Over the past weeks multiple vulnerabilities were published that can affect VPS users on our platform. These recent vulnerabilities (Copy Fail, Dirty Frag and Fragnesia) were all so-called privilege escalation bugs, where people who already had some type of access could expand that beyond their intended rights. All of these vulnerabilities are now patched in the newest kernels.
We are writing this blogpost to provide a bit of background on such vulnerabilities, and the responsibilities involved.
The current fix
The vulnerabilities existed in the Linux kernel. We patched our kernels as soon as we became aware of them, and all of these vulnerabilities have now been fixed. If you are running kernel version 6.12.90 or higher, you are safe from them.
For the majority of our VPS users, restarting your VPS(es) is sufficient. This can be done either from the Service Centre or by issuing the reboot command from inside the VPS itself.
If your VPS is covered under an SLA (Service Level Agreement, or maintenance contract), we have already upgraded the kernel of your VPS for you; no action is required in that case.
When is restarting not sufficient
By default, our VPSes load the kernel from outside the VPS. This allows us to update the kernel for you, so that only a reboot is required to load the latest version. It is, however, also possible to create a VPS where you manage the kernel yourself: if during creation you selected a Linux image with "(stock kernel)" behind its name, the kernel is managed by you on the VPS itself, and you will have to take different steps to patch these vulnerabilities.
If you do not recall the installation process, you can check who manages the kernel for your VPS by any of these methods:
- You can see what kernel is in use in our Service Centre, under "VPS Cloud" > "VPSs" > "Manage VPS" > "Details". When this shows "Kernel: latest", the kernel is managed by Greenhost.
- Logged in on the VPS, you can see what kernel is currently in use. If you have just restarted and we manage the kernel for you, that kernel should be version 6.12.90 or higher.
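The version comparison behind that second check is easy to get wrong by hand (6.12.90 sorts before 6.1.0 as a plain string), so here is a small POSIX sh script that does it for you. It is an added example and not part of the original Greenhost post; the file name check_kernel.sh and the output wording are our own choices, and the 6.12.90 threshold is the one named above.

```sh
#!/bin/sh
# Added example, not part of the original Greenhost post.
# Reports whether a kernel version meets the 6.12.90 minimum named in the post.
# Saved as check_kernel.sh (our file name) and executed, it checks `uname -r`.

MIN_KERNEL="6.12.90"

# version_ge A B: exit 0 when version A is >= version B.
# Only the leading major.minor.patch numbers are compared; a suffix such as
# "-amd64" or "-18-cloud-amd64" is ignored and missing fields count as 0.
version_ge() {
    # Strip everything from the first non-numeric, non-dot character, then
    # pad with ".0.0" so short versions like "7" or "6.12" still yield 3 fields.
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0"
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kernel_is_patched [VERSION]: prints a verdict for VERSION (default: the
# running kernel) and exits 0 if it is at or above MIN_KERNEL, 1 otherwise.
kernel_is_patched() {
    ver="${1:-$(uname -r)}"
    if version_ge "$ver" "$MIN_KERNEL"; then
        echo "kernel $ver: at or above $MIN_KERNEL, patched"
        return 0
    fi
    echo "kernel $ver: below $MIN_KERNEL, reboot (Greenhost-managed kernel) or upgrade (stock kernel) needed"
    return 1
}

# Run against the live kernel only when executed as check_kernel.sh, so the
# functions can also be sourced from another script.
case "$0" in
    *check_kernel.sh) kernel_is_patched ;;
esac
```

Run it as `sh check_kernel.sh` right after the reboot; a non-zero exit status means the running kernel is still below 6.12.90, which on a Greenhost-managed kernel indicates the reboot did not happen yet and on a stock kernel indicates the manual upgrade described in the next section is still needed.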
How to patch when using a stock kernel
If you manage the kernel yourself, and the current version is lower than 6.12.90, it needs to be updated manually. For this you can issue the following commands on the VPS:
apt-get update
apt-get dist-upgrade
reboot
VPS vulnerabilities and responsibilities
If you previously applied one (or both) of the temporary workarounds we suggested, you can undo them with the following commands:
rm /etc/modprobe.d/dirtyfrag.conf
rm /etc/modprobe.d/disable-algif.conf
General Responsibilities
As a hosting provider, we try to stay aware of vulnerabilities. If we learn of any that are serious, we also try to inform our customers about them.
To this end, we have posted messages through our Service Centre and via the Fediverse, and for one of the vulnerabilities also via e-mail. However, we cannot guarantee that we will always be able to send warnings like this.
When a vulnerability is made public, there are several things we need to do:
Firstly, we need to assess the impact the bug may have on our own systems, and address that. Then we need to assess the impact the bug may have on customer systems under our control, and address that.
Only after that can we start to assess what impact a bug may have on customer systems that are not under our control. The variety of machines this concerns is large, and we have only limited knowledge of what the VPSes are used for. It is therefore very hard to assess what the impact would be and which VPSes could be affected.
That is a judgement call we cannot reliably make, not to mention that we will not always be able to find time for this and that we do not want to overload our customers with e-mails, especially at the unexpected rate at which these vulnerabilities are currently being published.
Therefore, we want to make it clear that, even as we try to inform our customers in case of relevant vulnerabilities or events, we will not always be able to do so in a complete and timely manner.
When you choose to run a VPS, keeping up with updates and following news about these kinds of vulnerabilities remains your own responsibility.
To partially automate keeping your system up to date, you might want to consider installing unattended-upgrades (on Debian or Ubuntu) and configuring it to also reboot after updates.
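The reboot part of that advice is the step most often forgotten: with the package defaults, unattended-upgrades will install a new kernel but never reboot into it, leaving the VPS in exactly the state this post warns about. The script below is an added example, not from the original Greenhost post, showing the configuration keys that change that. It assumes root on a Debian- or Ubuntu-based VPS; the override file name 52unattended-upgrades-local, the 02:00 reboot time and the script name enable_auto_updates.sh are our own choices.

```sh
#!/bin/sh
# Added example, not part of the original Greenhost post: enable
# unattended-upgrades on Debian/Ubuntu and let it reboot when a kernel update
# needs it. Assumes root on a Debian-derived system; the file name
# 52unattended-upgrades-local and the 02:00 default are our choices.

CONF_FILE="/etc/apt/apt.conf.d/52unattended-upgrades-local"

# render_config [HH:MM]: print the apt.conf snippet. The package default leaves
# Automatic-Reboot "false", so a new kernel would be installed but not running,
# which is the same gap a missed reboot leaves.
render_config() {
    reboot_time="${1:-02:00}"
    cat <<EOF
// Local overrides for /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$reboot_time";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
EOF
}

# install_and_enable [HH:MM]: install the package, write the override, switch
# on the daily apt timers and do a dry run so the outcome can be inspected.
install_and_enable() {
    apt-get update
    apt-get install -y unattended-upgrades
    render_config "$1" > "$CONF_FILE"
    # Answers the debconf question that writes APT::Periodic::* to 20auto-upgrades
    echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" \
        | debconf-set-selections
    dpkg-reconfigure -f noninteractive unattended-upgrades
    # Show what would be upgraded without changing anything
    unattended-upgrade --dry-run --debug
}

# Only touch the system when executed directly as root; sourcing the file just
# defines the functions.
case "$0" in
    *enable_auto_updates.sh) [ "$(id -u)" -eq 0 ] && install_and_enable "$1" ;;
esac
```

Pick a reboot time outside your service's busy hours, and keep in mind that the automatic reboot only helps on a stock-kernel VPS, or on a Greenhost-managed kernel when a reboot is what loads the new version; in both cases the running kernel version after the next scheduled reboot is what tells you the fix is active.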
Please let us know if you have any further questions about this. We are of course happy to provide further advice when needed. You can use our contact form or send us an e-mail at support@greenhost.net.