Network Maintenance: Chicago Core Hardware Replacement
Posted by Kevin Stange on 30 January 2015 03:07 PM

We have scheduled a hardware replacement in one of our core routers in Chicago, IL to address a known issue.

Date: Sunday, February 8th, 2015
Start Time: 12:00 AM CST (GMT -6)
End Time: 3:00 AM CST (GMT -6)
Maintenance Scope: Line card replacement in core router in Chicago, IL

Customer Impact:

We expect the customer impact of this maintenance to be minimal, though some brief periods of localized inaccessibility and sub-optimal routing may occur.  If you are a BGP customer, please verify that you have dual sessions established to avoid an extended interruption in service during the work.

During the maintenance, we will replace a line card in one of our core routers due to recommendations from our hardware vendor. This router will be removed from production gracefully, have its hardware replaced, then be brought back into production.

While the work itself is expected to be completed quickly, we are reserving extra time to allow for extensive testing. This will give us the ability to ensure that all carriers are back online and traffic is flowing as expected within the maintenance window.

If you need assistance during the maintenance, or if you have any questions about this planned work, please contact us via our helpdesk or by calling (312) 602-2689 or (888) 281-9449.


Security Advisory: Critical glibc Security Vulnerability
Posted by Kevin Stange on 27 January 2015 12:40 PM

A vulnerability has recently been disclosed in the GNU C Library (glibc) which affects all systems running CentOS 5 - 7 and Debian 7 "Wheezy."  This vulnerability is serious: the flaw is a buffer overflow in the gethostbyname() family of functions, so a remote attacker who can get a service such as a web or mail server to resolve a crafted hostname may be able to run code with that service's privileges.

This vulnerability exists in every version of glibc from 2.2 (released in 2000) through 2.17.  It was fixed in version 2.18 in mid-2013, but the fix was not recognized as a security issue at the time, so no security release was made for previous versions and long-term-support distributions kept shipping the vulnerable code.

This issue is known as the "GHOST" vulnerability.  It has been assigned the ID CVE-2015-0235 in the Common Vulnerabilities and Exposures database.  Qualys, the company that discovered the vulnerability, has published a useful article explaining what GHOST is.

Windows servers do not use glibc.  You may wish to check any third-party software you have installed for bulletins and updates, if applicable.  Some third-party applications include a separate copy of glibc instead of using the operating system version.

CentOS and Debian have patched this vulnerability as of January 27th, 2015.  To completely patch this vulnerability, you must update your glibc package and then restart all services that use glibc, since a running process keeps using the old library code until it is restarted.  Because glibc is used by nearly every application on Linux, it is strongly recommended that you reboot your server after installing the update to ensure nothing is missed.

CentOS

To check which version of glibc is installed, run the following command:

rpm -q glibc

The version number should be greater than or equal to the following, based on the version of CentOS you are using:

  • CentOS 5: 2.5-123.el5_11.1
  • CentOS 6: 2.12-1.149.el6_6.5
  • CentOS 7: 2.17-55.el7_0.5

When reading a version number from left to right, if you reach a component that is higher than the corresponding component of the version listed above for your OS, you have a patched version.  For example, 2.5-124 is newer than 2.5-123.el5_11.1.  Compare each component as a number rather than as text (a release of 10 is newer than 9, even though "1" sorts before "9" alphabetically).  If you have any doubt, please contact support and we will be happy to review your system.  If your version number is lower, please run the following command and ensure an update to the glibc package is included:

yum -y update glibc

If no update is available, please try the following commands, then repeat the command above:

yum clean metadata

After the upgrade completes, you should restart your web server and all other services running on your system.  For example, to restart your web server, you can run the following command:

service httpd restart

If you have a control panel, you should step through each service listed in the "Services" area of the control panel and restart them one by one.  If you have any doubts about which services to restart, we recommend restarting your entire server.  You can do this by running the command:

reboot

Red Hat published the following advisories regarding this vulnerability:

  • https://access.redhat.com/security/cve/CVE-2015-0235
  • CentOS 5: https://rhn.redhat.com/errata/RHSA-2015-0090.html
  • CentOS 6 & 7: https://rhn.redhat.com/errata/RHSA-2015-0092.html

Debian 7

To check which version of glibc is installed, run the following command:

dpkg -s libc6 | grep Version

The version number should be greater than or equal to 2.13-38+deb7u7.

The notable part to look for is the "+deb7u7" at the end.  If the number after "u" is not 7 or higher, or the part after "+" is missing, you will need to upgrade.  If your version number is lower, please run the following commands and ensure an update to the libc6 package is included:

apt-get update
apt-get install -y libc6

After the upgrade completes, you should restart your web server and all other services running on your system.  For example, to restart your web server, you can run the following command:

service apache2 restart

If you have a control panel, you should step through each service listed in the "Services" area of the control panel and restart them one by one.  If you have any doubts about which services to restart, we recommend restarting your entire server.  You can do this by running the command:

reboot

Debian published the following advisories regarding this vulnerability:

  • https://www.debian.org/security/2015/dsa-3142
  • https://security-tracker.debian.org/tracker/CVE-2015-0235

If you have any questions or need assistance performing these upgrades, please contact us and we'll be happy to help.


R1Soft Server Backup Upgrade
Posted by Kevin Stange on 29 October 2014 03:36 PM

We have scheduled an upgrade of our R1Soft Server Backup (formerly Idera Server Backup or R1Soft CDP) platform software on cdp01.steadfast.net to version 5.8.1.  This update will fix minor bugs and disable SSLv3 support as a means to mitigate the POODLE vulnerability.  Please note that POODLE attacks require use of the web-based backup manager.  SSLv3 is not used for taking backups.

This upgrade is being performed during the daytime, mid-week, because it is the lowest utilization period.

Date: Wednesday, November 5th, 2014
Start Time: 2:00 PM CST (GMT -6)
End Time: 3:00 PM CST (GMT -6)
Maintenance Scope: cdp01.steadfast.net Backup Server

Customer Impact:

Backups will not be performed and restoration services will be unavailable during the maintenance period. This maintenance will not impact customer equipment or services other than backup tasks.

If you are not already running agent version 5.8 or newer, upgrading the agent is strongly recommended.  It is safe to upgrade the agent to version 5.8.1 before the manager has been upgraded.

The full release notes may be viewed here.

If you have any questions regarding this maintenance, or for assistance in upgrading the agent on your server(s), please feel free to contact us via our helpdesk or by email.


Updated: Security Advisory: Important SSL Vulnerability
Posted by Kevin Stange on 15 October 2014 02:12 PM

Update 10/16 5:00 PM CDT: CentOS has released OpenSSL packages that provide limited protection for clients that connect using TLS.  This does not fix the issue in SSL version 3.0 and we still recommend disabling it completely even if you update OpenSSL.  The following message has been revised with the new information.

A vulnerability has recently been disclosed, which affects all software that supports SSL version 3.0.  This problem impacts all operating systems, including CentOS, Windows, and Debian.  This issue is known as "POODLE" which stands for "Padding Oracle On Downgraded Legacy Encryption."  It has been assigned ID CVE-2014-3566 in the Common Vulnerabilities and Exposures database.

This vulnerability may allow a third party to decrypt information with a trivial amount of effort if they are able to force an encrypted connection to downgrade from TLS to SSL 3.0 and to make the client send the same data (for example, a session cookie) over and over; on average each byte is recovered after 256 attempts.  The highest risk exists for users that connect to servers from public networks, where an attacker can sit between the client and the server.  It affects most client software, such as web browsers and email clients, and most server software, including web servers, mail servers, and control panels.

The vulnerability is a flaw in the design of SSL version 3.0, which was the final version of SSL before it was superseded by the new TLS standard in 1999.  The TLS standard is often referred to as "SSL" along with the SSL standard, however TLS is not directly impacted, because TLS defines the value of every padding byte rather than just the last one, which allows the receiver to reject tampered records.
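The mechanics described above, as an added illustration that is not part of this announcement: a toy SSL 3.0 record layer in Python with the padding check that causes the problem, and the man-in-the-middle attack that recovers a secret one byte at a time.  The block cipher is a constructed 8-byte Feistel network (standing in for 3DES/AES; the attack never inspects it), the keys, secret and record layout are constructed for the example, and the per-record randomness comes from a seeded generator so a run is repeatable.

```python
import hashlib
import hmac
import random

BLOCK = 8    # toy block size; SSL 3.0 with AES-CBC behaves the same with 16-byte blocks
MAC_LEN = 8  # toy MAC length (SSL 3.0 used MD5/SHA-1 MACs; the length does not matter here)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed 8-byte Feistel cipher on SHA-256, standing in for 3DES/AES so the example
# has no dependencies. The attack below never looks inside the block cipher.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def seal_record(enc_key: bytes, mac_key: bytes, data: bytes, rng=None):
    """Client side, SSL 3.0 layout: data || MAC(data) || padding. Only the final byte (the
    padding length) is defined by the protocol; the padding bytes themselves are arbitrary."""
    rng = rng or random.Random(20141014)  # seeded for a repeatable demonstration
    mac = hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    body = data + mac
    pad_len = BLOCK - 1 - len(body) % BLOCK
    padding = bytes(rng.getrandbits(8) for _ in range(pad_len)) + bytes([pad_len])
    iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return iv, cbc_encrypt(enc_key, iv, body + padding)

def open_record_sslv3(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes) -> bool:
    """Server side. SSL 3.0 checks only the length byte, never the padding contents; that is
    the design flaw POODLE exploits. Returns True when the record is accepted."""
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    body = pt[:len(pt) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expect = hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expect)

def poodle_recover(enc_key: bytes, mac_key: bytes, secret: bytes, rng=None,
                   max_tries: int = 200_000) -> bytes:
    """Man-in-the-middle recovery of `secret` one byte at a time. The attacker can make the
    victim re-send the secret with chosen amounts of filler before and after it (in the real
    attack, request path and body length), can alter ciphertext in transit, and can observe
    whether the server accepts the record."""
    rng = rng or random.Random(20141014)
    recovered = bytearray()
    for idx in range(len(secret)):
        prefix = b"A" * ((BLOCK - 1 - idx) % BLOCK)  # makes secret[idx] the last byte of its block
        suffix = b"B" * (-(len(prefix) + len(secret) + MAC_LEN) % BLOCK)  # full block of padding
        data = prefix + secret + suffix
        k = (len(prefix) + idx) // BLOCK  # index of the plaintext block ending in the target
        for _ in range(max_tries):
            iv, ct = seal_record(enc_key, mac_key, data, rng)
            blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            # Replace the final (all-padding) block with C_k. The record is accepted only when
            # D(C_k)[-1] XOR C_{n-2}[-1] == BLOCK - 1, which happens with probability 1/256.
            tampered = ct[:-BLOCK] + blocks[k + 1]
            if open_record_sslv3(enc_key, mac_key, iv, tampered):
                # Undo the CBC chaining with C_k's real predecessor to get P_k[-1] = secret[idx].
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[k][-1])
                break
        else:
            raise RuntimeError("server never accepted a tampered record")
    return bytes(recovered)

if __name__ == "__main__":
    print(poodle_recover(b"enc-key", b"mac-key", b"s3cret"))  # b's3cret'
```

poodle_recover() returns the secret after roughly 256 records per byte, the cost quoted in the POODLE paper.  The server checks nothing about the padding except its final length byte, so a copied ciphertext block is accepted whenever that byte happens to decrypt to 7; TLS defines and checks the remaining padding bytes, which is why TLS is not directly affected.  Disabling SSL 3.0 on the server is the complete fix: for Apache mod_ssl that is `SSLProtocol all -SSLv3`, for nginx `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, and after restarting the service `openssl s_client -connect yourhost:443 -ssl3` (yourhost is a placeholder; run it from a machine whose OpenSSL build still includes SSL 3.0) should fail to complete a handshake.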

There is no patch to solve the SSL problem, as it is a design flaw in the protocol.  However, CentOS has released updated packages for OpenSSL that implement the TLS_FALLBACK_SCSV signalling cipher suite value, which lets a client and server that both support it refuse an attacker-induced downgrade from TLS to SSL 3.0.  A connection that is established using SSL 3.0 directly, or with a peer that does not support the signalling value, will still be vulnerable.  Other operating systems have not yet received updates.

If you wish to install the updated packages, run the following on a CentOS server:

yum clean all
yum -y update openssl

You should then restart any services that use OpenSSL, such as your web server and mail server.

We still recommend completely disabling SSL version 3.0 in your applications and services, as it is the only way to fully eliminate the vulnerability.  This process varies for each individual service and operating system and is beyond the reasonable scope of this announcement to explain.

Google and Mozilla have also indicated plans to release software updates to web browsers in the near future to disable SSL version 3.0 completely and to implement new protections to prevent the technique of the exploit from working.  Microsoft has not announced any specific plans for removing SSL version 3.0 from any software.  All modern web browsers and other client software support TLS versions 1.0 or higher.  The most recent revision of TLS is version 1.2.

If you have any questions or need assistance with disabling SSL version 3.0 for any of your services, please contact us and we'll be happy to help.


Security Advisory: Critical Bash Shell Vulnerability
Posted by Kevin Stange on 25 September 2014 02:21 PM

Update 9/26 at 10:40 AM CDT: A newer version of Bash has been released that fixes additional security problems.  This announcement has been updated with the new version numbers to look for and updated references.  Please review the information below for further details.

A vulnerability has recently been disclosed in Bash (the GNU Bourne Again shell) which affects all systems running Linux.  Bash executes commands hidden in specially crafted environment variables, so any service that passes attacker-supplied values to Bash through its environment (CGI scripts on a web server are the common case) can be made to run arbitrary commands with the privileges of that service.  This issue does not by itself permit privilege escalation.  It has been assigned the ID CVE-2014-6271 in the Common Vulnerabilities and Exposures database and has been given the nickname "Shellshock."

CentOS and Debian patched this vulnerability partially on September 24, 2014 and issued further fixes on September 25, 2014 under new ID CVE-2014-7169.  To apply the fixes, you need only update the version of your installed Bash program.  If you have created any services that run entirely as a Bash shell script, you should restart those services after updating.  Bash-based services are not common.

Windows and FreeBSD servers do not use Bash by default and are not generally affected.  If you have installed Bash on your server manually, you should make sure it is up to date using the process by which you originally installed it.

Please review the sections below to determine how to update Bash on your server.

CentOS

To check which version of Bash is installed, run the following command:

rpm -q bash

The version number should be greater than or equal to the one listed for your version of CentOS:

  • CentOS 5: bash-3.2-33.el5_10.4
  • CentOS 6: bash-4.1.2-15.el6_5.2
  • CentOS 7: bash-4.2.45-5.el7_0.4

The important portion of the version number is the part beginning with ".elX_" where X is 5, 6, or 7.  If you read the part after the "_" as a decimal number, it must be greater than or equal to the version listed.  For example, for ".el6_" the number should be "5.2" or any higher number.

If your version is lower, please run the following command and ensure an update to the bash package is included:

yum -y update bash

If no update is available, please try the following commands, then repeat the command above:

yum clean metadata

Red Hat published the following advisories regarding this vulnerability:

  • https://access.redhat.com/security/cve/CVE-2014-6271
  • https://access.redhat.com/security/cve/CVE-2014-7169
  • https://rhn.redhat.com/errata/RHSA-2014-1293.html
  • https://rhn.redhat.com/errata/RHSA-2014-1306.html
  • https://access.redhat.com/articles/1200223
  • https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Debian 7

To check which version of Bash is installed, run the following command:

dpkg -s bash | grep Version

The version number should be greater than or equal to 4.2+dfsg-0.1+deb7u3.

The notable part to look for is the "+deb7u3" at the end.  If the last number is not 3 or higher, or the part after "+" is missing, you will need to upgrade.  If your version does not match, please run the following command and ensure an update to the bash package is included:

apt-get update
apt-get install -y bash
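Both this advisory and the glibc advisory above ask you to compare an installed package version against a fixed one by eye.  The following is an added example, not part of these announcements, that does the comparison the way the package managers themselves do: re-implementations in Python of rpm's version ordering (its newer "^" operator is left out) and of Debian's dpkg ordering, applied to the fixed versions quoted in the two advisories.  The FIXED table and the distro and package labels used as its keys are constructed for this example.

```python
# Minimum fixed versions quoted in the glibc (GHOST) and Bash (Shellshock) advisories above.
FIXED = {
    ("centos5", "glibc"): "2.5-123.el5_11.1",
    ("centos6", "glibc"): "2.12-1.149.el6_6.5",
    ("centos7", "glibc"): "2.17-55.el7_0.5",
    ("debian7", "libc6"): "2.13-38+deb7u7",
    ("centos5", "bash"): "3.2-33.el5_10.4",
    ("centos6", "bash"): "4.1.2-15.el6_5.2",
    ("centos7", "bash"): "4.2.45-5.el7_0.4",
    ("debian7", "bash"): "4.2+dfsg-0.1+deb7u3",
}

def _sign(x: int) -> int:
    return (x > 0) - (x < 0)

def rpm_vercmp(a: str, b: str) -> int:
    """rpm ordering: read both strings as runs of digits or of letters, skip separators,
    compare runs pairwise (digits numerically, letters as text); a numeric run beats an
    alphabetic one, '~' sorts before anything, and extra trailing runs make a version newer.
    Returns -1, 0 or 1 like rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        same_kind = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # the runs are of different kinds: numeric is always newer
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = int(seg_a), int(seg_b)
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def _deb_order(c) -> int:
    """dpkg's character weights: '~' sorts before end-of-string, then letters, then symbols."""
    if c is None or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _deb_verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of one version component (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _deb_order(a[i] if i < len(a) else None) - _deb_order(b[j] if j < len(b) else None)
            if diff:
                return diff
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def deb_vercmp(a: str, b: str) -> int:
    """Debian policy ordering of [epoch:]upstream[-revision]; returns -1, 0 or 1."""
    def split(v: str):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _sign(_deb_verrevcmp(ua, ub) or _deb_verrevcmp(ra, rb))

def patched(distro: str, pkg: str, installed: str) -> bool:
    """True when the installed version is at or above the advisory's minimum for that OS."""
    cmp = deb_vercmp if distro.startswith("debian") else rpm_vercmp
    return cmp(installed, FIXED[(distro, pkg)]) >= 0
```

On a live host, feed patched() the output of `rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc` (which omits the package name and architecture that plain `rpm -q` prints around the version) or of `dpkg-query -W -f='${Version}\n' libc6`.  Debian can also do the comparison itself: `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libc6)" ge 2.13-38+deb7u7 && echo patched`.  The reason to compare algorithmically rather than as text is a case like "+deb7u10" against "+deb7u7": the advisory's "last number is 7 or higher" rule is right, but a plain string comparison would sort "10" before "7".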

Debian published the following advisories regarding this vulnerability:

  • https://www.debian.org/security/2014/dsa-3032
  • https://www.debian.org/security/2014/dsa-3035

If you have any questions or need assistance performing these upgrades, please contact us and we'll be happy to help.

