A hole in your Linux system. Now what?
Linux is known for its high level of security. At the same time, it is and remains software, and software is prone to vulnerabilities. This became evident recently, when it was revealed that a dangerous vulnerability has been present in Linux since 2009. In this blog post, we tell you more about it!
The Linux operating system is known to be extremely secure, but that doesn’t mean it can’t have bugs. Indeed, on Jan. 25 last year it was revealed that a particular component (pkexec) of all major Linux installations contains a vulnerability that has been there since 2009. It is a dream for hackers, because any user of the Linux system can obtain the highest privileges, independently of the hardware used. That means absolute administration rights, with all the possible consequences. The bug is present on billions of computers worldwide.
What does that mean?
This also has implications for backing up and archiving data. If Linux is part of your backup or archive infrastructure, the issue is critical. Take, for example, so-called immutable backups such as those offered by Veeam, among others. Immutable backup means that you can specify in your software whether you want a backup to be immutable. The backup then first goes through a Linux box, which sets an immutable flag, and only then is the data put into storage. The point is that a root user can simply remove this immutable flag, and can then delete or change the backup. The same applies, by the way, to S3 immutability for S3 repositories residing on Linux-based storage.
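A removed flag can at least be detected. The following script is an added example, not code from the original post or from any vendor: it lists backup files that no longer carry the immutable attribute, assuming the flag is the Linux file attribute that lsattr shows as `i`. The function names and the sample paths are made up for illustration.

```shell
#!/bin/sh
# Added example: find backup files that no longer carry the immutable attribute.
# Assumption: the "immutable flag" is the Linux file attribute lsattr shows as 'i'.

# Reads lsattr output on stdin; prints the path of each entry whose
# attribute field lacks 'i'. Lines that are not "<attrs> <path>" are skipped.
missing_immutable() {
    awk '
        NF < 2               { next }   # blank lines, bare headers
        $1 !~ /^[-A-Za-z]+$/ { next }   # "dir:" headers and lsattr error messages
        index($1, "i") == 0 {           # case-sensitive: "I" (indexed dir) does not count
            sub(/^[^ ]+ +/, "")         # drop the attribute field, keep paths with spaces
            print
        }
    '
}

# Audits every regular file under a repository directory (hypothetical layout).
# Files your backup software intentionally leaves mutable will be listed too.
# Returns 0 if all files are immutable, 1 if some are not, 2 if the check cannot run.
audit_repo() {
    repo=$1
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not found" >&2; return 2; }
    [ -d "$repo" ] || { echo "not a directory: $repo" >&2; return 2; }
    unprotected=$(find "$repo" -type f -exec lsattr {} + | missing_immutable)
    [ -z "$unprotected" ] && return 0
    printf '%s\n' "$unprotected" | sed 's/^/NOT IMMUTABLE: /'
    return 1
}

# Constructed sample of lsattr output (not taken from a real system).
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /repo/job1/full 2022-01-01.vbk
--------------e------- /repo/job1/incr 2022-01-02.vib
----i---------e------- /repo/job1/incr-2022-01-03.vib
lsattr: Operation not supported While reading flags on /repo/job1/sock
EOF
}

# Stand-alone demo on the constructed sample; on a real box use: audit_repo /path/to/repo
sample_lsattr | missing_immutable
```

Alert on any non-zero exit from `audit_repo`. Because root on the same box can tamper with this check as well, it does not replace the hardware-based air-gap discussed below.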
What can you do?
To avoid this, there are a few things you can do. For example, make sure nobody can get on this Linux box without being physically in front of it. However, this is not always achievable in practice. Another solution is to provide a hardware-based air-gapped backup, such as the Silent Bricks. But beware! This is really different from the software air-gap that storage vendors, including Linux-based ones, often offer. Such software ensures that a connection to the storage can only be made at certain times. But this storage is also Linux-based, and a user who can get in there can also become a root user. This root user can then remove the virtual air-gap as well.
Problem solved? No!
As far as we know, the vulnerability has not yet been closed, and it is not public how to exploit it. Even so, it is important to install a patch immediately as soon as it is available. In the meantime, remember that a software air-gap is not a real air-gap. So always provide a hardware-based air-gap! Want to know more? Find out what COMEX can do!