Emergency Maintenance on All BlueVM OpenVZ Services
This post is just to help catch anyone who has not already gotten an email from us about our current emergency maintenance.
Earlier this morning one of our pen testers came across a vulnerability in our OpenVZ Kernel which allows a container to escalate permissions to the root user on the host node.
Original email:
> Hello,
>
> We are performing emergency maintenance on ALL of our OpenVZ node servers, meaning EVERY OpenVZ server will be affected.
>
> The kernel we operate on needs to be upgraded as soon as possible. But unfortunately this requires us to reboot each node server.
>
> It should take no longer than 5 minutes per server. We are performing this maintenance NOW.
>
> We apologise for the inconvenience caused, and the short notice. This was unavoidable.
>
> If you have any questions, feel free to open a ticket.
>
> Best Regards,
> BlueVM Support
> https://bluevm.com
Comments
It's a different one. The one from about a month ago didn't affect the Kernel we run.
This is an entirely different exploit...
This is an exploit a friend of a sysadmin has discovered himself - unrelated to the one a month ago, which doesn't affect the Kernel we run as Magiobiwan said.
Are you saying this is regarding a currently nonpublic 0day local kernel root exploit in Linux?
It affects the 2.6.18 VZ Kernels, not the newer 2.6.32 ones.
Why not share the exploit details with the community?
As soon as we have finished our maintenance, yes.
So no one tries it on us?
Yes.
@Jack We use HyperVM, not SolusVM. SolusVM uses 2.6.32 Kernels, not the older 2.6.18 ones.
No one is aware yet I don't think, this exploit is still private at the moment.
If I remember correctly SolusVM uses the .18 on their CentOS 5 install (I may be wrong, don't quote me on it).
Anyone on 106.1 or below should upgrade to 107.1 as 107.1 is patched. This does not mean the vulnerability is known. It's still nonpublic.
So the known vulnerabilities that Ovz 106.2 has are:
Is this a different bug, not listed above?
UPDATE:
Anyone on 106.2 or below, upgrade to 107.1 as 107.1 is patched.
We received an exploit with little explanation as to its actual usage and were told it is fixed in 107.1, and testing proved that to be the case. The description on each of the bugs @rds100 mentioned does not match the nature of this exploit's method, and until we finish our tests we will not be able to confirm that it is 100% a new bug or if the OpenVZ team already corrected this problem.
Currently 101.1 - 106.2 are listed as stable kernels with no known root exploits, thus this is why we have reason to believe this exploit is not known to the OpenVZ development team at this time.
@BlueVM so it was tested that the exploit does not work on 107.1 but works on 106.2?
@rds100 - Correct. Our current understanding is that a smaller bug was patched between 106.2 and 107.1 that solved a known bug; that bug, as far as we are able to tell, has a much broader application in that it can be exploited to attain root privileges on the host node.
Hmm... My VPS (Chicago) has been down since I received the e-mail 2.5 hours ago. The control panel (http://manage.bluevm.com:8888) is down too.
Control panel is down but VPS is working fine...
Server 1 in NY, which the HyperVM Control Panel is on, is currently not booting. We're working on fixing the issue now. @newlogin, if you open a ticket with as much info about your VPS as possible (IP, hostname as set in HyperVM, VPSID if you have it) we can manually boot it for you.
Is it over now? Control panel seems to be working fine.
Control Panel is back online. ATL2 is being worked on now. We haven't done some nodes yet due to these issues. Now that we know what CAUSED the problems we can make it so it doesn't happen on any other nodes.
Why would you use an older kernel anyhoo?
How do you mean? If you mean 2.6.18, it's because HyperVM isn't compatible.
@Jack after recent events and CVE noted vulnerabilities, I'd be hasty to update to a newer kernel.
What initiated your thoughts to use HyperVM over Solus? Are you trying to be different from the crowd, or do you have some form of a vendetta?
HyperVM only supports EL5 versions, and 2.6.18 Kernels. We're working on our own Control Panel that will support EL6, newer OpenVZ Kernels, vSwap, etc.
@eastonch - Why would any company that's trying to offer a "low end" product spend more than $1k a month on a control panel? I'd rather have an extra person on staff...
Clever point of view!
iptables support is broken in Chicago. When I was advised to re-enable iptables support in HyperVM I found that that control (at least) is broken too. I was told that a BIOS password (?) was needed from the datacenter to fix this.
So far the "5 minutes" emergency maintenance has come to 4 hours of downtime followed by 14 hours without a firewall.