Malware Detection Vulnerability Patch

Security researchers at RACK911Labs.ca identified a vulnerability in the BitNinja MalwareDetection module. It is a symlink attack, made possible by a race condition in the quarantining process, that allows a remote attacker to delete root-owned files.

We have already patched the vulnerability by implementing the k-race algorithm and by changing the effective user ID of the module process. The fix was released in agent version 2.23.5.

We also initiated an auto-upgrade for all agents, and most of them are already running the patched version. On some BitNinja-protected servers, however, the automated upgrade process failed. To avoid any risk from this vulnerability, we have disabled the malware detection module on every agent older than version 2.23.5.

What to do?


Step #1

Check your servers’ agent version on the Console. It is shown on the server card as soon as you sign in.

Step #2

Update the agent if it is older than version 2.23.5!

Debian, Ubuntu

If you use Debian or Ubuntu, use the following command:
apt-get update
apt-get install bitninja

CentOS

If you use CentOS, use this command:
yum update bitninja

Step #3

Debian, Ubuntu

If the installation fails because of the GPG key, you can use the following commands to update:
apt-get update
apt-key adv --keyserver keys.gnupg.net --recv-key 7F8B47DC

If this doesn’t work, you can use this command:
wget -O- http://apt.bitninja.io/7F8B47DC.gpg | apt-key add -

CentOS 6 EOL

If the agent update doesn’t work, you may run into this error message when trying to use yum to update your packages on your CentOS 6 server:
yum update
Loaded plugins: fastestmirror
Setting up Update Process
Determining fastest mirrors
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt
Error: Cannot find a valid baseurl for repo: base

The issue can be resolved by pointing your yum repository configuration at the latest (6.10) CentOS vault. You can find more information about the lifecycle of other CentOS versions at this link. Once the repository configuration is done, BitNinja can be updated alongside the other packages as usual.

How to fix the repo config in CentOS 6?

Issue this command to update the repo config file:
curl https://www.getpagespeed.com/files/centos6-eol.repo --output /etc/yum.repos.d/CentOS-Base.repo

You can also update the repo config manually: open the /etc/yum.repos.d/CentOS-Base.repo file and replace its content with the text below (the heredoc command shown writes the same content for you).

cat <<-'EOF' > /etc/yum.repos.d/CentOS-Base.repo
[C6.10-base]
name=CentOS-6.10 - Base
baseurl=http://vault.centos.org/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-updates]
name=CentOS-6.10 - Updates
baseurl=http://vault.centos.org/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-extras]
name=CentOS-6.10 - Extras
baseurl=http://vault.centos.org/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-contrib]
name=CentOS-6.10 - Contrib
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=0
metadata_expire=never

[C6.10-centosplus]
name=CentOS-6.10 - CentOSPlus
baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=0
metadata_expire=never
EOF

Usually, it is not necessary to change the BitNinja.repo file. Still, if the method above doesn’t work for some reason, or you want to be on the safe side, you can change the $releasever variable in that file to the OS major version, which in CentOS 6’s case is 6.

The file can be found at /etc/yum.repos.d/BitNinja.repo; by default it looks like the screenshot below.

[screenshot: default BitNinja.repo, using the $releasever variable]

And change it to look like this one:

[screenshot: BitNinja.repo with $releasever replaced by 6]

Step #4

After you have completed the installation of the new version of the agent, restart it manually.
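As an added example that is not part of BitNinja’s tooling or of this post, the following POSIX shell script automates the Step 1 check for a whole fleet: it reads the installed bitninja package version from dpkg or rpm (the package name bitninja is the one used in the update commands above) and compares it field by field against 2.23.5, so that a version such as 2.3.9 is not mistaken for something newer by a plain string comparison. The dpkg/rpm queries and the treatment of a package revision suffix are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example (not BitNinja's own tooling): report whether the installed
# bitninja agent is older than the patched release 2.23.5 named in this post.
PATCHED_VERSION="2.23.5"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Fields compare numerically, so 2.3.9 < 2.23.5 and 2.23.10 > 2.23.5. A
# non-numeric tail such as the package revision in 2.23.5-1 is ignored
# (assumption: the leading digits of each field carry the ordering).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"              # first field of each
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"   # consume that field
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"  # keep leading digits only
        ai="${ai:-0}"; bi="${bi:-0}"              # a missing field counts as 0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1  # equal versions are not "older"
}

# needs_update VERSION: succeed when VERSION still lacks the fix.
needs_update() { version_lt "$1" "$PATCHED_VERSION"; }

# installed_version: ask dpkg (Debian/Ubuntu) or rpm (CentOS) for the bitninja
# package version; prints nothing when it is not installed. Always exits 0 so
# the caller is not aborted under set -e.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' bitninja 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' bitninja 2>/dev/null
    fi
    return 0
}

# main [VERSION]: check VERSION, or the installed package when omitted.
# Exit status: 0 patched, 1 update needed, 2 package not found.
main() {
    v="${1:-$(installed_version)}"
    if [ -z "$v" ]; then echo "bitninja package not found"; return 2; fi
    if needs_update "$v"; then
        echo "bitninja $v is older than $PATCHED_VERSION: update the agent, then restart it"
        return 1
    fi
    echo "bitninja $v already contains the fix"
}
main "$@"
```

Run it without arguments on each server (for example from your configuration management tool) and act on a non-zero exit status; pass a version as the first argument to check a value copied from the Console instead.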

And you are done!

Please feel free to contact our customer support if you need any help updating the agent on your servers. You can contact us via email or ping us on the console. Thank you for your cooperation!

Let’s make the Internet safer together!

George Egri
CEO