We’ve finally made it to the last day of October and we all know what that means: Happy Halloween! Given the timing, I thought it would be appropriate to discuss something scary that was discovered earlier this month…
The so eloquently named “Dirty COW” (copy-on-write) vulnerability that came to light a couple of weeks ago is what nightmares are made of when you’re a web host. This vulnerability (CVE-2016-5195) had been lurking in the Linux kernel since 2007 until it was publicized and patched earlier this month. All of our servers were patched within hours of this discovery thanks to CloudLinux’s KernelCare, which allows us to apply such hotfixes without rebooting.
Just as it is important for us to stay on top of these security updates, you are equally responsible as a web hosting user. Just last week, critical vulnerabilities were patched in Joomla that affected all versions dating back to version 3.4.4, which is more than a year old. Joomla 3.6.4 fixes these vulnerabilities and further details on this can be found here. If you haven’t updated by now, you must consider your Joomla installation and the cPanel account compromised. These vulnerabilities have been actively exploited by bots and ultimately grant attackers complete access to your account.
Even taken separately, these two items are very serious. When you combine them, especially within such a short period of time, this quickly becomes a critical situation. Any Linux host that hasn’t patched the Dirty COW vulnerability and also has clients running vulnerable versions of Joomla may have a full-server root compromise on their hands, and they might not even know it.
Again, our servers were patched immediately to address the Dirty COW vulnerability, but this is a great example to stress the importance of keeping your scripts updated to the latest version, whether you’re running Joomla, WordPress or something else. Scripts like these are very often just the doorway that allows attackers to cause even more harm. So please don’t leave the front door unlocked, and make sure to keep your scripts updated at all times as you enjoy this Halloween 2016!