Linux Vulnerabilities Overview

Introduction

Linux is considered to be much more secure than Windows. Over the last few years, however, several big Linux vulnerabilities were discovered. This definitely doesn’t mean that Linux is suddenly an insecure operating system. What it does mean is that you need to monitor and patch your systems. The same goes of course for Windows Server, but I’ll try to go into detail about WSUS updates in another post.

When you look at the latest Red Hat security advisories, it becomes very clear that you need to implement a system which automatically installs security updates. Doing this manually on 500+ servers would be crazy and a big waste of time. You also need to make sure you always have a recent snapshot or backup in place, preferably taken right before the security updates are installed.

RunDeck allows you to do such a thing. After adding your Linux servers as nodes to RunDeck, you can easily schedule a job containing a workflow in which a VMware snapshot is taken, after which the installation of the security updates can be started safely.

I’ll try to go over the most famous Linux vulnerabilities and summarize some very basic information about them.

Heartbleed

Security bug disclosed 01/04/2014 by Neel Mehta (Google) in the OpenSSL cryptography library, qualified as a buffer over-read situation where more data can be read than should be allowed.

  • CVE-2014-0160

Shellshock (Bashdoor)

Everybody must have heard of Heartbleed, discovered 24/09/14 by Stephane Chazelas. Shellshock allows attackers to execute any kind of code, smuggled in environment variables. Anything that invokes the flawed open-source shell and passes in malicious variables, which seems to be surprisingly easy to do, is vulnerable to being hijacked.

Just in case specific CGI scripts are vulnerable, you could use Shellshock Tester or Shellshock Test Tool.

  • CVE-2014-6271
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7169
  • CVE-2014-7186
  • CVE-2014-7187

Ghost

The last critical security flaw to hit the news 16/01/2016 was Ghost. It’s a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. It was discovered by a Google engineer. The glibc maintainers had previously been alerted to the issue via their bug tracker in July 2015. The issue was solved by a combined effort of two engineers of the Red Hat team, the Google team and the glibc team. Check out the Google blog post.

  • CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Kernel Zero-Day Flaw

On 19/01/2016 a new critical zero-day Linux vulnerability was found in the kernel that could allow attackers to gain root privileges. It was discovered by a research group named Perception Point. The issue was apparently present since 2012 and is the result of a reference leak in the keyrings facility built into Linux. The keyrings facility is a way to encrypt and store login data, encryption keys and certificates and make them available to applications.

A PoC with example exploit code was released on GitHub.

  • CVE-2016-0728

Patch your impacted systems against Linux vulnerabilities

Ensure that you are running the latest patch level. If it’s a virtual machine, take a VMware snapshot first, so that in a worst-case scenario you can roll back.

CentOS / Red Hat / Fedora

Ubuntu / Debian

You can schedule this easily with, for example, Nagios Reactor. It allows you to execute commands over SSH at scheduled intervals. In combination with the VMware snapshot chain, you can easily create a robust patching ecosystem. Please note that Nagios Reactor is completely free, but is still in beta. It also only seems to work on CentOS 6.

RunDeck

You can use an inline script such as this to start a yum update on your Linux servers:

The job only requires one variable, which I called reboot. This can be set to true or false.
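An added example of such an inline script, not the author's original: it picks the update command per distribution family (covering the CentOS / Red Hat / Fedora and Ubuntu / Debian cases above) and validates the reboot value before anything runs. The function names, the APPLY variable and passing reboot as the first argument (in RunDeck, for instance, via the script arguments `${option.reboot}`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's script. Dry run unless APPLY=1.

# os_field KEY FILE: print KEY's value from an os-release file, unquoted.
os_field() {
    sed -n "s/^$1=//p" "$2" | tr -d '"' | head -n 1
}

# update_cmd [FILE]: print the full-update command for the distro family.
update_cmd() {
    f="${1:-/etc/os-release}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    # ID first, then ID_LIKE, so CentOS (ID_LIKE="rhel fedora") maps to yum.
    for id in $(os_field ID "$f") $(os_field ID_LIKE "$f"); do
        case "$id" in
            rhel|centos)   echo "yum -y update"; return 0 ;;
            fedora)        echo "dnf -y upgrade"; return 0 ;;
            debian|ubuntu) echo "apt-get update && apt-get -y upgrade"; return 0 ;;
        esac
    done
    echo "unsupported distribution in $f" >&2
    return 1
}

# want_reboot VALUE: 0 for "true", 1 for "false", 2 for anything else.
want_reboot() {
    case "$1" in
        true)  return 0 ;;
        false) return 1 ;;
        *)     echo "reboot must be true or false, got '$1'" >&2; return 2 ;;
    esac
}

# patch_host REBOOT [FILE]: validate both inputs before touching the system.
patch_host() {
    cmd=$(update_cmd "$2") || return 1
    rb=0; want_reboot "$1" || rb=$?
    [ "$rb" -le 1 ] || return 2
    if [ "${APPLY:-0}" != 1 ]; then          # default: only print the plan
        echo "$cmd"
        if [ "$rb" -eq 0 ]; then echo "shutdown -r +1"; fi
        return 0
    fi
    sh -c "$cmd" || return 1                 # never reboot after a failed update
    if [ "$rb" -eq 0 ]; then shutdown -r +1 "security updates installed"; fi
}

# Runs only when given arguments, e.g. "true" from the job's reboot option.
if [ "$#" -gt 0 ]; then patch_host "$@"; fi
```

Run without APPLY=1 it only prints the commands it would execute, which is a convenient first pass over a new node set before the scheduled job is allowed to change anything.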

This is a screenshot of the Log Output of a RunDeck job:

Crayon Syntax Highlighter Examples

Introduction

Syntax highlighting allows code in posts to be highlighted based on the language it’s written in, to make it easier to read. The Crayon Syntax Highlighter code is open source. You can find it on GitHub here. It is written in PHP and jQuery and supports customizable languages and themes.

There are so many different themes that I decided to make a list of examples to make it easier to choose the one that fits best for the job. Being able to choose from so many themes is pretty awesome to start with. Even better though is the Crayon Syntax Highlighter Theme Editor, which allows you to duplicate a theme and edit it with your own preferences and / or personal house style.

OutsideIT Theme

Other Themes

  • 1c Kod
  • 1c Zapros
  • 809finest
  • Ado
  • Amiti
  • Arduino Ide
  • Bncplusplus
  • Capacitacionti
  • Cg Cookie
  • Cisco Router
  • Classic
  • Coda Special Board
  • Coy
  • Dark Terminal
  • Eclipse
  • Epicgeeks
  • Familiar
  • Feeldesign
  • Flatui Light
  • Github
  • Idle
  • Inlellij Idea
  • Iris Vfx
  • Kaderu
  • Kayote
  • Light Abite
  • Mirc Dark
  • Mm Dark Blue
  • Monokai
  • Neon
  • Obsidian
  • Obsidian Light
  • Onderka15
  • Orange Code
  • Plain White
  • Powershell
  • Powershell ISE
  • Prism Like
  • PsPad
  • Qtcreator
  • Raygun
  • Secrets Of Rock
  • Shell Default
  • Solarized Dark
  • Solarized Light
  • Son Of Obsidian
  • Ssms2012
  • Sublime Text
  • Terminal
  • Tomorrow
  • Tomorrow Night
  • Turnwall
  • Twilight
  • Visual Assist
  • Vs2012
  • Vs2012 Black
  • X3info
  • Xcode

Crayon Syntax Highlighter Options

This is a screenshot of the pop-up you get when adding code. As you can see, the basics are very simple.

But if you want more options, no problem. Scroll down to the settings and play around with all the possible settings.

Final Words

The featured image of this post has become my default theme of choice for most pieces of code. It would be nice to have a way to change the theme of all the highlighted code I put on my website at once. If anyone knows how to do this, please let me know.