Critical Linux Vulnerability Alert: glibc

A critical security vulnerability has been announced in the GNU glibc library.

This vulnerability affects virtually all Linux servers. The glibc library contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code and remotely take control of your server.

Fixing this vulnerability requires updating “glibc” packages and restarting the service.

Critical Linux Vulnerability Alert: BIND9

A critical security vulnerability has been announced in the BIND9 DNS server.

This vulnerability affects all installations of the BIND DNS server. It potentially allows any remote attacker to disable your BIND DNS server, which could cause an interruption in your web, email, and other services.

Fixing this vulnerability requires updating “bind” packages and restarting the service.

Critical Linux Vulnerability Alert: Ghost

A major security vulnerability has recently been identified and announced by security experts, nicknamed “Ghost”. It is especially severe because it potentially allows remote users to gain complete root control over Linux servers.

Ghost affects most Linux distributions. Resolving the vulnerability requires updating the glibc package AND rebooting your server.

Ubuntu 10.04 End Of Life is Approaching

Ubuntu 10.04.4 (LTS) Desktop and Server editions were released on February 16, 2012. This very popular and stable release was installed on thousands of computers around the world. The Desktop edition reached End Of Life (EOL) on May 9, 2013, but the Server edition is supported until April 2015. See https://wiki.ubuntu.com/Releases. With the EOL date quickly approaching, Ubuntu 10.04.4 is still running on many servers across the Internet. Is yours one of them?

After reaching EOL, a release no longer receives security or bug fixes from Canonical. That leaves computers which continue to run the EOL release vulnerable to any new security flaws which are subsequently discovered. With the recent rash of problems like Heartbleed, Poodle, and Shellshock, the need to keep your server up to date is clear.

Canonical provides an upgrade path between LTS (long term support) releases. For a server running 10.04.4, the upgrade path would be to 12.04. Performing this upgrade can be a simple process:

sudo apt-get update                           # refresh the list of available packages
sudo apt-get upgrade                          # apply all pending updates on the current release
sudo apt-get install update-manager-core      # install the upgrade tool if it is not already present
sudo do-release-upgrade                       # perform the release upgrade (must run as root)

This process does not always go smoothly, however, and can result in a server that won’t boot. Before attempting the upgrade, be sure that you have a reliable backup of all your server’s important data, such as website content, databases, email and configuration files. If the upgrade process fails, you will at least be able to restore the data to a working machine.

A far less risky strategy is to install a more recent operating system such as Ubuntu 14.04 onto a separate server, and then copy over the content from your old server. There are usually bugs to work out such as incompatibilities between versions of Apache, PHP or MySQL for example. It’s much less stressful to solve these problems on a separate test server than it is to solve them on a production server which was broken by a failed release upgrade.

Take the time now to plan your upgrade strategy and to verify that your backups are working. Pantek has performed operating system upgrades for many happy clients and we’d like to schedule yours before the upcoming April 2015 EOL date arrives. Don’t wait until the last minute; call us now!

Critical Linux Vulnerability Alert: Poodle

A new critical exploit has been announced in the form of a vulnerability in a legacy encryption implementation, SSLv3. The POODLE bug exploits an older encryption protocol and may allow a hacker to gain access to a secure session between a client and server utilizing SSLv3. More info on POODLE can be found here:

https://www.us-cert.gov/ncas/alerts/TA14-290A

This flaw in SSLv3 may allow hackers to gain access to encrypted information such as HTTP cookies used in the session via a man-in-the-middle attack.

This vulnerability is not as critical as Shellshock or Heartbleed as attackers cannot exploit this flaw remotely. However, it is important to fix this issue as it could put sensitive data at risk of being exposed. Resolving this issue is also required for PCI compliance.

This attack requires both the client and the server to be using SSLv3 in order to be exploited. The easiest way to protect yourself is to upgrade one or both ends of the connection. On the client side, the only browser that still does not support TLS is Internet Explorer 6. Fixing this bug will effectively leave IE6 users out in the cold, security-wise. Modern browsers have the capability to turn off SSLv3 connections. See: http://www.tomsguide.com/us/poodle-fix-how-to,news-19775.html

You can test your site to see if it is vulnerable to the POODLE bug at: https://www.poodlescan.com/

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance in determining if your server has been affected, or to fix the vulnerability, please open a Support Ticket via the Pantek Portal: https://portal.pantek.com/clientarea.php

Pantek Clients who have purchased a Managed Service Plan will receive a separate notification, as management of these third-party security issues is included without incurring extra charges.

You can find more details on our Managed Service Plans here:  http://www.pantek.com/managed

Critical Linux Security Vulnerability Alert: Shellshock

A major security vulnerability has recently been identified and announced by security experts, nicknamed Shellshock. It is especially severe because it potentially allows remote users to gain complete root control over Unix, Linux, and OS X servers through a flaw in the Bash shell.

Due to the extreme severity rating of this vulnerability (CVSS score of 10), we are informing all Pantek clients, and encourage you to check your server status immediately.

You can find out more details of this vulnerability here:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

This vulnerability affects versions 1.14 through 4.3 of GNU Bash.

Patches have been issued by many of the major Linux distribution vendors:

  • Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
  • CentOS (versions 5 through 7)
  • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
  • Debian

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance in determining if your GNU Bash has been affected, or to fix the vulnerability, please open a Support Ticket via the Pantek Portal: https://portal.pantek.com/clientarea.php

Pantek Clients who have purchased a Managed Service Plan will receive a separate notification, as management of these third-party security issues is included without incurring extra charges.

You can find more details on our Managed Service Plans here: http://www.pantek.com/managed

IMPORTANT UPDATE: Major New SSL Vulnerability

A major new SSL vulnerability has been recently identified by security experts, nicknamed the “CCS Injection Vulnerability” or “MITM CCS Injection Attack”. It is especially severe because it allows anyone on the Internet to decrypt your encrypted data sent using SSL/TLS and HTTPS technologies, at any point between your server and the client accessing your encrypted data. Attackers can eavesdrop on and modify your encrypted communications if both your server and the client are vulnerable, and can completely hijack the authenticated session even if only the server is vulnerable.

You can find out more details of this vulnerability here:
http://ccsinjection.lepidum.co.jp/

To determine if your server(s) are vulnerable, check what version of OpenSSL is installed. All OpenSSL versions ARE vulnerable EXCEPT these listed below:

OpenSSL 1.0.1h is NOT vulnerable
OpenSSL 1.0.0m is NOT vulnerable
OpenSSL 0.9.8za is NOT vulnerable

If your server(s) are vulnerable, in order to fix this vulnerability, you will need to upgrade your version of OpenSSL; and ideally completely re-issue and re-install all your SSL certificate(s).

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance to determine if your server(s) are indeed vulnerable, or to fix the vulnerability, please contact our support team using any of the normal methods. For fastest response, we recommend opening a Support Ticket via the Pantek Portal: https://portal.pantek.com

Typically, our team can determine if your server is vulnerable with a time expenditure of 15 minutes. Vulnerable servers can typically be patched and SSL certificates replaced with an additional 30-45 minute time expenditure, but this may vary with certain configurations.

Pantek Clients who have purchased a Managed Service Plan will receive a separate notification, as management of these third-party security issues is included without incurring extra charges. You can find more details on our Managed Service Plans here:

https://www.pantek.com/managed

Critical Vulnerability Alert: “Heartbleed Bug”

A major vulnerability, nicknamed the “Heartbleed Bug” by security experts, has been identified. It is especially severe because it allows anyone on the Internet access to your encrypted data sent using SSL/TLS and HTTPS technologies. This compromises the secret keys used to encrypt the traffic, the names and passwords of the users, and the actual content. It allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

You can find out more details of this vulnerability here: http://heartbleed.com

To determine if your server is vulnerable, you will need to check what version of OpenSSL is installed on your server. All OpenSSL versions 1.0.1 through 1.0.1f are vulnerable, but the following versions are already secure (and no further action would be required):

OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

If your server is vulnerable, in order to fix this vulnerability, you will need to both (a) Upgrade your version of OpenSSL; and (b) Completely re-issue and re-install all your SSL certificate(s).
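As an added example (not code from any of the advisories above), the following Python turns the version lists in the CCS Injection and Heartbleed notices into a check over `openssl version` output. It generalizes the two lists slightly, by assumption: any version at or past its branch's fixed release counts as fixed, and any branch the advisories do not list counts as vulnerable.

```python
import re

# Fixed releases exactly as the two advisories above state them.
CCS_FIXED = {"1.0.1": "1.0.1h", "1.0.0": "1.0.0m", "0.9.8": "0.9.8za"}
HEARTBLEED_FIRST, HEARTBLEED_FIXED = "1.0.1", "1.0.1g"
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_version(ver):
    """'1.0.1g' or '0.9.8za' -> tuple sorting in release order.
    OpenSSL suffixes run a..z then za, zb, ...: every 'z' adds 26 and a
    trailing non-z letter adds its position, so '' < 'a' < 'z' < 'za'.
    A distro build tag such as '1.0.1e-fips' is reduced to '1.0.1e'.
    """
    m = _VER_RE.match(ver.strip().split("-")[0])
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % ver)
    major, minor, fix, letters = m.groups()
    patch = sum(ord(ch) - ord("a") + 1 for ch in letters)
    return (int(major), int(minor), int(fix), patch)

def heartbleed_vulnerable(ver):
    # 1.0.1 through 1.0.1f; the 1.0.0 and 0.9.8 branches were never affected.
    v = parse_version(ver)
    return parse_version(HEARTBLEED_FIRST) <= v < parse_version(HEARTBLEED_FIXED)

def ccs_injection_vulnerable(ver):
    # Vulnerable unless at or past the branch's fixed release. A branch the
    # advisory does not list has no fixed release and is treated as vulnerable,
    # the conservative reading of "all versions except these" (an assumption).
    v = parse_version(ver)
    fixed = CCS_FIXED.get("%d.%d.%d" % v[:3])
    return fixed is None or v < parse_version(fixed)

def assess(openssl_version_line):
    """Classify one line of `openssl version` output."""
    m = re.search(r"OpenSSL\s+(\S+)", openssl_version_line)
    if not m:
        raise ValueError("not `openssl version` output: %r" % openssl_version_line)
    ver = m.group(1)
    return {"version": ver, "heartbleed": heartbleed_vulnerable(ver),
            "ccs_injection": ccs_injection_vulnerable(ver)}

# Constructed sample `openssl version` lines, not captured from any real host.
SAMPLE_LINES = ["OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 0.9.8za 5 Jun 2014"]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(assess(line))
```

Distributions such as Red Hat and Debian often backport the fix without changing the version string, so a "vulnerable" verdict from the version alone must be confirmed against the installed package's changelog before anyone is paged.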

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance to determine if your server(s) are indeed vulnerable, or to fix the vulnerability, please contact our support team using any of the normal methods. For fastest response, we recommend opening a Support Ticket via the Pantek Portal: https://portal.pantek.com

Pantek Clients who have purchased a Managed Service Plan will receive a separate notification, as management of these third-party security issues occurs without extra charges. You can find more details on our Managed Service Plans here:

https://www.pantek.com/managed

Miva Merchant 4 – End of Life Reminder

CybrHost reminds all customers that the Miva Merchant 4 shopping cart is reaching its End of Life. Miva will begin discontinuing most support and updates for Miva Merchant Version 4 on 12/31/2011. This email provides pertinent information on this process, as well as an overview of upgrade options and alternatives.

If you are not using Miva Merchant 4, it is safe to disregard this message.

Dedicated Server Security Upgrade Notification

Upgrade Information for Dedicated Server Customers with CentOS 4, RHEL 4, and Earlier Server OS Versions.

This is a customer server security notification for Physical and Virtual Dedicated Server Customers.

Several operating system versions in use by our dedicated server customers will reach their “End of Life” early in 2012. This means the software manufacturers are ending support and will no longer provide security and maintenance updates.

All dedicated server customers using Red Hat or CentOS Linux versions 4 and earlier are affected. In order to maintain system security, as well as PCI compliance, we strongly suggest upgrades for all customers running those versions.

How do I know if this server security alert affects me?

  • This alert affects customers with physical or virtual dedicated servers running Red Hat Linux or CentOS Linux versions 4 or earlier. CybrHost strongly recommends upgrading prior to December 31, 2011.
  • This does not affect customers who have purchased CybrHost Level 3 Managed Service Plans, as full operating system upgrades are included in your service.
  • This does not affect sites hosted on any CybrHost Shared Hosting Service.
  • We’re here to help: If you are unsure what version you’re using, or if you aren’t sure whether this applies to you, just email support@cybrhost.com for assistance.

What does this server security alert mean for me?

Without these security and maintenance updates, your server can become more vulnerable to costly security incidents and service outages. You will also lose PCI compliance, or be unable to attain PCI compliance, until you complete an upgrade.

As time progresses, your server will become increasingly vulnerable, as new security vulnerabilities are discovered on a regular basis. If a security intrusion happens on your server, your cleanup costs could range in the hundreds to thousands of dollars.

What is involved with an upgrade, and how much will it cost?

In most cases, upgrading to a new server is straightforward and inexpensive. After you have placed an upgrade order, CybrHost engineers will:

  • Set up a brand new server, running the latest versions of the operating system, PHP, MySQL, and control panel.
  • Work with you to migrate your site(s) to the new server at a convenient time.
  • Test to ensure everything is working OK, then shut down the old server.

The entire process usually causes little to no downtime.

To make this transition as seamless as possible for our customers, if you upgrade prior to November 1st, 2011, CybrHost will provide the following pricing options:

  • Upgrade to latest OS – $50.00 one-time fee, with a 1 year term extension
  • Upgrade to latest OS – $250.00 one-time fee, with no term extension

Note: these fees include the new server setup and migration only. They do not include any custom programming or analysis which may be required when doing an upgrade of this nature. This is atypical, but can be required if you’re using any custom-built applications, especially those which involve complex PHP or MySQL operations, as both PHP and MySQL will be upgraded to their latest versions as well. If you’re not sure, just write to updates@cybrhost.net and we can assist you.

Will my site URLs or IP addresses change?

Your IP addresses and site URLs will all remain the same.

How can I avoid these updates or alerts in the future?

CybrHost’s Level 3 Managed Service Plan includes up to one full operating system upgrade per year for no additional cost. For more information on our Managed Service Plans, please visit http://www.cybrhost.com/managed.html or call us at 216-344-3889 x.601

OK, I’m ready for the upgrade. What do I do next?

Please contact our upgrade team, by writing to updates@cybrhost.net or calling 216-344-3889 x 601 to discuss and schedule your upgrade.