Linux Vulnerabilities Overview


Linux is considered to be much more secure then Windows. Over the last years however, several big Linux vulnerabilities were discovered . This definitely doesn’t mean that Linux is suddenly an insecure operating system. What it does mean is that you need to monitor and patch your systems. The same goes of course for Windows server, but I’l try to go into detail about WSUS updates in another post.

When you look at the latest Red Hat security advisories, it becomes very clear that you need to implement a system which automatically installs security updates. Doing this manually on 500+ servers would be crazy and a big waste of time. You also need make sure you always have a recent snapshot or backup in place, preferably right before the time the security updates are installed.

RunDeck allows you to do such a thing. After adding your Linux server as nodes to RunDeck, you can easily schedule a job containing a workflow where a VMware snapshot could be taken after which the installation of the security updates can be started safely.

I’ll try to go over the most famous Linux vulnerabilities and summarize some very basic information abut them.


Security bug disclosed 01/04/2014 by Neel Mehta (Google) in the OpenSSL cryptography library, qualified as a buffer over-read situation where more data can be read than should be allowed.

  • CVE-2014-0160

Linux vulnerabilities Hearthbleed

Shellshock (Bashdoor)

Everybody must have heard of Heartbleed, discovered 24/09/14 by Stephane Chazelas. Shellshock allows attackers to execute any kind of code, smuggled in environment variables. Anything that invokes the flawed open-source shell and passes in malicious variables, which seems to be surprisingly easy to do, is vulnerable to being hijacked.

Just in case specific CGI scripts are vulnerable, you could use Shellshock Tester or Shellshock Test Tool.

  • CVE-2014-6271
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7169
  • CVE-2014-7186
  • CVE-2014-7187

Linux vulnerabilities Shellshock


The last critical security flaw to hit the news 16/01/2016 was Ghost. It’s a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. It was discovered by a Google engineer. The glibc maintainers had previously been alerted of the issue via their bug tracker in July 2015. The issue was solved by a combined effort of two engineers o the Red Hat team, the Google team and the glibc team. Check out the Google blogpost.

  • CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Linux vulnerabilities Ghost

Kernel Zero-Day Flaw

19/01/2016 a new critical zero-day Linux vulnerability has been found in the kernel that could allow attackers to gain root privileges. It has been discovered by a research group named Perception Point. The issue was apparently present since 2012 and is the result of a reference leak in the keyrings facility built into Linux. The keyrings facility is a way to encrypt and store login data, encryption keys and certificates and make them available to applications. 

A PoC was released on GitHub with an example exploit code.

  • CVE-2016-0728

Patch your impacted systems against Linux vulnerabilities

Ensure that you are running the latest patch level. If it’s a virtual machine, take a VMware snapshot first, so that in worst case scenario, you can go back.

CentOS / Red Hat / Fedora

Ubuntu / Debian

You can schedule this easily with for example Nagios Reactor. It allows you execute commands over SSH on scheduled intervals. In combination with the VMware snapshot chain, you easily create a robust patching ecosystem. Please note that Nagios reactor is completely free, but is still in beta. It also only seems to work on CentOS 6.


You can use an inline script such as this to start a yum update on your Linux serves:

The job only requires one variable and that I called reboot. This can be set to true or false.

This is a screenshot of the Log Output of a RunDeck job:

DAF Linux Yum




Cryan Syntax Highlighter Examples


Syntax highlighting allows code in posts to be highlighted based on the language it’s written in, to make it easier to read. The Cryan Syntax Highlighter code is Open Source. You can find it not GitHub here. It is written in PHP and jQuery and supports customizable languages and themes.

There are so many different themes, I decided to make list of examples to make it easier choosing the one that fits best for the job. Being able to choose from so many themes is pretty awesome to start with. Even better though is the Crayon Syntax Highlighter Theme Editor, which allows you to duplicate a theme and edit it with your own preferences and / or personal house style.

OutsideIT Theme

Other Themes

1c Kod

 1c Zapros




Arduino Ide



 Cg Cookie

 Cisco Router


Coda Special Board


Dark Terminal





Flatui Light



Inlellij Idea

 Iris Vfx



Light Abite

 Mirc Dark

Mm Dark Blue




 Obsidian Light


Orange Code

Plain White


Powershell ISE

Prism Like




Secrets Of Rock

Shell Default

Solarized Dark

Solarized Light

Son Of Obsidian


Sublime Text



Tomorrow Night



Visual Assist


 Vs2012 Black



Cryan Syntax Highlighter Options

This is a screenshot of the pop you get when adding code. As you can see the basics are very simple.


But if you want more options, no problems. Scroll down to the settings and play around with all the possible settings.


Final Words

The featured image of this post has become my  default theme of choice for most pieces of code. It would be nice to have a way to change the theme of all the highlighted code I put on my website at once. If anyone knows how to do this, please let me know.