Linux is considered to be much more secure then Windows. Over the last years however, several big Linux vulnerabilities were discovered . This definitely doesn’t mean that Linux is suddenly an insecure operating system. What it does mean is that you need to monitor and patch your systems. The same goes of course for Windows server, but I’l try to go into detail about WSUS updates in another post.
When you look at the latest Red Hat security advisories, it becomes very clear that you need to implement a system which automatically installs security updates. Doing this manually on 500+ servers would be crazy and a big waste of time. You also need make sure you always have a recent snapshot or backup in place, preferably right before the time the security updates are installed.
RunDeck allows you to do such a thing. After adding your Linux server as nodes to RunDeck, you can easily schedule a job containing a workflow where a VMware snapshot could be taken after which the installation of the security updates can be started safely.
I’ll try to go over the most famous Linux vulnerabilities and summarize some very basic information abut them.
Security bug disclosed 01/04/2014 by Neel Mehta (Google) in the OpenSSL cryptography library, qualified as a buffer over-read situation where more data can be read than should be allowed.
Everybody must have heard of Heartbleed, discovered 24/09/14 by Stephane Chazelas. Shellshock allows attackers to execute any kind of code, smuggled in environment variables. Anything that invokes the flawed open-source shell and passes in malicious variables, which seems to be surprisingly easy to do, is vulnerable to being hijacked.
The last critical security flaw to hit the news 16/01/2016 was Ghost. It’s a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. It was discovered by a Google engineer. The glibc maintainers had previously been alerted of the issue via their bug tracker in July 2015. The issue was solved by a combined effort of two engineers o the Red Hat team, the Google team and the glibc team. Check out the Google blogpost.
- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
Kernel Zero-Day Flaw
19/01/2016 a new critical zero-day Linux vulnerability has been found in the kernel that could allow attackers to gain root privileges. It has been discovered by a research group named Perception Point. The issue was apparently present since 2012 and is the result of a reference leak in the keyrings facility built into Linux. The keyrings facility is a way to encrypt and store login data, encryption keys and certificates and make them available to applications.
A PoC was released on GitHub with an example exploit code.
Patch your impacted systems against Linux vulnerabilities
Ensure that you are running the latest patch level. If it’s a virtual machine, take a VMware snapshot first, so that in worst case scenario, you can go back.
CentOS / Red Hat / Fedora
sudo yum update bash -y
Ubuntu / Debian
sudo apt-get update && sudo apt-get upgrade
You can schedule this easily with for example Nagios Reactor. It allows you execute commands over SSH on scheduled intervals. In combination with the VMware snapshot chain, you easily create a robust patching ecosystem. Please note that Nagios reactor is completely free, but is still in beta. It also only seems to work on CentOS 6.
You can use an inline script such as this to start a yum update on your Linux serves:
WriteLog Output Info "Executing yum update"
YumOutput=$(sudo yum update -y)
WriteLog Output Info "Yum Output: \n$YumOutput"
#if [ YumSuccess -eq 0 ]; then
# WriteLog Output Info "Yum update sucessfully."
# exit 0
# WriteLog Output Error "Yum update failed."
# exit 2
WriteLog Verbose Info "Reboot: @option.reboot@"
if [[ "@option.reboot@" = "true" ]] ; then
sudo shutdown -r +1 "Server will restart in 1 minute. Please save your work."
WriteLog Output Info "Reboot in one minute initiated."
WriteLog Output Info "Server updated. No reboot scheduled."
The job only requires one variable and that I called reboot. This can be set to true or false.
This is a screenshot of the Log Output of a RunDeck job: