you?

There are several variant of dedicated server available with us and as per your requirements, you should choose a dedicated server setup accordingly.

  • Basic Dedicated Server 

If a client has outgrown from a shared or reseller or VPS hosting account then normally he requires a dedicated server with his basic requirements. In this case client do not require much RAM, Hard Disk and basic Operating System installed on the dedicated server. Their main aim to upgrade to a Dedicated server is to improve the website response time. AMD Servers upto 32 GB RAM are available with us.

  • High-end Dedicated Server

This probably is the next stage of a basic dedicated server hosting package where a client is expecting a good performance of the server as he has understood that his requirements are on a rise now which is then followed by a Quad-Core Configuration. However, different clients have different requirements and setup of the dedicated servers as per their selection is important. In fact, at times there are many pre-requisites that a web server hosting company should take care of. Systron Offers Intel Dedicated Servers with 64 GB Of memory. If you want higher configuration contact sales@systron.net, Servers with memory up to 256 GB RAM can be provisioned within 24 hours of order.

  • Bandwidth Dedicated Server 

This server is required when a client needs to run live Audio/video streaming websites such as you-tube. He will not only need a high-specs server configuration, but also a good amount bandwidth which ranges from basic standard metered bandwidth per month to un-metered bandwidth of 100Mbps or 1Gbps Un-metered Bandwidth because the requirement of Data Transfer is high on these kinds of websites and it should be able to download or upload on the server as fast as possible. Systron offers 10GBps to 100 Gbps Ports for such type of hosting.

  • Database Dedicated Server 

Those who run Databases such as MySQL or MariaDB or PostgreSQL or MS SQL on a dedicated server are known as Database Dedicated Server Hosting. To host database server you will require more resources and higher-end server configurations in order to completely manage dedicated servers. Systron offers various specs according to your need, contact sales@systron.net.

  • Application Dedicated Server

The servers which are utilized to host Applications are known as Application Dedicated Web Servers. The client can host all kinds of legal applications such as live chat software, Flash tutorials, Media file installations, PHP Applications, .NET Applications, Node.js and other frameworks works well with such dedicated servers

  • Server Mirroring Dedicated Server

Many clients require their data mirrored to another server. This is because they do not wish to lose any data at any point in time. Servers are synchronized in order to transfer data from one server to another. RAID Configurations are set up on the same theme as dedicated Server mirroring. The only main difference is that RAID mirrors/strips on Hard Disks and Server Mirroring is the Server concept.

  • Email Hosting Dedicated Server

For securely hosting all your emails on your own dedicated server, you should order a dedicated server preferably with Plesk panel. Systron Technical support will help you set up, SPF records, DKIM and DMARC.  Apart from it bundling this solution with  Spam Filtering and Email Continuity solution would give you robust results.

Dedicated Server Hosting is here to stay for long

Shared web hosting can appear to be an amazing value from a cost point of view, with feature-packed products available for just a few dollars every month. But the reality is often very different, and they’re not always the bargains they seem, Performance will be poor as there aren’t enough resources to go around, and the extra load could mean more server problems and downtime, they do not withstand the performance needed to exploit the surging businesses.

Opting for a dedicated server means that you get an entire server to yourself. There’s no sharing of CPU time, RAM, or bandwidth, which means your website stays responsive at all times.

Dedicated Server hosting implies that you also get far more control over how the server is configured. You can add and remove software, install updates, or tweak all settings, allowing you to optimize the server for your specific needs.

Best of all, dedicated server hosting contracts often come with fast and knowledgeable support. Systron Micronix will even monitor your server for issues, like failed services, and can often fix them before you’ve realized there was a problem.

This kind of power doesn’t come cheap, and although there are some good signup deals around, you can easily spend $100-$1000 a month and more on just a package that suits your needs.

With that kind of investment, it’s important to make the right choice for right dedicated server. Systron Micronix Fits on all parameters of scalability, Security, Performance and Support at a very reasonably priced cost. Systron accepts payments using all major credit cards, PayPal and BitCoin.