We’ve already patched major Linux vulnerability, PwnKit

Avatar of Max
Max
27-01-2022
News

Our shared web hosting servers, and all managed Linux servers, are already patched against a major bug that you might not have heard about yet.

Yesterday (NZ time), some worrying Linux news came out from security researchers at Qualys. They’d discovered a long-standing vulnerability in Linux that can let users turn unprivileged access to a server into full root access. Or, as they put it:

The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges…

Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.

Most Linux servers around the world are affected, which means most MyHost servers are affected. But it’s worth noting that we haven’t seen any evidence that suggests any of our servers have actually been breached.

Patching of web hosting servers and managed servers is complete

As soon as we became aware of Pwnkit, we got to work on securing our servers.

  • All our shared web hosting servers are now patched.
  • All managed Linux servers are now patched.

So if you have a standard web hosting package with us, there’s nothing you need to do. If you have any other package or server and it’s covered by Managed Services, it’s patched too.

If you manage your own servers, act now

We have not patched unmanaged Linux servers. If you manage your own Linux VPS or other server, and especially if it has shared SSH access, you need to patch this critical vulnerability as soon as possible.

Depending on your Linux distro, patching Pwnkit can be a simple job. If you are running the latest LTS version of Ubuntu (20.04) for example, you only need to run a standard system update.

Is it time to talk with us about Server Management?

Our response to bugs like Pwnkit show how valuable our Managed Services really are. There’ll be a lot of MyHost customers who didn’t even hear of this vulnerability before we had secured their infrastructure against it.

If you’d like to talk with us about adding Managed Services to your hosting, we’re always ready to hear from you. Call 0800 454 537, or see how else you can get in touch.