RACK911Labs.ca security researchers identified a vulnerability in the BitNinja MalwareDetection module. The vulnerability is a symlink attack, allowing a remote attacker to delete root-owned files caused by a race condition in the quarantining process.
We have already patched the vulnerability by implementing the k-race algorithm and changing the effective user id of the module process. We released the fix with the agent version 2.23.5.
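The race described above is the classic check-then-use window: the scanner looks at a path, an attacker swaps a component of that path for a symlink, and the scanner's later move or delete lands on a root-owned file. As an added example (not BitNinja's code, and not the k-race algorithm mentioned above), the following Python shows the defensive pattern of opening each path component with O_NOFOLLOW relative to a directory descriptor, verifying the opened object with fstat, copying from that descriptor, and unlinking by name relative to the same directory descriptor. Directory names, file names and contents in the demo are constructed; the temp-dir layout is an assumption for the demo only.

```python
import os
import shutil
import stat
import tempfile


class QuarantineRefused(Exception):
    """Raised when a path cannot be quarantined without risk."""


def _open_nofollow(path):
    """Open every component of `path` with O_NOFOLLOW, relative to the
    previous directory fd, so a directory or leaf that is swapped for a
    symlink at any point makes the kernel fail the open (ELOOP) instead of
    silently redirecting us. Returns (parent_dir_fd, leaf_name, file_fd)."""
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    if not parts:
        raise QuarantineRefused("refusing to operate on the filesystem root")
    leaf = parts[-1]
    dir_fd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        file_fd = os.open(leaf, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC,
                          dir_fd=dir_fd)
    except OSError as exc:
        os.close(dir_fd)
        raise QuarantineRefused(f"{path}: {exc.strerror}") from exc
    return dir_fd, leaf, file_fd


def quarantine(path, quarantine_dir):
    """Copy the verified file content into quarantine_dir and remove the
    original by name. Returns the path of the quarantine copy."""
    dir_fd, leaf, file_fd = _open_nofollow(path)
    try:
        st = os.fstat(file_fd)  # inspect the object we hold, not the path
        if not stat.S_ISREG(st.st_mode):
            raise QuarantineRefused(f"{path}: not a regular file")
        if st.st_nlink > 1:
            # A hard link to a system file passes every symlink check;
            # refusing multi-linked files avoids copying its contents out.
            raise QuarantineRefused(f"{path}: has {st.st_nlink} hard links")
        dest = os.path.join(quarantine_dir, f"{leaf}.{st.st_dev}-{st.st_ino}.quar")
        dst_fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
        src = os.fdopen(file_fd, "rb")
        file_fd = -1  # ownership of the descriptor moved to the file object
        with src, os.fdopen(dst_fd, "wb") as dst:
            shutil.copyfileobj(src, dst)  # content comes from the fd we checked
        # unlinkat() never follows symlinks, so a swapped-in symlink would only
        # lose the link itself; re-checking the inode narrows the remaining
        # window for a swapped-in regular file but cannot eliminate it.
        now = os.lstat(leaf, dir_fd=dir_fd)
        if (now.st_dev, now.st_ino) != (st.st_dev, st.st_ino):
            raise QuarantineRefused(f"{path}: replaced during quarantine, original kept")
        os.unlink(leaf, dir_fd=dir_fd)
        return dest
    finally:
        if file_fd != -1:
            os.close(file_fd)
        os.close(dir_fd)


def demo():
    """Constructed layout in a temp dir (assumption: a writable TMPDIR).
    Returns a dict describing what happened so it can be checked."""
    # realpath() here only keeps the demo's own temp dir from being a symlink;
    # real scanner code must never canonicalise an untrusted path this way.
    base = os.path.realpath(tempfile.mkdtemp(prefix="quarantine-demo-"))
    user_dir = os.path.join(base, "home", "alice")
    sys_dir = os.path.join(base, "etc")  # stand-in for root-owned files
    qdir = os.path.join(base, "quarantine")
    for d in (user_dir, sys_dir):
        os.makedirs(d)
    os.makedirs(qdir, 0o700)
    victim = os.path.join(sys_dir, "passwd")
    with open(victim, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
    sample = os.path.join(user_dir, "dropper.bin")
    with open(sample, "wb") as f:
        f.write(b"constructed malware sample\n")
    # Two layouts an attacker could stage: a symlinked leaf and a symlinked
    # directory component pointing at the stand-in system directory.
    os.symlink(victim, os.path.join(user_dir, "leaf.bin"))
    os.symlink(sys_dir, os.path.join(user_dir, "uploads"))

    out = {"regular": os.path.basename(quarantine(sample, qdir))}
    for key, target in (("symlink_leaf", os.path.join(user_dir, "leaf.bin")),
                        ("symlink_dir", os.path.join(user_dir, "uploads", "passwd"))):
        try:
            quarantine(target, qdir)
            out[key] = "quarantined"
        except QuarantineRefused:
            out[key] = "refused"
    out["victim_intact"] = os.path.exists(victim)
    out["sample_removed"] = not os.path.exists(sample)
    shutil.rmtree(base)
    return out


if __name__ == "__main__":
    print(demo())
```

Running the demo quarantines the regular sample, refuses both symlink layouts, and leaves the stand-in system file untouched. Dropping privileges (the effective-uid change the post mentions) is the complementary control: even if a check is bypassed, the process then lacks the rights to remove root-owned files.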
We also initiated an auto-upgrade for all agents, and most of them are already running the patched version. On some BitNinja-protected servers, the automated upgrade process failed. To avoid any risk from this vulnerability, we have disabled the malware detection module on every agent older than version 2.23.5.
You can check the agent version of your servers on the Console; it is shown on the server card as soon as you sign in.
Update the agent if it is older than version 2.23.5!
If you use Debian or Ubuntu, use the following commands:
apt-get update
apt-get install bitninja
If you use CentOS, use this command:
yum update bitninja
If the installation fails because of the GPG key, you can use the following commands to update:
apt-get update
apt-key adv --keyserver keys.gnupg.net --recv-key 7F8B47DC
If this doesn’t work, you can use this command:
wget -O- http://apt.bitninja.io/7F8B47DC.gpg | apt-key add -
If the agent update doesn’t work, you may run into this error message when trying to use yum to update your packages on your CentOS 6 server:
yum update
Loaded plugins: fastestmirror
Setting up Update Process
Determining fastest mirrors
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
 Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt
Error: Cannot find a valid baseurl for repo: base
The issue can be resolved by pointing your yum repository configuration to the latest CentOS 6.10 vault. You can find more information about the lifecycle of other CentOS versions on this link. After the repository configuration is done, BitNinja can be updated as usual alongside the other packages.
Issue this command to replace the repo config file:
curl https://www.getpagespeed.com/files/centos6-eol.repo --output /etc/yum.repos.d/CentOS-Base.repo
You can also update the repo config manually: open the /etc/yum.repos.d/CentOS-Base.repo file and replace its content with the text below.
cat <<-'EOF' > /etc/yum.repos.d/CentOS-Base.repo
[C6.10-base]
name=CentOS-6.10 - Base
baseurl=http://vault.centos.org/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-updates]
name=CentOS-6.10 - Updates
baseurl=http://vault.centos.org/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-extras]
name=CentOS-6.10 - Extras
baseurl=http://vault.centos.org/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-contrib]
name=CentOS-6.10 - Contrib
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=0
metadata_expire=never

[C6.10-centosplus]
name=CentOS-6.10 - CentOSPlus
baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=0
metadata_expire=never
EOF
Usually, it is not necessary to change the BitNinja.repo file. Still, if the method above doesn’t work for some reason, or you want to be sure, you can replace the $releasever variable in that file with the OS version number, which in CentOS 6’s case is 6.
The file can be found at /etc/yum.repos.d/BitNinja.repo and by default it looks like the screenshot below.
Change it to look like this one:
After you have completed the installation of the new version of the agent, restart it manually.
And you are done!
Please feel free to contact our customer support if you need any help updating the agent on your servers. You can contact us via email or ping us on the console. Thank you for your cooperation!
Let’s make the Internet safer together!